CVE-2026-53198
Received Received - Intake
Use-After-Free in ksmbd Linux Kernel SMB Server

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free of a deferred file_lock on double SMB2_CANCEL A deferred byte-range lock (an SMB2_LOCK that blocks) registers an async work on conn->async_requests via setup_async_work(), with cancel_fn = smb2_remove_blocked_lock and cancel_argv[0] pointing at the struct file_lock. When the request is cancelled, the worker frees the file_lock with locks_free_lock() and takes the cancelled early-exit, which "goto out"s and never reaches release_async_work() -- the only site that unlinks the work from conn->async_requests and clears cancel_fn/cancel_argv. The work therefore stays matchable on async_requests with a live cancel_fn pointing at the freed file_lock, until connection teardown finally runs release_async_work(). smb2_cancel() fires cancel_fn unconditionally with no state guard, so a second SMB2_CANCEL for the same AsyncId, arriving in that window, re-runs smb2_remove_blocked_lock() on the freed file_lock -- a slab use-after-free: BUG: KASAN: slab-use-after-free in __locks_delete_block __locks_delete_block locks_delete_block ksmbd_vfs_posix_lock_unblock smb2_remove_blocked_lock smb2_cancel <- 2nd SMB2_CANCEL fires cancel_fn handle_ksmbd_work Allocated by ...: locks_alloc_lock <- smb2_lock Freed by ...: locks_free_lock <- smb2_lock (cancelled branch) ... cache file_lock_cache of size 192 Reproduced on mainline with KASAN by an authenticated SMB client. Skip a work whose state is already KSMBD_WORK_CANCELLED so its cancel callback cannot be fired a second time.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-25
Last Modified
2026-06-25
Generated
2026-06-25
AI Q&A
2026-06-25
EPSS Evaluated
N/A
NVD
CVE-2026-53198
EUVD
EUVD-2026-39289
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linux_kernel ksmbd *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a use-after-free bug in the Linux kernel's ksmbd component related to handling SMB2_CANCEL requests.

Specifically, when a deferred byte-range lock (SMB2_LOCK) that blocks is cancelled, the associated file_lock structure is freed but not properly unlinked from the async work queue. If a second SMB2_CANCEL request arrives before the connection teardown, it triggers a callback on the already freed file_lock, causing a use-after-free condition.

This can lead to kernel memory corruption or crashes, as demonstrated by the Kernel Address Sanitizer (KASAN) detecting the issue.

Impact Analysis

This vulnerability can cause kernel memory corruption or crashes due to the use-after-free condition in the ksmbd SMB server implementation.

An authenticated SMB client can exploit this by sending specially crafted SMB2_CANCEL requests, potentially leading to denial of service (system instability or crashes) or other unpredictable kernel behavior.

Mitigation Strategies

The vulnerability is fixed by skipping a work whose state is already KSMBD_WORK_CANCELLED so its cancel callback cannot be fired a second time.

Therefore, the immediate mitigation step is to update the Linux kernel to a version that includes this fix.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-53198. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart