CVE-2026-53271

In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix NULL-deref of opinfo-conn in oplock/lease break notifiers smb2oplockbreaknoti and smb2leasebreaknoti read opinfo-conn into a local with neither READONCE nor a NULL check. Both run from oplockbreak after opinfogetlist h...

EUVD-2026-39222

In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix NULL-deref of opinfo-conn in oplock/lease break notifiers smb2oplockbreaknoti and smb2leasebreaknoti read opinfo-conn into a local with neither READONCE nor a NULL check. Both run from oplockbreak after opinfogetlist h...

CVE-2026-53271

The CVE-2026-53271 issue affects the Linux kernel ksmbd during oplock/lease break notifications (smb2_oplock_break_noti and smb2_lease_break_noti). The root cause is reading opinfo->conn into a local variable without READ_ONCE() and without a NULL check after opinfo_get_list() has dropped ci-&...

CVE-2026-53198

In the Linux kernel ksmbd, CVE-2026-53198 describes a use-after-free in a deferred file_lock tied to SMB2_CANCEL handling. A deferred byte-range lock registers async work via setup_async_work() with a cancel_fn and cancel_argv[0] pointing at the file_lock. If the SMB2_CANCEL path frees the file_l...

CVE-2026-52944

A flaw was found in the Linux kernel's ksmbd component. This vulnerability allows a client to bypass intended permission restrictions by using the FSCTLSETSPARSE operation. Specifically, a client on a read-only share can modify a file's sparse attribute, and clients on writable shares can modify...

EUVD-2026-38864

In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix durable fd leak on ClientGUID mismatch in durable v2 open ksmbdlookupfdcguid returns a ksmbdfile with its refcount incremented via ksmbdfpget. parsedurablehandlecontext in the DURABLEREQV2 case properly releases this...

EUVD-2026-38914

In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free from async crypto on Qualcomm crypto engine ksmbdcryptmessage sets a NULL completion callback on AEAD requests and does not handle the -EINPROGRESS return code from async hardware crypto engines like the...

CVE-2026-52944

In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix FSCTL permission bypass by adding a permission check for FSCTLSETSPARSE FSCTLSETSPARSE in fsctlsetsparse modifies the file's sparse attribute and saves it through xattr without any permission checks. This exposes two...

EUVD-2026-38734

In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix FSCTL permission bypass by adding a permission check for FSCTLSETSPARSE FSCTLSETSPARSE in fsctlsetsparse modifies the file's sparse attribute and saves it through xattr without any permission checks. This exposes two...

CVE-2026-52944

In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix FSCTL permission bypass by adding a permission check for FSCTLSETSPARSE FSCTLSETSPARSE in fsctlsetsparse modifies the file's sparse attribute and saves it through xattr without any permission checks. This exposes two...

SUSE CVE-2026-52911

In the Linux kernel, the following vulnerability has been resolved: ksmbd: scope conn-binding slowpath to bound sessions only When the binding SESSIONSETUP sets conn-binding = true, the flag stays set after the call so that the global session lookup in ksmbdsessionlookupall can find the session,...

CVE-2026-52911

A flaw was found in the ksmbd component of the Linux kernel. This vulnerability allows an attacker to gain unauthorized access to session information or resources by exploiting an improper scope in the session binding mechanism. This could potentially compromise the integrity or confidentiality o...

CVE-2026-52911

In the Linux kernel, the following vulnerability has been resolved: ksmbd: scope conn-binding slowpath to bound sessions only When the binding SESSIONSETUP sets conn-binding = true, the flag stays set after the call so that the global session lookup in ksmbdsessionlookupall can find the session,...

Astra Linux – Vulnerability found in Linux 5.10, Linux 5.15

In the Linux kernel, the following vulnerability has been resolved: ksmbd: Fixed a slab-out-of-bounds issue in initsmb2rsphdr. When smb1 mounting fails, KASAN detects a slab-out-of-bounds issue in initsmb2rsphdr, as follows. For smb1’s negotiate56 bytes, initsmb2rsphdr is called for smb2. The iss...

Astra Linux – Vulnerability in Linux 5.10

In the Linux kernel, the following vulnerability has been resolved: ksmbd: Added a bounds check for the durable handle context. A missing bounds check was added for the durable handle context...

Astra Linux – Vulnerability in Linux 5.15

A flaw was discovered in the ksmbd component of the Linux kernel, a high-performance in-kernel SMB server. The specific flaw exists in the processing of SMB2TREEDISCONNECT commands. The issue arises due to the lack of proper locking when performing operations on an object. An attacker can exploit...

Astra Linux – Vulnerability in Linux 6.1

In the Linux kernel, the following vulnerability has been resolved: ksmbd: smbdirect: verifyremainingdatalength respects maxfragmentedrecvsize This issue is related to the check for dataoffset + datalength...

Astra Linux – Vulnerability in Linux 5.15

A flaw was discovered in the ksmbd component of the Linux kernel. A deadlock occurs when multiple session setup requests are sent simultaneously, which may lead to a denial of service...

Astra Linux – Vulnerability in Linux 5.10

In the Linux kernel, the following vulnerability has been resolved: ksmbd: A memory leak was fixed in getfileallinfo. In getfileallinfo, if vfsgetattr fails, the function returns immediately without freeing the allocated filename, resulting in a memory leak. This issue was fixed by freeing the...

Astra Linux – Vulnerability in Linux 5.15

A issue was discovered in ksmbd within the Linux kernel versions 5.15 through 5.19, prior to 5.19.2. There is an out-of-bounds read and an OOPS error for SMB2write, when a large length is present in the zero DataOffset case. source-iocs-preserved const=SMB2WRITE...