11 matches found
CVE-2024-57925
CVE-2024-57925 affects the Linux kernel’s ksmbd component. A NULL pointer returned by ksmbd_alloc_work_struct() in smb2_send_interim_resp() could allow an illegal memory write to in_work->response_buf during kzalloc() on the in_work structure. The connected documents confirm a fix that adds a ...
CVE-2025-22015
CVE-2025-22015 : In the Linux kernel, the vulnerability lies in mm/migrate where a shmem folio can be in page cache or swap cache but not both. The root cause is that __folio_migrate_mapping() used folio_test_swapbacked() to determine how many xarray entries to update, which conflates shmem in pa...
CVE-2024-50284
CVE-2024-50284 is a Linux kernel issue affecting ksmbd where missing xa_store error checking could fail the XArray storage, potentially enabling privilege/escalation in affected kernel code paths. The root cause is improper handling of xa_store() returning xa_err(-EINVAL) or xa_err(-ENOMEM). Publ...
CVE-2026-31705
The CVE-2026-31705 issue affects the ksmbd component of the Linux kernel, where an out-of-bounds write occurs in smb2_get_ea() during EA alignment padding. After writing each EA entry, a 4-byte alignment padding is applied with memset() unconditionally, potentially overwriting adjacent kernel hea...
CVE-2026-31432
CVE-2026-31432 affects the Linux kernel ksmbd component. Affected handling of compound requests (e.g., READ + QUERY_INFO(Security)) could allow an out-of-bounds write when the first READ command consumes most of the response buffer and ksmbd builds a security descriptor. The root cause is that sm...
CVE-2026-31478
The CVE-2026-31478 issue affects ksmbd in the Linux kernel. The root cause is an incorrect calculation of the response buffer length in smb2_calc_max_out_buf_len(), where a hardcoded hdr2_len was used instead of the correct offset to the Buffer field. The security advisories describe that after a...
CVE-2026-23220
CVE-2026-23220 – Linux kernel ksmbd infinite loop fix : In ksmbd, when a signed SMB2 request fails verification, __process_request() triggers an error path that calls set_smb2_rsp_status() and resets next_smb2_rcv_hdr_off to zero. This loses the pointer to the next command in the chain, so is_cha...
CVE-2025-40039
CVE-2025-40039 relates to the Linux kernel ksmbd subsystem. It describes a race condition in the RPC handle list (sess->rpc_handle_list) managed per ksmbd session. The underlying issue: in ksmbd_session_rpc_open(), xa_store() and xa_erase() modify the XArray but were guarded only by a read loc...
CVE-2025-71220
Technical details about CVE-2025-71220 (affected product/component/version, root cause, impact, fixes) are not publicly provided in the supplied documents. Monitor for updates from vendors and security bulletins.
CVE-2026-31433
CVE-2026-31433 affects the Linux kernel ksmbd module. A vulnerability arises when processing a compound SMB request of QUERY_DIRECTORY + QUERY_INFO (FILE_ALL_INFORMATION): the code lacked a validation check on the client-provided OutputBufferLength before copying a filename into the smb2_file_all...
CVE-2025-68817
The CVE-2025-68817 entry concerns a Linux kernel ksmbd issue: a use-after-free in ksmbd_tree_connect_put under concurrent disconnect paths. Under high concurrency, a tcon (tree-connection object) can be freed on disconnect while another path still holds a reference and may later call *_put() or w...