14 matches found
CVE-2024-50152
CVE-2024-50152 corresponds to a Linux kernel SMB client double-free in smb2_set_ea(), addressed by fixes that reinitialize the local variable ea to NULL to prevent a second free after a failure path. The MiracleLinux AXSA-2025-10392 advisory explicitly notes a fix for this exact issue (CVE-2024-5...
CVE-2024-46736
CVE-2024-46736 relates to the Linux kernel SMB (CIFS) client path smb2_rename_path handling. The issue arises when smb2_set_path_attr() is called with a valid cfile and returns -EINVAL; the reference to @cfile is dropped by a prior smb2_compound_op(), which can lead to a double put of @cfile. The...
CVE-2024-46796
CVE-2024-46796 (Linux kernel CIFS SMB2 client) : The vulnerability is due to a double put of @cfile in smb2_set_path_size() when smb2_compound_op() returns -EINVAL, causing a use-after-free in a Kasan trace during CIFS detach. The fix calls cifs_get_writable_path() before retrying, preventing the...
CVE-2024-36965
Technical details for CVE-2024-36965 are not publicly provided in the supplied documents. Please monitor official advisories and connected feeds for affected products, versions, impact, and fixes.
CVE-2026-46155
CVE-2026-46155 affects the Linux kernel SMB client. The vulnerability is an out-of-bounds read in smb2_compound_op() caused by memcpy reading size[0] (OutputBufferLength) when iov_len is smaller than that length after a truncated server response. This can leak adjacent kernel heap memory. Impact ...
CVE-2026-31717
In the Linux kernel ksmbd, a vulnerability allows an authenticated user to hijack an orphaned durable handle by reconnecting with a different security context. The issue stems from ksmbd not verifying that the requester’s SecurityContext matches the original opener when a durable handle is reconn...
CVE-2025-71223
CVE-2025-71223 affects the Linux kernel's ksmbd SMB server path (smb2_open and ksmbd_vfs_getattr). The issue is a refcount leak when ksmbd_vfs_getattr() fails, potentially causing resource leakage and local impact. A kernel update fixing the refcount leak is provided by the referenced advisories ...
CVE-2026-43379
CVE-2026-43379 affects ksmbd (Linux kernel) with a use-after-free in smb_lazy_parent_lease_break_close. The opinfo pointer obtained via rcu_dereference(fp->f_opinfo) is accessed after rcu_read_unlock(), creating a race where the memory could be freed by a concurrent writer before subsequent de...
CVE-2026-23427
Summary: CVE-2026-23427 affects ksmbd in the Linux kernel and has been fixed to address a use-after-free in durable v2 replay of active SMB file handles. The root cause is that parse_durable_handle_context() unconditionally assigns dh_info->fp->conn to the current connection when handling D...
CVE-2026-31718
The CVE-2026-31718 entries describe a use-after-free in ksmbd (Linux kernel in-kernel SMB3 server) triggered when a durable file handle survives a session disconnect. The root cause is an asymmetric cleanup of lock state: byte-range locks left on a freed conn->lock_list after fp->conn is nu...
CVE-2026-31614
MODE C: CVE-2026-31614 is a kernel SMB client vulnerability (Linux kernel). The issue is an out-of-bounds read in check_wsl_eas() that can leak up to 8 bytes of kernel heap via the EA name/value handling, potentially affecting how WSL ext attributes are interpreted. Patches have been released/mer...
CVE-2026-31693
CVE-2026-31693 affects the Linux kernel CIFS implementation. The issue arises when replaying a request: certain local variables were not reinitialized after a replay label, which can cause unpredictable behavior and potentially denial of service or instability. The vulnerability is limited to the...
CVE-2025-71204
CVE-2025-71204 concerns the Linux kernel SMB server (ksmbd) due to a refcount leak in parse_durable_handle_context. The issue occurs when a replay operation returns -ENOEXE C and the file ksmbd_file refcount is not released, as described in the initial document. The provided connected documents d...
CVE-2026-53271
CVE-2026-53271 affects the Linux kernel ksmbd component. The vulnerability is a NULL-deref in oplock/lease break notifiers: smb2_oplock_break_noti() and smb2_lease_break_noti() read opinfo->conn into a local buffer without READ_ONCE and without a NULL check. After opinfo_get_list() drops ci-&g...