ksmbd: scope conn->binding slowpath to bound sessions only_CVE-2026-52911

8.8 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: scope conn->binding slowpath to bound sessions only

When the binding SESSION_SETUP sets conn->binding = true, the flag stays
set after the call so that the global session lookup in
ksmbd_session_lookup_all() can find the session, which was not added to
conn->sessions. Because the flag is connection-wide, the global lookup
path will also resolve any other session by id if asked.

Tighten the global lookup so that the returned session must have this
connection registered in its channel xarray (sess->ksmbd_chann_list).
The channel entry is installed by the existing binding_session path in
ntlm_authenticate()/krb5_authenticate() when a SESSION_SETUP completes
successfully, so this condition is a strict equivalent of "this
connection has been accepted as a channel of this session". Connections
that have not bound to a given session cannot reach it via the global
table.

The existing conn->binding gate for entering the slowpath is preserved
so that non-binding connections keep the fast-path-only behavior, and
the session->state check is unchanged.

Basic Information

ID CVE-2026-52911

Source Linux

Published Jun 21, 2026 at 06:18

Modified Jun 28, 2026 at 06:36

Affected Product

Vendor Linux

Product Linux

Version f5a544e3bab78142207e0242d22442db85ba1eff

Affected Versions Linux Linux f5a544e3bab78142207e0242d22442db85ba1eff
Linux Linux f5a544e3bab78142207e0242d22442db85ba1eff
Linux Linux f5a544e3bab78142207e0242d22442db85ba1eff
Linux Linux f5a544e3bab78142207e0242d22442db85ba1eff
Linux Linux f5a544e3bab78142207e0242d22442db85ba1eff
Linux Linux f5a544e3bab78142207e0242d22442db85ba1eff
Linux Linux f5a544e3bab78142207e0242d22442db85ba1eff
Linux Linux 5.15

References

{
    "lastseen": "",
    "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: scope conn->binding slowpath to bound sessions only\n\nWhen the binding SESSION_SETUP sets conn->binding = true, the flag stays\nset after the call so that the global session lookup in\nksmbd_session_lookup_all() can find the session, which was not added to\nconn->sessions. Because the flag is connection-wide, the global lookup\npath will also resolve any other session by id if asked.\n\nTighten the global lookup so that the returned session must have this\nconnection registered in its channel xarray (sess->ksmbd_chann_list).\nThe channel entry is installed by the existing binding_session path in\nntlm_authenticate()/krb5_authenticate() when a SESSION_SETUP completes\nsuccessfully, so this condition is a strict equivalent of \"this\nconnection has been accepted as a channel of this session\". Connections\nthat have not bound to a given session cannot reach it via the global\ntable.\n\nThe existing conn->binding gate for entering the slowpath is preserved\nso that non-binding connections keep the fast-path-only behavior, and\nthe session->state check is unchanged.",
    "published": "2026-06-21T06:18:49.342Z",
    "modified": "2026-06-28T06:36:29.042Z",
    "type": "cve",
    "title": "ksmbd: scope conn->binding slowpath to bound sessions only",
    "source": "Linux",
    "references": "https://git.kernel.org/stable/c/e74c00c6af428a39e564cdc5bd3a3648c6d8de87\nhttps://git.kernel.org/stable/c/e3a93ce6e25757b8f375e38b8f91e1d9da4edc1a\nhttps://git.kernel.org/stable/c/1ff46c9915c1cbf454db58a8cb87f7cac818e6a6\nhttps://git.kernel.org/stable/c/974c1c224e85549dc3459f3bb2255bbbdd2b9372\nhttps://git.kernel.org/stable/c/2cc8a4db633b10715450b291c1343859a4b2c509\nhttps://git.kernel.org/stable/c/1e2bec062c5c9ec282636715166056d0998d746d\nhttps://git.kernel.org/stable/c/b0da97c034b6107d14e537e212d4ce8b22109a58",
    "id": "CVE-2026-52911",
    "bulletinFamily": "",
    "cwe": null,
    "cvelist": null,
    "sourceData": "Linux Linux f5a544e3bab78142207e0242d22442db85ba1eff\nLinux Linux f5a544e3bab78142207e0242d22442db85ba1eff\nLinux Linux f5a544e3bab78142207e0242d22442db85ba1eff\nLinux Linux f5a544e3bab78142207e0242d22442db85ba1eff\nLinux Linux f5a544e3bab78142207e0242d22442db85ba1eff\nLinux Linux f5a544e3bab78142207e0242d22442db85ba1eff\nLinux Linux f5a544e3bab78142207e0242d22442db85ba1eff\nLinux Linux 5.15",
    "sourceHref": "",
    "cvss": {
        "score": 8.8,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Linux",
    "version": "f5a544e3bab78142207e0242d22442db85ba1eff",
    "vendor": "Linux",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

References

💭 Join the Security Discussion ❌ Cancel Reply