202 matches found
Missing access checks on reparse point
Description: Starting with Samba 4.21, users can create and delete NTFS-style reparse points https://en.wikipedia.org/wiki/NTFS_reparse_point via the SMB protocol. The Reparse Point Metadata is stored in an extended attribute named "user.SmbReparse" together with the FILE_ATTRIBUTE_REPARSE_POINT bit in...
Astra Linux - vulnerability in samba
A flaw was discovered in Samba. The Samba smbd file server must map Windows group identities (SIDs) to Unix group IDs (gids). The code responsible for this mapping contained a flaw that could allow it to read data beyond the end of the array, in the event that a negative cache entry was added to the...
Astra Linux - vulnerability in linux-6.1
In the Linux kernel, the following vulnerability has been resolved: ksmbd: The socket is closed after it has been accepted, even when the per-IP limit is exceeded and a connection attempt fails. When the per-IP connection limit is exceeded in ksmbd_kthread_fn, the code sets ret to -EAGAIN and...
Astra Linux - vulnerability in linux-5.10
In the Linux kernel, the following vulnerabilities have been resolved: ksmbd: The validation of response sizes in ipc_validate_msg has been improved. ipc_validate_msg calculates the expected message size for each response type by adding or multiplying attacker-controlled fields from the daemon’s...
CLSA-2026-1778859875 samba: Fix of CVE-2025-0620
Fix CVE-2025-0620: smbd doesn't pick up group membership changes when re-authenticating an expired SMB session...
EUVD-2026-28682
In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free by using call_rcu for oplock_info ksmbd currently frees oplock_info immediately using kfree, even though it is accessed under RCU read-side critical sections in places like opinfo_get and proc_show_files. Sinc...
Astra Linux - vulnerability in linux-6.1
In the Linux kernel, the following vulnerability has been resolved: smb: Client: Fixed the smbdirect_recv_io leak in the smbd_negotiate error path. During tests of another unrelated patch, I was able to trigger this error: Objects remaining on __kmem_cache_shutdown...
SUSE CVE-2026-31609
In the Linux kernel, the following vulnerability has been resolved: smb: client: avoid double-free in smbd_free_send_io after smbd_send_batch_flush smbd_send_batch_flush already calls smbd_free_send_io, so we should not call it again after smbd_post_send moved it to the batch list...
CVE-2026-31609
In the Linux kernel, the following vulnerability has been resolved: smb: client: avoid double-free in smbd_free_send_io after smbd_send_batch_flush smbd_send_batch_flush already calls smbd_free_send_io, so we should not call it again after smbd_post_send moved it to the batch list...
Linux kernel security vulnerability
The Linux kernel is the core of the open-source operating system Linux, developed by the Linux Foundation in the United States. There is a security vulnerability in the Linux kernel, which stems from repeated calls to smbd_free_send_io after smbd_send_batch_flush, resulting in double releases of...
PT-2026-34961
Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified). Description: A double-free issue exists in the SMB client. The function smbd_send_batch_flush already invokes smbd_free_send_io, leading to a second call to smbd_free_send_io after smbd_post_send mov...
(Pwn2Own) QNAP TS-453E smbd domain_name Argument Injection Authentication Bypass Vulnerability
This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of QNAP TS-453E devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of the domain_name parameter. The issue results from the la...
CVE-2025-71223
CVE-2025-71223 affects the Linux kernel's ksmbd SMB server path (smb2_open and ksmbd_vfs_getattr). The issue is a refcount leak when ksmbd_vfs_getattr() fails, potentially causing resource leakage and local impact. A kernel update fixing the refcount leak is provided by the referenced advisories ...
UBUNTU-CVE-2026-23093
In the Linux kernel, the following vulnerability has been resolved: ksmbd: smbd: fix dma_unmap_sg() nents The dma_unmap_sg() functions should be called with the same nents as the dma_map_sg(), not the value the map function returned...
CVE-2026-23093 ksmbd: smbd: fix dma_unmap_sg() nents
In the Linux kernel, the following vulnerability has been resolved: ksmbd: smbd: fix dma_unmap_sg() nents The dma_unmap_sg() functions should be called with the same nents as the dma_map_sg(), not the value the map function returned...
CVE-2026-23093
Summary (CVE-2026-23093) : In the Linux kernel, the ksmbd: smbd DMA unmapping path uses dma_unmap_sg() with a different number of entries than dma_map_sg(), which is the root cause of the vulnerability. The fix ensures dma_unmap_sg() is called with the same nents as dma_map_sg(). According to the...
Linux Distros Unpatched Vulnerability : CVE-2026-23093
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - ksmbd: smbd: fix dma_unmap_sg() nents The dma_unmap_sg() functions should be called with the same nents as the dma_map_sg(), not the value the map function returned...
MiracleLinux 7 : samba-4.6.2-8.el7 (AXSA:2017-2069:04)
The remote MiracleLinux 7 host has packages installed that are affected by a vulnerability as referenced in the AXSA:2017-2069:04 advisory. Samba is the standard Windows interoperability suite of programs for Linux and Unix. CVE-2017-9461 smbd in Samba before 4.4.10 and 4.5.x before 4.5.6 has a...
Astra Linux - vulnerability in linux-6.12
In the Linux kernel, the following vulnerability has been resolved: smb: client: let smbd_destroy() call disable_work_sync(&info->post_send_credits_work) In smbd_destroy() we may destroy the memory so we better wait until post_send_credits_work is no longer pending and will never be started again. I actually just...
SUSE CVE-2023-54260
In the Linux kernel, the following vulnerability has been resolved: cifs: Fix lost destroy smbd connection when MR allocate failed If the MR allocate failed, the smb direct connection info is NULL, then smbd_destroy will directly return, then the connection info will be leaked. Let's set the smb...