ksmbd: fix use-after-free from async crypto on Qualcomm crypto engine

9.8 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: fix use-after-free from async crypto on Qualcomm crypto engine

ksmbd_crypt_message() sets a NULL completion callback on AEAD requests
and does not handle the -EINPROGRESS return code from async hardware
crypto engines like the Qualcomm Crypto Engine (QCE). When QCE returns
-EINPROGRESS, ksmbd treats it as an error and immediately frees the
request while the hardware DMA operation is still in flight. The DMA
completion callback then dereferences freed memory, causing a NULL
pointer crash:

pc : qce_skcipher_done+0x24/0x174
lr : vchan_complete+0x230/0x27c
...
el1h_64_irq+0x68/0x6c
ksmbd_free_work_struct+0x20/0x118 [ksmbd]
ksmbd_exit_file_cache+0x694/0xa4c [ksmbd]

Use the standard crypto_wait_req() pattern with crypto_req_done() as
the completion callback, matching the approach used by the SMB client
in fs/smb/client/smb2ops.c. This properly handles both synchronous
engines (immediate return) and async engines (-EINPROGRESS followed
by callback notification).

AI Analysis

Use-after-free vulnerability in ksmbd due to incorrect handling of async crypto on Qualcomm crypto engine

Basic Information

ID CVE-2026-53046

Source Linux

Published Jun 24, 2026 at 16:29

Modified Jun 28, 2026 at 06:38

Affected Product

Vendor Linux

Product Linux

Version e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9

Affected Versions Linux Linux e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9
Linux Linux e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9
Linux Linux e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9
Linux Linux e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9
Linux Linux e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9
Linux Linux e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9
Linux Linux e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9
Linux Linux 5.15

AI Assessment

AI Score 9.8 / 10

AI Severity Critical

Vendor Linux

Product ksmbd

Version e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9

References

{
    "lastseen": "",
    "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix use-after-free from async crypto on Qualcomm crypto engine\n\nksmbd_crypt_message() sets a NULL completion callback on AEAD requests\nand does not handle the -EINPROGRESS return code from async hardware\ncrypto engines like the Qualcomm Crypto Engine (QCE). When QCE returns\n-EINPROGRESS, ksmbd treats it as an error and immediately frees the\nrequest while the hardware DMA operation is still in flight. The DMA\ncompletion callback then dereferences freed memory, causing a NULL\npointer crash:\n\n  pc : qce_skcipher_done+0x24/0x174\n  lr : vchan_complete+0x230/0x27c\n  ...\n  el1h_64_irq+0x68/0x6c\n  ksmbd_free_work_struct+0x20/0x118 [ksmbd]\n  ksmbd_exit_file_cache+0x694/0xa4c [ksmbd]\n\nUse the standard crypto_wait_req() pattern with crypto_req_done() as\nthe completion callback, matching the approach used by the SMB client\nin fs/smb/client/smb2ops.c. This properly handles both synchronous\nengines (immediate return) and async engines (-EINPROGRESS followed\nby callback notification).",
    "published": "2026-06-24T16:29:52.676Z",
    "modified": "2026-06-28T06:38:28.822Z",
    "type": "cve",
    "title": "ksmbd: fix use-after-free from async crypto on Qualcomm crypto engine",
    "source": "Linux",
    "references": "https://git.kernel.org/stable/c/57b47231055b431ed0a1a55f33cac32981564405\nhttps://git.kernel.org/stable/c/cc2da381875d4a67026e4c8feb3dba51a2a2d1bc\nhttps://git.kernel.org/stable/c/8fcefe840fa8c14ce667768e5b043286ac3bbcbe\nhttps://git.kernel.org/stable/c/8ef183216feaa24b66b940510d8b68f680eb56e9\nhttps://git.kernel.org/stable/c/7164b3953cefd540e7ebca828c793bc6869cfbc4\nhttps://git.kernel.org/stable/c/b46aa129fa2807bfe1545fe74d9295d53c51520b\nhttps://git.kernel.org/stable/c/3e298897f41c61450c2e7a4f457e8b2485eb35b3",
    "id": "CVE-2026-53046",
    "bulletinFamily": "",
    "cwe": null,
    "cvelist": null,
    "sourceData": "Linux Linux e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9\nLinux Linux e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9\nLinux Linux e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9\nLinux Linux e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9\nLinux Linux e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9\nLinux Linux e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9\nLinux Linux e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9\nLinux Linux 5.15",
    "sourceHref": "",
    "cvss": {
        "score": 9.8,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Linux",
    "version": "e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9",
    "vendor": "Linux",
    "ai_description": "Use-after-free vulnerability in ksmbd due to incorrect handling of async crypto on Qualcomm crypto engine",
    "ai_severity": "Critical",
    "ai_vendor": "Linux",
    "ai_product": "ksmbd",
    "ai_version": "e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9",
    "ai_score": 9.8
}

ksmbd: fix use-after-free from async crypto on Qualcomm crypto engine_CVE-2026-53046