CVE-2026-53271
Analyzed Analyzed - Analysis Complete

NULL Pointer Dereference in ksmbd Kernel Module

Vulnerability report for CVE-2026-53271, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-25

Last updated on: 2026-07-08

Assigner: kernel.org

Description

In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix NULL-deref of opinfo->conn in oplock/lease break notifiers smb2_oplock_break_noti() and smb2_lease_break_noti() read opinfo->conn into a local with neither READ_ONCE() nor a NULL check. Both run from oplock_break() after opinfo_get_list() has dropped ci->m_lock, so a concurrent SMB2 LOGOFF (session_fd_check()) can set op->conn = NULL under ci->m_lock within that window. ksmbd_conn_r_count_inc(conn) then writes through NULL at offset 0xc4 -- a remotely triggerable oops. Guard both reads the way compare_guid_key() already does: read opinfo->conn with READ_ONCE() and return early if it is NULL, before allocating the work struct so nothing leaks. A NULL conn means the client is gone and the break is moot, so return 0; oplock_break() treats that as success and runs the normal teardown.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-25
Last Modified
2026-07-08
Generated
2026-07-15
AI Q&A
2026-06-25
EPSS Evaluated
2026-07-14
NVD
EUVD

Affected Vendors & Products

Showing 10 associated CPEs
Vendor Product Version / Range
linux linux_kernel 7.1
linux linux_kernel 7.1
linux linux_kernel 7.1
linux linux_kernel 7.1
linux linux_kernel From 6.13 (inc) to 6.18.36 (exc)
linux linux_kernel From 6.19 (inc) to 7.0.13 (exc)
linux linux_kernel 7.1
linux linux_kernel 7.1
linux linux_kernel From 6.9 (inc) to 6.12.94 (exc)
linux linux_kernel From 6.6.32 (inc) to 6.6.143 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-476 The product dereferences a pointer that it expects to be valid but is NULL.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Impact Analysis

This vulnerability can cause a remote-triggerable kernel crash (oops) in systems running the affected Linux kernel with ksmbd enabled.

An attacker could exploit this flaw to cause a denial of service by crashing the kernel remotely, potentially disrupting services relying on SMB2 file sharing.

Executive Summary

This vulnerability exists in the Linux kernel's ksmbd component, specifically in the handling of oplock and lease break notifiers.

The functions smb2_oplock_break_noti() and smb2_lease_break_noti() read a connection pointer (opinfo->conn) without proper synchronization or NULL checks. Because these functions run after a lock has been released, a concurrent SMB2 LOGOFF operation can set this connection pointer to NULL.

If the connection pointer is NULL, subsequent code attempts to write through this NULL pointer, causing a remote-triggerable kernel crash (oops).

The fix involves reading the connection pointer atomically with READ_ONCE() and returning early if it is NULL, preventing the crash and ensuring proper teardown.

Mitigation Strategies

The vulnerability has been fixed in the Linux kernel by adding proper NULL checks and using READ_ONCE() when reading opinfo->conn in the ksmbd oplock/lease break notifiers.

To mitigate this vulnerability immediately, you should update your Linux kernel to a version that includes this fix.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-53271. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart