ksmbd: fix use-after-free by using call_rcu() for oplock_info_CVE-2026-43376

9.8 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: fix use-after-free by using call_rcu() for oplock_info

ksmbd currently frees oplock_info immediately using kfree(), even
though it is accessed under RCU read-side critical sections in places
like opinfo_get() and proc_show_files().

Since there is no RCU grace period delay between nullifying the pointer
and freeing the memory, a reader can still access oplock_info
structure after it has been freed. This can leads to a use-after-free
especially in opinfo_get() where atomic_inc_not_zero() is called on
already freed memory.

Fix this by switching to deferred freeing using call_rcu().

Basic Information

ID CVE-2026-43376

Source Linux

Published May 8, 2026 at 14:21

Modified May 11, 2026 at 06:33

Affected Product

Vendor Linux

Product Linux

Version 296cb5457cc6f4a754c4ae29855f8a253d52bcc6

Affected Versions Linux Linux 296cb5457cc6f4a754c4ae29855f8a253d52bcc6
Linux Linux d54ab1520d43e95f9b2e22d7a05fc9614192e5a5
Linux Linux 18b4fac5ef17f77fed9417d22210ceafd6525fc7
Linux Linux 18b4fac5ef17f77fed9417d22210ceafd6525fc7
Linux Linux 18b4fac5ef17f77fed9417d22210ceafd6525fc7
Linux Linux d73686367ad68534257cd88a36ca3c52cb8b81d8
Linux Linux 6.15

References

{
    "lastseen": "",
    "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix use-after-free by using call_rcu() for oplock_info\n\nksmbd currently frees oplock_info immediately using kfree(), even\nthough it is accessed under RCU read-side critical sections in places\nlike opinfo_get() and proc_show_files().\n\nSince there is no RCU grace period delay between nullifying the pointer\nand freeing the memory, a reader can still access oplock_info\nstructure after it has been freed. This can leads to a use-after-free\nespecially in opinfo_get() where atomic_inc_not_zero() is called on\nalready freed memory.\n\nFix this by switching to deferred freeing using call_rcu().",
    "published": "2026-05-08T14:21:25.854Z",
    "modified": "2026-05-11T06:33:55.017Z",
    "type": "cve",
    "title": "ksmbd: fix use-after-free by using call_rcu() for oplock_info",
    "source": "Linux",
    "references": "https://git.kernel.org/stable/c/302fef75512b2c8329a3f5efab1ae7ba2562387a\nhttps://git.kernel.org/stable/c/08aa9f3c8cf4d0bee44df540dfe34e8d64069f2c\nhttps://git.kernel.org/stable/c/1d6abf145615dbfe267ce3b0a271f95e3780e18e\nhttps://git.kernel.org/stable/c/ce8507ee82c888126d8e7565e27c016308d24cde\nhttps://git.kernel.org/stable/c/1dfd062caa165ec9d7ee0823087930f3ab8a6294",
    "id": "CVE-2026-43376",
    "bulletinFamily": "",
    "cwe": null,
    "cvelist": null,
    "sourceData": "Linux Linux 296cb5457cc6f4a754c4ae29855f8a253d52bcc6\nLinux Linux d54ab1520d43e95f9b2e22d7a05fc9614192e5a5\nLinux Linux 18b4fac5ef17f77fed9417d22210ceafd6525fc7\nLinux Linux 18b4fac5ef17f77fed9417d22210ceafd6525fc7\nLinux Linux 18b4fac5ef17f77fed9417d22210ceafd6525fc7\nLinux Linux d73686367ad68534257cd88a36ca3c52cb8b81d8\nLinux Linux 6.15",
    "sourceHref": "",
    "cvss": {
        "score": 9.8,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Linux",
    "version": "296cb5457cc6f4a754c4ae29855f8a253d52bcc6",
    "vendor": "Linux",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

References

💭 Join the Security Discussion ❌ Cancel Reply