{ "public_date" : "2026-04-03T00:00:00Z", "bugzilla" : { "description" : "kernel: ksmbd: fix use-after-free in durable v2 replay of active file handles", "id" : "2454817", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2454817" }, "cwe" : "CWE-825", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nksmbd: fix use-after-free in durable v2 replay of active file handles\nparse_durable_handle_context() unconditionally assigns dh_info->fp->conn\nto the current connection when handling a DURABLE_REQ_V2 context with\nSMB2_FLAGS_REPLAY_OPERATION. ksmbd_lookup_fd_cguid() does not filter by\nfp->conn, so it returns file handles that are already actively connected.\nThe unconditional overwrite replaces fp->conn, and when the overwriting\nconnection is subsequently freed, __ksmbd_close_fd() dereferences the\nstale fp->conn via spin_lock(&fp->conn->llist_lock), causing a\nuse-after-free.\nKASAN report:\n[ 7.349357] ==================================================================\n[ 7.349607] BUG: KASAN: slab-use-after-free in _raw_spin_lock+0x75/0xe0\n[ 7.349811] Write of size 4 at addr ffff8881056ac18c by task kworker/1:2/108\n[ 7.350010]\n[ 7.350064] CPU: 1 UID: 0 PID: 108 Comm: kworker/1:2 Not tainted 7.0.0-rc3+ #58 PREEMPTLAZY\n[ 7.350068] Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n[ 7.350070] Workqueue: ksmbd-io handle_ksmbd_work\n[ 7.350083] Call Trace:\n[ 7.350087] \n[ 7.350087] dump_stack_lvl+0x64/0x80\n[ 7.350094] print_report+0xce/0x660\n[ 7.350100] ? __pfx__raw_spin_lock_irqsave+0x10/0x10\n[ 7.350101] ? __pfx___mod_timer+0x10/0x10\n[ 7.350106] ? _raw_spin_lock+0x75/0xe0\n[ 7.350108] kasan_report+0xce/0x100\n[ 7.350109] ? _raw_spin_lock+0x75/0xe0\n[ 7.350114] kasan_check_range+0x105/0x1b0\n[ 7.350116] _raw_spin_lock+0x75/0xe0\n[ 7.350118] ? __pfx__raw_spin_lock+0x10/0x10\n[ 7.350119] ? __call_rcu_common.constprop.0+0x25e/0x780\n[ 7.350125] ? close_id_del_oplock+0x2cc/0x4e0\n[ 7.350128] __ksmbd_close_fd+0x27f/0xaf0\n[ 7.350131] ksmbd_close_fd+0x135/0x1b0\n[ 7.350133] smb2_close+0xb19/0x15b0\n[ 7.350142] ? __pfx_smb2_close+0x10/0x10\n[ 7.350143] ? xas_load+0x18/0x270\n[ 7.350146] ? _raw_spin_lock+0x84/0xe0\n[ 7.350148] ? __pfx__raw_spin_lock+0x10/0x10\n[ 7.350150] ? _raw_spin_unlock+0xe/0x30\n[ 7.350151] ? ksmbd_smb2_check_message+0xeb2/0x24c0\n[ 7.350153] ? ksmbd_tree_conn_lookup+0xcd/0xf0\n[ 7.350154] handle_ksmbd_work+0x40f/0x1080\n[ 7.350156] process_one_work+0x5fa/0xef0\n[ 7.350162] ? assign_work+0x122/0x3e0\n[ 7.350163] worker_thread+0x54b/0xf70\n[ 7.350165] ? __pfx_worker_thread+0x10/0x10\n[ 7.350166] kthread+0x346/0x470\n[ 7.350170] ? recalc_sigpending+0x19b/0x230\n[ 7.350176] ? __pfx_kthread+0x10/0x10\n[ 7.350178] ret_from_fork+0x4fb/0x6c0\n[ 7.350183] ? __pfx_ret_from_fork+0x10/0x10\n[ 7.350185] ? __switch_to+0x36c/0xbe0\n[ 7.350188] ? __pfx_kthread+0x10/0x10\n[ 7.350190] ret_from_fork_asm+0x1a/0x30\n[ 7.350197] \n[ 7.350197]\n[ 7.355160] Allocated by task 123:\n[ 7.355261] kasan_save_stack+0x33/0x60\n[ 7.355373] kasan_save_track+0x14/0x30\n[ 7.355484] __kasan_kmalloc+0x8f/0xa0\n[ 7.355593] ksmbd_conn_alloc+0x44/0x6d0\n[ 7.355711] ksmbd_kthread_fn+0x243/0xd70\n[ 7.355839] kthread+0x346/0x470\n[ 7.355942] ret_from_fork+0x4fb/0x6c0\n[ 7.356051] ret_from_fork_asm+0x1a/0x30\n[ 7.356164]\n[ 7.356214] Freed by task 134:\n[ 7.356305] kasan_save_stack+0x33/0x60\n[ 7.356416] kasan_save_track+0x14/0x30\n[ 7.356527] kasan_save_free_info+0x3b/0x60\n[ 7.356646] __kasan_slab_free+0x43/0x70\n[ 7.356761] kfree+0x1ca/0x430\n[ 7.356862] ksmbd_tcp_disconnect+0x59/0xe0\n[ 7.356993] ksmbd_conn_handler_loop+0x77e/0xd40\n[ 7.357138] kthread+0x346/0x470\n[ 7.357240] ret_from_fork+0x4fb/0x6c0\n[ 7.357350] ret_from_fork_asm+0x1a/0x30\n[ 7.357463]\n[ 7.357513] The buggy address belongs to the object at ffff8881056ac000\n[ 7.357513] which belongs to the cache kmalloc-1k of size 1024\n[ 7.357857] The buggy address is located 396 bytes inside of\n[ 7.357857] freed 1024-byte region \n---truncated---", "A flaw was found in ksmbd, a component within the Linux kernel that provides server message block (SMB) functionality. This vulnerability, known as a use-after-free, occurs when the system attempts to access memory after it has been released. A remote attacker could exploit this by sending specially crafted SMB durable v2 replay requests. Successful exploitation could lead to a system crash, resulting in a denial of service, or potentially allow for arbitrary code execution." ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-23427\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23427\nhttps://lore.kernel.org/linux-cve-announce/2026040307-CVE-2026-23427-5456@gregkh/T" ], "name" : "CVE-2026-23427", "csaw" : false }