CVE Catalog

CVE-2026-53010

CriticalCVSS 9.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.44%

35th percentile — higher than 35% of all known CVEs

Summary

A use-after-free vulnerability was found in the Linux kernel's ksmbd module in the smb2_open function during durable file descriptor reconnection. Premature release of the fp reference leads to accessing freed memory when accessing file properties like fp->create_time.

Risk Assessment

An attacker could exploit this vulnerability to achieve remote code execution or cause a system crash (DoS) by sending a crafted SMB2 request during durable reconnection.

Recommendation

Immediately update the Linux kernel to a version containing the fix that moves the ksmbd_put_durable_fd call to the end of the smb2_open function, below the err_out2 label.

Original NVD description (English source)

In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free in smb2_open during durable reconnect In smb2_open, the call to ksmbd_put_durable_fd(fp) drops the reference to the durable file descriptor early during the durable reconnect process. If an error occurs subsequently (eg, ksmbd_iov_pin_rsp fails) or a scavenger accesses the file, it leads to a use-after-free when accessing fp properties (eg fp->create_time). Move the single put to the end of the function below err_out2 so fp stays valid until smb2_open returns.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS