Description
In the Linux kernel, the following vulnerability has been resolved:

ksmbd: fix use-after-free of a deferred file_lock on double SMB2_CANCEL

A deferred byte-range lock (an SMB2_LOCK that blocks) registers an async work on
conn->async_requests via setup_async_work(), with cancel_fn =
smb2_remove_blocked_lock and cancel_argv[0] pointing at the struct file_lock.

When the request is cancelled, the worker frees the file_lock with
locks_free_lock() and takes the cancelled early-exit, which "goto out"s and never
reaches release_async_work() -- the only site that unlinks the work from
conn->async_requests and clears cancel_fn/cancel_argv. The work therefore stays
matchable on async_requests with a live cancel_fn pointing at the freed file_lock,
until connection teardown finally runs release_async_work().

smb2_cancel() fires cancel_fn unconditionally with no state guard, so a second
SMB2_CANCEL for the same AsyncId, arriving in that window, re-runs
smb2_remove_blocked_lock() on the freed file_lock -- a slab use-after-free:

BUG: KASAN: slab-use-after-free in __locks_delete_block
__locks_delete_block
locks_delete_block
ksmbd_vfs_posix_lock_unblock
smb2_remove_blocked_lock
smb2_cancel <- 2nd SMB2_CANCEL fires cancel_fn
handle_ksmbd_work
Allocated by ...: locks_alloc_lock <- smb2_lock
Freed by ...: locks_free_lock <- smb2_lock (cancelled branch)
... cache file_lock_cache of size 192

Reproduced on mainline with KASAN by an authenticated SMB client.

Skip a work whose state is already KSMBD_WORK_CANCELLED so its cancel callback
cannot be fired a second time.
Published: 2026-06-25
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A deferred file_lock in the Linux kernel's ksmbd SMB2 handler was freed prematurely while its cancel callback remained registered. A second SMB2_CANCEL request could then trigger the freed callback, resulting in a slab use‑after‑free and kernel memory corruption. An authenticated SMB client can exercise this scenario, potentially crashing the kernel or exploiting the corruption to elevate privileges.

Affected Systems

All Linux kernel installations are impacted, as the issue resides in generic ksmbd code for the Linux kernel. Specific version information is not supplied, so any kernel build prior to the inclusion of the documented fix is considered vulnerable.

Risk and Exploitability

The vulnerability is a classic use‑after‑free that allows remote memory corruption via the SMB2 protocol. While its EPSS score is not publicly available and it is not in the CISA KEV catalog, the kernel‑level nature of the flaw indicates high severity. An attacker who can reach the SMB service on an affected system can exercise the double SMB2_CANCEL sequence to trigger kernel crash or privilege escalation. No mitigations are indicated in the description beyond applying the patch.

Generated by OpenCVE AI on June 25, 2026 at 10:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a Linux kernel update that includes the ksmbd use‑after‑free fix, such as the commit referenced in the advisory (e.g., 0da2e073f9cbf...).
  • Limit SMB access by firewall rules or access controls to trusted hosts or users so that only authorized clients can reach the SMB service.
  • Disable legacy SMB protocols (e.g., SMBv1) and any unused SMB features, which reduces the attack surface that could be abused by an attacker.

Generated by OpenCVE AI on June 25, 2026 at 10:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 11:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Thu, 25 Jun 2026 09:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free of a deferred file_lock on double SMB2_CANCEL A deferred byte-range lock (an SMB2_LOCK that blocks) registers an async work on conn->async_requests via setup_async_work(), with cancel_fn = smb2_remove_blocked_lock and cancel_argv[0] pointing at the struct file_lock. When the request is cancelled, the worker frees the file_lock with locks_free_lock() and takes the cancelled early-exit, which "goto out"s and never reaches release_async_work() -- the only site that unlinks the work from conn->async_requests and clears cancel_fn/cancel_argv. The work therefore stays matchable on async_requests with a live cancel_fn pointing at the freed file_lock, until connection teardown finally runs release_async_work(). smb2_cancel() fires cancel_fn unconditionally with no state guard, so a second SMB2_CANCEL for the same AsyncId, arriving in that window, re-runs smb2_remove_blocked_lock() on the freed file_lock -- a slab use-after-free: BUG: KASAN: slab-use-after-free in __locks_delete_block __locks_delete_block locks_delete_block ksmbd_vfs_posix_lock_unblock smb2_remove_blocked_lock smb2_cancel <- 2nd SMB2_CANCEL fires cancel_fn handle_ksmbd_work Allocated by ...: locks_alloc_lock <- smb2_lock Freed by ...: locks_free_lock <- smb2_lock (cancelled branch) ... cache file_lock_cache of size 192 Reproduced on mainline with KASAN by an authenticated SMB client. Skip a work whose state is already KSMBD_WORK_CANCELLED so its cancel callback cannot be fired a second time.
Title ksmbd: fix use-after-free of a deferred file_lock on double SMB2_CANCEL
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-25T08:39:07.650Z

Reserved: 2026-06-09T07:44:35.391Z

Link: CVE-2026-53198

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-25T11:00:11Z

Weaknesses