CVE-2026-43376
Received Received - Intake
ksmbd Use-After-Free via Improper RCU Handling

Publication date: 2026-05-08

Last updated on: 2026-05-11

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free by using call_rcu() for oplock_info ksmbd currently frees oplock_info immediately using kfree(), even though it is accessed under RCU read-side critical sections in places like opinfo_get() and proc_show_files(). Since there is no RCU grace period delay between nullifying the pointer and freeing the memory, a reader can still access oplock_info structure after it has been freed. This can leads to a use-after-free especially in opinfo_get() where atomic_inc_not_zero() is called on already freed memory. Fix this by switching to deferred freeing using call_rcu().
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-08
Last Modified
2026-05-11
Generated
2026-06-19
AI Q&A
2026-05-08
EPSS Evaluated
2026-06-18
NVD
CVE-2026-43376
EUVD
EUVD-2026-28682
Affected Vendors & Products
Currently, no data is known.
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's ksmbd component, where a use-after-free error occurs due to improper memory management of the oplock_info structure.

Specifically, ksmbd frees the oplock_info structure immediately using kfree(), even though this structure is still accessed under RCU (Read-Copy-Update) read-side critical sections in functions like opinfo_get() and proc_show_files().

Because there is no RCU grace period delay between nullifying the pointer and freeing the memory, a reader can access the oplock_info structure after it has been freed, leading to a use-after-free condition.

This is particularly problematic in opinfo_get(), where atomic_inc_not_zero() is called on memory that may have already been freed.

The fix involves switching to deferred freeing of the oplock_info structure using call_rcu(), which ensures the memory is freed only after all readers have finished accessing it.

Mitigation Strategies

The vulnerability is fixed by updating the Linux kernel to a version where the ksmbd component uses call_rcu() for deferred freeing of oplock_info instead of immediate kfree().

Therefore, the immediate mitigation step is to apply the kernel update or patch that includes this fix.

Impact Analysis

This vulnerability can lead to a use-after-free condition in the Linux kernel's ksmbd component. Specifically, oplock_info structures are freed immediately without waiting for an RCU grace period, which can cause readers to access memory that has already been freed. This can result in undefined behavior, potential crashes, or security issues due to accessing invalid memory.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-43376. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart