CVE-2026-53046
Use-After-Free in Linux Kernel ksmbd

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

ksmbd: fix use-after-free from async crypto on Qualcomm crypto engine

ksmbd_crypt_message() sets a NULL completion callback on AEAD requests and does not handle the -EINPROGRESS return code from async hardware crypto engines like the Qualcomm Crypto Engine (QCE). When QCE returns -EINPROGRESS, ksmbd treats it as an error and immediately frees the request while the hardware DMA operation is still in flight. The DMA completion callback then dereferences freed memory, causing a NULL pointer crash:

pc : qce_skcipher_done+0x24/0x174
lr : vchan_complete+0x230/0x27c
...
el1h_64_irq+0x68/0x6c
ksmbd_free_work_struct+0x20/0x118 [ksmbd]
ksmbd_exit_file_cache+0x694/0xa4c [ksmbd]

Use the standard crypto_wait_req() pattern with crypto_req_done() as the completion callback, matching the approach used by the SMB client in fs/smb/client/smb2ops.c. This properly handles both synchronous engines (immediate return) and async engines (-EINPROGRESS followed by callback notification).
Affected Vendors & Products
Currently, no data is known.
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

The vulnerability is caused by improper handling of asynchronous crypto operations in the ksmbd kernel module, specifically on the Qualcomm Crypto Engine (QCE). To mitigate it, update the Linux kernel to a version that contains the fix.

The fix involves using the standard crypto_wait_req() pattern with crypto_req_done() as the completion callback, ensuring proper handling of both synchronous and asynchronous crypto engines. Applying the patch or upgrading to a kernel version that includes this fix will prevent the use-after-free and NULL pointer dereference.

Executive Summary

This vulnerability exists in the Linux kernel's ksmbd component, specifically in how it handles asynchronous cryptographic operations on Qualcomm Crypto Engine (QCE) hardware.

The function ksmbd_crypt_message() sets a NULL completion callback on AEAD requests and does not properly handle the -EINPROGRESS return code from async crypto engines like QCE.

When QCE returns -EINPROGRESS, ksmbd mistakenly treats it as an error and immediately frees the request while the hardware DMA operation is still ongoing.

This premature freeing leads to a use-after-free condition where the DMA completion callback dereferences memory that has already been freed, causing a NULL pointer crash.

The fix involves using the standard crypto_wait_req() pattern with crypto_req_done() as the completion callback, properly handling both synchronous and asynchronous crypto engines.
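The sequence above comes down to one contract of the kernel crypto API: -EINPROGRESS (or -EBUSY) is not an error but a promise that the completion callback will deliver the result later. The following user-space model is an added example, not kernel or ksmbd code; it stands in for the engine, crypto_req_done() and crypto_wait_req() with small look-alikes (engine_encrypt, req_done, wait_req, all constructed here) and places the buggy pattern from the advisory next to the fixed one.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>

/* Constructed user-space model of the kernel's async-crypto contract; not kernel or ksmbd code. */
struct aead_req {
    void (*complete)(struct aead_req *r, int err); /* NULL in the buggy path */
    bool done, freed;    /* done: callback ran; freed: caller released the request */
    int err;
};

struct engine {
    bool async;                /* true models QCE: -EINPROGRESS now, callback later */
    struct aead_req *pending;  /* in-flight request that "DMA" writes back into on completion */
    int touched_freed;         /* completion reached an already-freed request: the use-after-free */
};
static int engine_encrypt(struct engine *e, struct aead_req *r) {
    if (!e->async) return 0;   /* synchronous engine: result is ready when the call returns */
    e->pending = r;
    return -EINPROGRESS;       /* async engine: result is delivered through r->complete */
}
/* The hardware completion interrupt: it writes into the request whatever its state is. */
static void engine_complete(struct engine *e) {
    struct aead_req *r = e->pending;
    if (!r) return;
    e->pending = NULL;
    if (r->freed) { e->touched_freed++; return; } /* on real hardware this corrupts freed memory */
    if (r->complete) r->complete(r, 0);
}
/* Model of crypto_req_done(): record the result and mark the request finished. */
static void req_done(struct aead_req *r, int err) { r->err = err; r->done = true; }
/* Model of crypto_wait_req(): -EINPROGRESS/-EBUSY mean "wait for the callback"; anything else is final. */
static int wait_req(int rc, struct engine *e, struct aead_req *r) {
    if (rc != -EINPROGRESS && rc != -EBUSY) return rc;
    while (!r->done) engine_complete(e);  /* blocking wait: the engine finishes while we sleep */
    return r->err;
}
/* Buggy pattern from the advisory: NULL callback, every non-zero return treated as an error. */
static int crypt_message_buggy(struct engine *e, struct aead_req *r) {
    r->complete = NULL;
    int rc = engine_encrypt(e, r);
    if (rc) r->freed = true;   /* -EINPROGRESS lands here: request freed with DMA still in flight */
    return rc;
}
/* Fixed pattern: crypto_req_done() as the callback, crypto_wait_req() around the call. */
static int crypt_message_fixed(struct engine *e, struct aead_req *r) {
    r->complete = req_done;
    int rc = wait_req(engine_encrypt(e, r), e, r);
    r->freed = true;           /* safe to release: nothing is in flight any more */
    return rc;
}
```

Calling engine_complete() after crypt_message_buggy() returns models the later DMA interrupt and is the point where the freed request is touched; with crypt_message_fixed() the completion has already run inside wait_req(), so both the async and the synchronous engine return 0 with nothing pending.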

Impact Analysis

This vulnerability can cause a NULL pointer crash in the Linux kernel's ksmbd service when handling cryptographic operations on Qualcomm Crypto Engine hardware.

Such a crash can lead to denial of service (DoS) conditions, potentially disrupting SMB file sharing services on affected systems.

Because it involves kernel-level memory corruption (use-after-free), it might also be exploitable for more severe impacts, though the advisory does not state this.
