CVE-2026-52944
Analyzed Analyzed - Analysis Complete

Permission Bypass in ksmbd via FSCTL_SET_SPARSE

Vulnerability report for CVE-2026-52944, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-24

Last updated on: 2026-07-08

Assigner: kernel.org

Description

In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix FSCTL permission bypass by adding a permission check for FSCTL_SET_SPARSE FSCTL_SET_SPARSE in fsctl_set_sparse() modifies the file's sparse attribute and saves it through xattr without any permission checks. This exposes two issues: 1) A client on a read-only share can change the sparse attribute on files it opened, even though the share is read-only. Other FSCTL write operations already check test_tree_conn_flag(work->tcon, KSMBD_TREE_CONN_FLAG_WRITABLE), but FSCTL_SET_SPARSE does not. 2) Even on writable shares, clients without FILE_WRITE_DATA or FILE_WRITE_ATTRIBUTES access should not modify the sparse attribute. Similar handle-level checks exist in other functions but are missing here. Add both share-level writable check and per-handle access check. Use goto out on error to avoid leaking file references.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-24
Last Modified
2026-07-08
Generated
2026-07-14
AI Q&A
2026-06-24
EPSS Evaluated
2026-07-13
NVD
EUVD

Affected Vendors & Products

Showing 8 associated CPEs
Vendor Product Version / Range
linux linux_kernel 7.1
linux linux_kernel 7.1
linux linux_kernel 7.1
linux linux_kernel 7.1
linux linux_kernel 7.1
linux linux_kernel From 6.19 (inc) to 7.0.12 (exc)
linux linux_kernel From 5.15 (inc) to 6.6.143 (exc)
linux linux_kernel From 6.7 (inc) to 6.18.35 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's ksmbd component, specifically related to the FSCTL_SET_SPARSE operation. The issue is that the function fsctl_set_sparse() modifies a file's sparse attribute and saves it without performing necessary permission checks.

Because of this, a client connected to a read-only share can change the sparse attribute on files it opened, even though the share should not allow modifications. Additionally, on writable shares, clients who lack the required FILE_WRITE_DATA or FILE_WRITE_ATTRIBUTES permissions can still modify the sparse attribute, which they should not be able to do.

The fix involves adding both a share-level writable check and a per-handle access check to ensure only authorized clients can modify the sparse attribute.

Impact Analysis

This vulnerability can allow unauthorized clients to modify file attributes on shares where they should not have write access.

  • On read-only shares, clients can change the sparse attribute of files despite the share being read-only.
  • On writable shares, clients without proper write permissions can still modify the sparse attribute.

Such unauthorized modifications could lead to unexpected file behavior, potential data integrity issues, or bypassing intended access controls.

Mitigation Strategies

The vulnerability is fixed by adding permission checks for the FSCTL_SET_SPARSE operation in the ksmbd Linux kernel module.

Immediate mitigation steps include updating the Linux kernel to a version that contains the fix for this issue.

  • Ensure that the kernel version includes the patch that adds share-level writable checks and per-handle access checks for FSCTL_SET_SPARSE.
  • Restrict access to SMB shares, especially read-only shares, to trusted clients only until the patch is applied.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-52944. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart