CVE-2026-53271
Status: Received - Intake
NULL Pointer Dereference in ksmbd Kernel Module

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

ksmbd: fix NULL-deref of opinfo->conn in oplock/lease break notifiers

smb2_oplock_break_noti() and smb2_lease_break_noti() read opinfo->conn into a local with neither READ_ONCE() nor a NULL check. Both run from oplock_break() after opinfo_get_list() has dropped ci->m_lock, so a concurrent SMB2 LOGOFF (session_fd_check()) can set op->conn = NULL under ci->m_lock within that window. ksmbd_conn_r_count_inc(conn) then writes through NULL at offset 0xc4 -- a remotely triggerable oops.

Guard both reads the way compare_guid_key() already does: read opinfo->conn with READ_ONCE() and return early if it is NULL, before allocating the work struct so nothing leaks. A NULL conn means the client is gone and the break is moot, so return 0; oplock_break() treats that as success and runs the normal teardown.
Affected Vendors & Products
Currently, no data is known.
Impact Analysis

This vulnerability can cause a remote-triggerable kernel crash (oops) in systems running the affected Linux kernel with ksmbd enabled.

An attacker could exploit this flaw to cause a denial of service by crashing the kernel remotely, potentially disrupting services relying on SMB2 file sharing.

Executive Summary

This vulnerability exists in the Linux kernel's ksmbd component, specifically in the handling of oplock and lease break notifiers.

The functions smb2_oplock_break_noti() and smb2_lease_break_noti() read a connection pointer (opinfo->conn) without proper synchronization or NULL checks. Because these functions run after a lock has been released, a concurrent SMB2 LOGOFF operation can set this connection pointer to NULL.

If the connection pointer is NULL, subsequent code attempts to write through this NULL pointer, causing a remote-triggerable kernel crash (oops).

The fix involves reading the connection pointer atomically with READ_ONCE() and returning early if it is NULL, preventing the crash and ensuring proper teardown.
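The race described in the description and summary above, modelled in userspace as an added example (constructed here, not ksmbd's code): the pre-fix notifier shape allocates and then uses opinfo->conn unchecked, while the fixed shape does the READ_ONCE() read and NULL check before allocating. The kernel's READ_ONCE()/WRITE_ONCE(), ci->m_lock and the real struct layouts are replaced by the assumed stand-ins shown.

```c
#include <stdlib.h>
/* Userspace model of the advisory's pattern: names echo ksmbd's, but every
 * struct and function here is constructed for the example. */
struct ksmbd_conn { int r_count; };               /* bumped by ksmbd_conn_r_count_inc() */
struct oplock_info { struct ksmbd_conn *conn; };  /* cleared by LOGOFF under ci->m_lock */
struct oplock_break_work { struct ksmbd_conn *conn; };
/* Stand-ins for the kernel's READ_ONCE()/WRITE_ONCE(): single untorn accesses. */
#define READ_ONCE_PTR(p)     __atomic_load_n(&(p), __ATOMIC_RELAXED)
#define WRITE_ONCE_PTR(p, v) __atomic_store_n(&(p), (__typeof__(p))(v), __ATOMIC_RELAXED)
/* Models session_fd_check(): a concurrent SMB2 LOGOFF drops the connection. */
static void logoff_clear_conn(struct oplock_info *op) { WRITE_ONCE_PTR(op->conn, NULL); }
/* Pre-fix shape: allocate first, then use op->conn from a plain load, unchecked.
 * If LOGOFF raced in after ci->m_lock was dropped, conn is NULL and this faults. */
static int oplock_break_noti_unguarded(struct oplock_info *op, struct oplock_break_work **out)
{
	struct oplock_break_work *w = malloc(sizeof(*w));
	if (!w) return -1;
	struct ksmbd_conn *conn = op->conn;
	conn->r_count++;              /* writes through NULL when the client is gone */
	w->conn = conn;
	*out = w;
	return 0;
}
/* Fixed shape: one READ_ONCE() load, NULL check before any allocation so nothing
 * leaks, and 0 so oplock_break() treats the moot break as success and tears down. */
static int oplock_break_noti_fixed(struct oplock_info *op, struct oplock_break_work **out)
{
	struct ksmbd_conn *conn = READ_ONCE_PTR(op->conn);
	*out = NULL;
	if (!conn) return 0;
	struct oplock_break_work *w = malloc(sizeof(*w));
	if (!w) return -1;
	conn->r_count++;
	w->conn = conn;
	*out = w;
	return 0;
}
/* Scenario: notifier with a live client, LOGOFF clears conn, fixed notifier again.
 * Returns the final r_count (1: only the live-client call took a reference). */
static int run_logoff_race_model(void)
{
	struct ksmbd_conn conn = { 0 };
	struct oplock_info op = { &conn };
	struct oplock_break_work *w = NULL;
	if (oplock_break_noti_unguarded(&op, &w) != 0 || !w) return -1;
	free(w);
	logoff_clear_conn(&op);
	if (oplock_break_noti_fixed(&op, &w) != 0 || w) return -1;
	return conn.r_count;
}
```

Calling oplock_break_noti_unguarded() after logoff_clear_conn() is the modelled oops; the scenario deliberately runs only the fixed variant in that state.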

Mitigation Strategies

The vulnerability has been fixed in the Linux kernel by adding proper NULL checks and using READ_ONCE() when reading opinfo->conn in the ksmbd oplock/lease break notifiers.

To mitigate this vulnerability immediately, you should update your Linux kernel to a version that includes this fix.
