CVE-2026-23220
Infinite Loop in Linux ksmbd Due to SMB2 Signature Verification Failure
Publication date: 2026-02-18
Last updated on: 2026-04-18
Assigner: kernel.org
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | 6.6 |
| linux | linux_kernel | From 5.15.145 (inc) to 5.16 (exc) |
| linux | linux_kernel | From 6.19 (inc) to 6.19.1 (exc) |
| linux | linux_kernel | From 6.7 (inc) to 6.12.72 (exc) |
| linux | linux_kernel | From 6.13 (inc) to 6.18.11 (exc) |
| linux | linux_kernel | From 6.1.71 (inc) to 6.1.164 (exc) |
| linux | linux_kernel | From 6.6.1 (inc) to 6.6.125 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-835 | The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Linux kernel's ksmbd component, where an infinite loop can occur due to improper handling of SMB2 signed request failures.
When a signed SMB2 request fails signature verification, the function `__process_request()` calls `set_smb2_rsp_status()`, which resets the offset `next_smb2_rcv_hdr_off` to zero. This offset is supposed to indicate the next command in a chain of SMB2 messages.
Resetting it causes the system to lose track of the next command, so `is_chained_smb2_message()` keeps processing the same failed request header instead of advancing. If the header's `NextCommand` field is non-zero, this results in an infinite loop.
The infinite loop causes the kernel log to be flooded with "bad smb2 signature" messages and leads to high CPU usage.
The issue is fixed by changing the processing loop to abort immediately instead of continuing from an invalid offset, preventing the infinite loop.
How can this vulnerability impact me?
This vulnerability can cause the Linux kernel to enter an infinite loop when processing certain SMB2 signed requests that fail signature verification.
The infinite loop results in excessive CPU usage and flooding of the kernel log with error messages, which can degrade system performance and stability.
Such resource exhaustion could potentially lead to denial of service conditions on affected systems.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring the kernel logs for repeated "bad smb2 signature" messages, which indicate that the system is stuck processing a failed SMB2 request in an infinite loop.
Additionally, high CPU usage related to the ksmbd service may be a symptom of this issue.
While no specific commands are provided, you can use standard Linux commands to check for these signs, such as:
- Use `dmesg | grep 'bad smb2 signature'` to search kernel logs for the error message.
- Use `top` or `htop` to monitor CPU usage and identify if ksmbd is consuming excessive CPU.
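The `dmesg | grep` check above matches a single failed signature as readily as the loop's log flood. The added example below (not from the advisory or the kernel project) separates the two by rate. It assumes the default `dmesg` `[seconds.micros]` timestamp prefix; the window, threshold, function names and sample lines (including their `ksmbd:` prefix) are constructed for illustration.

```python
import re
import sys
from collections import deque

MARKER = "bad smb2 signature"              # message text quoted in the advisory
TS_RE = re.compile(r"^\[\s*(\d+\.\d+)\]")  # assumed default dmesg prefix: [seconds.micros]

def find_floods(lines, window=1.0, threshold=50):
    """Return (start, end, count) per burst where at least `threshold` marker
    lines fall within `window` seconds. Both defaults are assumptions to tune."""
    recent = deque()   # timestamps of marker lines inside the sliding window
    floods = []
    burst = None       # [start, end, count] of the burst in progress
    for line in lines:
        m = TS_RE.match(line)
        if MARKER not in line or not m:
            continue
        ts = float(m.group(1))
        recent.append(ts)
        while ts - recent[0] > window:
            recent.popleft()
        if len(recent) >= threshold:
            if burst is None:
                burst = [recent[0], ts, len(recent)]
            else:
                burst[1], burst[2] = ts, burst[2] + 1
        elif burst is not None:       # rate fell back below the threshold
            floods.append(tuple(burst))
            burst = None
    if burst is not None:
        floods.append(tuple(burst))
    return floods

def constructed_sample():
    """Constructed log lines (not captured from a real system)."""
    lines = ["[  100.000000] ksmbd: bad smb2 signature",   # isolated failures
             "[  160.500000] ksmbd: bad smb2 signature",
             "[  200.000000] unrelated kernel message"]
    # 400 identical errors within 400 microseconds: the flood pattern
    lines += [f"[  300.{i:06d}] ksmbd: bad smb2 signature" for i in range(400)]
    return lines

if __name__ == "__main__":
    # Pipe `dmesg` in, or run with no input on a terminal to use the sample.
    source = constructed_sample() if sys.stdin.isatty() else sys.stdin
    for start, end, count in find_floods(source):
        print(f"flood: {count} lines between {start:.6f}s and {end:.6f}s since boot")
```

Isolated signature failures in the sample produce no result; only the dense burst is reported, which is the pattern worth alerting on alongside high ksmbd CPU usage.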
What immediate steps should I take to mitigate this vulnerability?
The vulnerability is fixed by a patch that changes the handling of failed SMB2 signature verification to abort processing instead of continuing in an infinite loop.
Therefore, the immediate mitigation step is to update the Linux kernel to a version that includes this fix.
Until the patch is applied, monitoring for the symptoms (kernel log flooding and high CPU usage) and restarting the ksmbd service if necessary may help temporarily alleviate the issue.