ksmbd: fix use-after-free in smb2_open during durable reconnect_CVE-2026-53010

9.8 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: fix use-after-free in smb2_open during durable reconnect

In smb2_open, the call to ksmbd_put_durable_fd(fp) drops the reference
to the durable file descriptor early during the durable reconnect
process. If an error occurs subsequently (eg, ksmbd_iov_pin_rsp fails)
or a scavenger accesses the file, it leads to a use-after-free when
accessing fp properties (eg fp->create_time).

Move the single put to the end of the function below err_out2 so fp
stays valid until smb2_open returns.

AI Analysis

Use-after-free vulnerability in ksmbd during durable reconnect

Basic Information

ID CVE-2026-53010

Source Linux

Published Jun 24, 2026 at 16:29

Modified Jun 28, 2026 at 06:38

Affected Product

Vendor Linux

Product Linux

Version c8efcc786146a951091588e5fa7e3c754850cb3c

Affected Versions Linux Linux c8efcc786146a951091588e5fa7e3c754850cb3c
Linux Linux c8efcc786146a951091588e5fa7e3c754850cb3c
Linux Linux c8efcc786146a951091588e5fa7e3c754850cb3c
Linux Linux 8df4bcdb0a4232192b2445256c39b787d58ef14d
Linux Linux 6.6.32
Linux Linux 6.9

AI Assessment

AI Score 9.8 / 10

AI Severity Critical

Vendor Linux

Product ksmbd

Version c8efcc786146a951091588e5fa7e3c754850cb3c, 6.6.32, 6.9

References

{
    "lastseen": "",
    "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix use-after-free in smb2_open during durable reconnect\n\nIn smb2_open, the call to ksmbd_put_durable_fd(fp) drops the reference\nto the durable file descriptor early during the durable reconnect\nprocess. If an error occurs subsequently (eg, ksmbd_iov_pin_rsp fails)\nor a scavenger accesses the file, it leads to a use-after-free when\naccessing fp properties (eg fp->create_time).\n\nMove the single put to the end of the function below err_out2 so fp\nstays valid until smb2_open returns.",
    "published": "2026-06-24T16:29:21.211Z",
    "modified": "2026-06-28T06:38:01.524Z",
    "type": "cve",
    "title": "ksmbd: fix use-after-free in smb2_open during durable reconnect",
    "source": "Linux",
    "references": "https://git.kernel.org/stable/c/ce2e164c1c51c3f7813b80f8c926836e896bcbb3\nhttps://git.kernel.org/stable/c/97a0cd55283b4e63fd92804da91c8d9896adcad9\nhttps://git.kernel.org/stable/c/1baff47b81f94f9231c91236aa511420d0e266b9",
    "id": "CVE-2026-53010",
    "bulletinFamily": "",
    "cwe": null,
    "cvelist": null,
    "sourceData": "Linux Linux c8efcc786146a951091588e5fa7e3c754850cb3c\nLinux Linux c8efcc786146a951091588e5fa7e3c754850cb3c\nLinux Linux c8efcc786146a951091588e5fa7e3c754850cb3c\nLinux Linux 8df4bcdb0a4232192b2445256c39b787d58ef14d\nLinux Linux 6.6.32\nLinux Linux 6.9",
    "sourceHref": "",
    "cvss": {
        "score": 9.8,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Linux",
    "version": "c8efcc786146a951091588e5fa7e3c754850cb3c",
    "vendor": "Linux",
    "ai_description": "Use-after-free vulnerability in ksmbd during durable reconnect",
    "ai_severity": "Critical",
    "ai_vendor": "Linux",
    "ai_product": "ksmbd",
    "ai_version": "c8efcc786146a951091588e5fa7e3c754850cb3c, 6.6.32, 6.9",
    "ai_score": 9.8
}