CVE-2026-53198
Analyzed Analyzed - Analysis Complete

Use-After-Free in ksmbd Linux Kernel SMB Server

Vulnerability report for CVE-2026-53198, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-25

Last updated on: 2026-07-06

Assigner: kernel.org

Description

In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free of a deferred file_lock on double SMB2_CANCEL A deferred byte-range lock (an SMB2_LOCK that blocks) registers an async work on conn->async_requests via setup_async_work(), with cancel_fn = smb2_remove_blocked_lock and cancel_argv[0] pointing at the struct file_lock. When the request is cancelled, the worker frees the file_lock with locks_free_lock() and takes the cancelled early-exit, which "goto out"s and never reaches release_async_work() -- the only site that unlinks the work from conn->async_requests and clears cancel_fn/cancel_argv. The work therefore stays matchable on async_requests with a live cancel_fn pointing at the freed file_lock, until connection teardown finally runs release_async_work(). smb2_cancel() fires cancel_fn unconditionally with no state guard, so a second SMB2_CANCEL for the same AsyncId, arriving in that window, re-runs smb2_remove_blocked_lock() on the freed file_lock -- a slab use-after-free: BUG: KASAN: slab-use-after-free in __locks_delete_block __locks_delete_block locks_delete_block ksmbd_vfs_posix_lock_unblock smb2_remove_blocked_lock smb2_cancel <- 2nd SMB2_CANCEL fires cancel_fn handle_ksmbd_work Allocated by ...: locks_alloc_lock <- smb2_lock Freed by ...: locks_free_lock <- smb2_lock (cancelled branch) ... cache file_lock_cache of size 192 Reproduced on mainline with KASAN by an authenticated SMB client. Skip a work whose state is already KSMBD_WORK_CANCELLED so its cancel callback cannot be fired a second time.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-25
Last Modified
2026-07-06
Generated
2026-07-15
AI Q&A
2026-06-25
EPSS Evaluated
2026-07-14
NVD
EUVD

Affected Vendors & Products

Showing 11 associated CPEs
Vendor Product Version / Range
linux linux_kernel 7.1
linux linux_kernel 7.1
linux linux_kernel 7.1
linux linux_kernel 7.1
linux linux_kernel From 6.2 (inc) to 6.6.143 (exc)
linux linux_kernel From 6.13 (inc) to 6.18.36 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.94 (exc)
linux linux_kernel From 6.19 (inc) to 7.0.13 (exc)
linux linux_kernel 7.1
linux linux_kernel 7.1
linux linux_kernel From 5.15 (inc) to 6.1.176 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-416 The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Detection Guidance

This vulnerability involves a use-after-free bug in the ksmbd component of the Linux kernel triggered by a second SMB2_CANCEL request on the same AsyncId. Detection would typically require monitoring for kernel error messages related to slab use-after-free or KASAN reports indicating issues in smb2_cancel or related functions.

You can check your system logs (e.g., dmesg or journalctl) for kernel BUG or KASAN slab-use-after-free messages referencing ksmbd or smb2_cancel.

Example commands to detect potential exploitation or triggering of this vulnerability include:

  • sudo dmesg | grep -i 'ksmbd\|smb2_cancel\|use-after-free\|KASAN'
  • sudo journalctl -k | grep -i 'ksmbd\|smb2_cancel\|use-after-free\|KASAN'

Additionally, monitoring SMB traffic for multiple SMB2_CANCEL requests with the same AsyncId from authenticated SMB clients could help identify attempts to trigger this bug, but this requires advanced network analysis tools and SMB protocol inspection.

Executive Summary

This vulnerability is a use-after-free bug in the Linux kernel's ksmbd component related to handling SMB2_CANCEL requests.

Specifically, when a deferred byte-range lock (SMB2_LOCK) that blocks is cancelled, the associated file_lock structure is freed but not properly unlinked from the async work queue. If a second SMB2_CANCEL request arrives before the connection teardown, it triggers a callback on the already freed file_lock, causing a use-after-free condition.

This can lead to kernel memory corruption or crashes, as demonstrated by the Kernel Address Sanitizer (KASAN) detecting the issue.

Impact Analysis

This vulnerability can cause kernel memory corruption or crashes due to the use-after-free condition in the ksmbd SMB server implementation.

An authenticated SMB client can exploit this by sending specially crafted SMB2_CANCEL requests, potentially leading to denial of service (system instability or crashes) or other unpredictable kernel behavior.

Mitigation Strategies

The vulnerability is fixed by skipping a work whose state is already KSMBD_WORK_CANCELLED so its cancel callback cannot be fired a second time.

Therefore, the immediate mitigation step is to update the Linux kernel to a version that includes this fix.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-53198. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart