CVE-2026-52944
Permission Bypass in ksmbd via FSCTL_SET_SPARSE

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

ksmbd: fix FSCTL permission bypass by adding a permission check for FSCTL_SET_SPARSE

FSCTL_SET_SPARSE in fsctl_set_sparse() modifies the file's sparse attribute and saves it through xattr without any permission checks. This exposes two issues:

1) A client on a read-only share can change the sparse attribute on files it opened, even though the share is read-only. Other FSCTL write operations already check test_tree_conn_flag(work->tcon, KSMBD_TREE_CONN_FLAG_WRITABLE), but FSCTL_SET_SPARSE does not.

2) Even on writable shares, clients without FILE_WRITE_DATA or FILE_WRITE_ATTRIBUTES access should not modify the sparse attribute. Similar handle-level checks exist in other functions but are missing here.

Add both share-level writable check and per-handle access check. Use goto out on error to avoid leaking file references.

Affected Vendors & Products
Showing 1 associated CPE
Vendor         Product   Version / Range
linux_kernel   ksmbd     *

CWE ID Description
CWE-UNKNOWN
Mitigation Strategies

The vulnerability is fixed by adding permission checks for the FSCTL_SET_SPARSE operation in the ksmbd Linux kernel module.

Immediate mitigation steps include updating the Linux kernel to a version that contains the fix for this issue.

  • Ensure that the kernel version includes the patch that adds share-level writable checks and per-handle access checks for FSCTL_SET_SPARSE.
  • Restrict access to SMB shares, especially read-only shares, to trusted clients only until the patch is applied.

Executive Summary

This vulnerability exists in the Linux kernel's ksmbd component, specifically related to the FSCTL_SET_SPARSE operation. The issue is that the function fsctl_set_sparse() modifies a file's sparse attribute and saves it without performing necessary permission checks.

Because of this, a client connected to a read-only share can change the sparse attribute on files it opened, even though the share should not allow modifications. Additionally, on writable shares, clients who lack the required FILE_WRITE_DATA or FILE_WRITE_ATTRIBUTES permissions can still modify the sparse attribute, which they should not be able to do.

The fix involves adding both a share-level writable check and a per-handle access check to ensure only authorized clients can modify the sparse attribute.
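
The two checks and the single exit path described above, as an added C example that is not the kernel's code. It is a userspace model: `struct handle`, both `set_sparse_*` functions and `run_case` are hypothetical names, and requiring at least one of FILE_WRITE_DATA or FILE_WRITE_ATTRIBUTES is this example's reading of the per-handle check.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Userspace model only: the struct and every function name are hypothetical. */
#define FILE_READ_DATA             0x00000001u
#define FILE_WRITE_DATA            0x00000002u
#define FILE_WRITE_ATTRIBUTES      0x00000100u
#define FILE_ATTRIBUTE_SPARSE_FILE 0x00000200u
/* share_writable models the tree-connect writable flag of the share. */
struct handle { int share_writable; uint32_t daccess, attrs; int refs; };

/* Behaviour the page describes as vulnerable: no checks before the change. */
static int set_sparse_unchecked(struct handle *fp)
{
    fp->attrs |= FILE_ATTRIBUTE_SPARSE_FILE;
    return 0;
}

/* Behaviour the page describes as fixed: two checks, one exit path. */
static int set_sparse_checked(struct handle *fp)
{
    int ret = -EACCES;
    fp->refs++;                              /* take a file reference */
    if (!fp->share_writable)                 /* share-level writable check */
        goto out;
    if (!(fp->daccess & (FILE_WRITE_DATA | FILE_WRITE_ATTRIBUTES)))
        goto out;                            /* per-handle access check */
    fp->attrs |= FILE_ATTRIBUTE_SPARSE_FILE;
    ret = 0;
out:
    fp->refs--;                              /* released on every path */
    return ret;
}

/* Constructed case: 1 = attribute changed, 0 = refused, -1 = reference leak. */
static int run_case(int writable, uint32_t daccess, int checked)
{
    struct handle h = { writable, daccess, 0, 0 };
    int ret = checked ? set_sparse_checked(&h) : set_sparse_unchecked(&h);
    if (h.refs != 0) return -1;
    return (ret == 0 && (h.attrs & FILE_ATTRIBUTE_SPARSE_FILE)) ? 1 : 0;
}

int main(void)
{
    printf("read-only share:  %d -> %d\n", run_case(0, FILE_WRITE_DATA, 0), run_case(0, FILE_WRITE_DATA, 1));
    printf("read-only handle: %d -> %d\n", run_case(1, FILE_READ_DATA, 0), run_case(1, FILE_READ_DATA, 1));
    return 0;
}
```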

Impact Analysis

This vulnerability can allow unauthorized clients to modify file attributes on shares where they should not have write access.

  • On read-only shares, clients can change the sparse attribute of files despite the share being read-only.
  • On writable shares, clients without proper write permissions can still modify the sparse attribute.

Such unauthorized modifications could lead to unexpected file behavior, potential data integrity issues, or bypassing intended access controls.
