Impact
In the Linux kernel, the SMB server component ksmbd contains a race condition that allows a concurrent SMB2 LOGOFF to clear the opinfo->conn pointer while oplock/lease break notifiers are running. The notifiers read this pointer without a NULL check, causing a null pointer dereference that triggers a kernel oops and system crash. The flaw results in a denial of service; no evidence in the description indicates arbitrary code execution.
Affected Systems
All Linux kernels that incorporate the upstream ksmbd implementation without the patch are affected. No version range is specified, so any build of the kernel that has not applied the referenced commit is vulnerable.
Risk and Exploitability
Exploitation is possible remotely by a malicious SMB client that sequences lease or oplock requests with a LOGOFF to produce the race. The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog. Because the flaw causes a kernel oops, an attacker can terminate the system, disrupting availability. There is no confirmed privilege escalation path beyond the crash, but the high impact and lack of mitigations make the risk significant.
OpenCVE Enrichment