Description
In the Linux kernel, the following vulnerability has been resolved:

ksmbd: fix NULL-deref of opinfo->conn in oplock/lease break notifiers

smb2_oplock_break_noti() and smb2_lease_break_noti() read opinfo->conn
into a local with neither READ_ONCE() nor a NULL check. Both run from
oplock_break() after opinfo_get_list() has dropped ci->m_lock, so a
concurrent SMB2 LOGOFF (session_fd_check()) can set op->conn = NULL
under ci->m_lock within that window. ksmbd_conn_r_count_inc(conn) then
writes through NULL at offset 0xc4 -- a remotely triggerable oops.

Guard both reads the way compare_guid_key() already does: read
opinfo->conn with READ_ONCE() and return early if it is NULL, before
allocating the work struct so nothing leaks. A NULL conn means the
client is gone and the break is moot, so return 0; oplock_break() treats
that as success and runs the normal teardown.
Published: 2026-06-25
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In the Linux kernel, the SMB server component ksmbd contains a race condition that allows a concurrent SMB2 LOGOFF to clear the opinfo->conn pointer while oplock/lease break notifiers are running. The notifiers read this pointer without a NULL check, causing a null pointer dereference that triggers a kernel oops and system crash. The flaw results in a denial of service; no evidence in the description indicates arbitrary code execution.

Affected Systems

All Linux kernels that incorporate the upstream ksmbd implementation without the patch are affected. No version range is specified, so any build of the kernel that has not applied the referenced commit is vulnerable.

Risk and Exploitability

Exploitation is possible remotely by a malicious SMB client that sequences lease or oplock requests with a LOGOFF to produce the race. The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog. Because the flaw causes a kernel oops, an attacker can terminate the system, disrupting availability. There is no confirmed privilege escalation path beyond the crash, but the high impact and lack of mitigations make the risk significant.

Generated by OpenCVE AI on June 25, 2026 at 12:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the kernel to a version that includes the ksmbd patch and apply the update through your distribution’s package manager.
  • If a kernel update cannot be applied immediately, manually apply the commit that adds NULL checks to ksmbd’s oplock/lease break notifiers—pull the referenced patch and rebuild the kernel.
  • Restrict SMB traffic to trusted sources or disable oplock/lease handling in the SMB server configuration if the feature is not essential.

Generated by OpenCVE AI on June 25, 2026 at 12:11 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 12:15:00 +0000


Thu, 25 Jun 2026 12:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-476
CWE-872

Thu, 25 Jun 2026 09:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix NULL-deref of opinfo->conn in oplock/lease break notifiers smb2_oplock_break_noti() and smb2_lease_break_noti() read opinfo->conn into a local with neither READ_ONCE() nor a NULL check. Both run from oplock_break() after opinfo_get_list() has dropped ci->m_lock, so a concurrent SMB2 LOGOFF (session_fd_check()) can set op->conn = NULL under ci->m_lock within that window. ksmbd_conn_r_count_inc(conn) then writes through NULL at offset 0xc4 -- a remotely triggerable oops. Guard both reads the way compare_guid_key() already does: read opinfo->conn with READ_ONCE() and return early if it is NULL, before allocating the work struct so nothing leaks. A NULL conn means the client is gone and the break is moot, so return 0; oplock_break() treats that as success and runs the normal teardown.
Title ksmbd: fix NULL-deref of opinfo->conn in oplock/lease break notifiers
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-25T08:39:56.489Z

Reserved: 2026-06-09T07:44:35.395Z

Link: CVE-2026-53271

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity :

Publid Date: 2026-06-25T00:00:00Z

Links: CVE-2026-53271 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-25T19:15:16Z

Weaknesses