CRITICAL
ksmbd Durable Handle UAF
CVE-2026-31718
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
KernelScan AI score: 9.8 (CRITICAL)
01 Description

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: fix use-after-free in __ksmbd_close_fd() via durable scavenger

When a durable file handle survives session disconnect (TCP close without SMB2_LOGOFF), session_fd_check() sets fp->conn = NULL to preserve the handle for later reconnection. However, it did not clean up the byte-range locks on fp->lock_list.

Later, when the durable scavenger thread times out and calls __ksmbd_close_fd(NULL, fp), the lock cleanup loop did:

    spin_lock(&fp->conn->llist_lock);

This caused a slab use-after-free because fp->conn was NULL and the original connection object had already been freed by ksmbd_tcp_disconnect().

The root cause is asymmetric cleanup: lock entries (smb_lock->clist) were left dangling on the freed conn->lock_list while fp->conn was nulled out.

To fix this issue properly, we need to handle the lifetime of smb_lock->clist across three paths:

- Safely skip clist deletion when list is empty and fp->conn is NULL.
- Remove the lock from the old connection's lock_list in session_fd_check().
- Re-add the lock to the new connection's lock_list in ksmbd_reopen_durable_fd().
02 KernelScan AI Analysis
Risk summary
A critical use-after-free vulnerability in the Linux kernel's SMB server (ksmbd) allows remote attackers to cause memory corruption by manipulating durable file handle cleanup during session disconnects. When SMB clients disconnect without proper logoff, the server fails to properly clean up byte-range locks, leading to access of freed memory when the cleanup thread runs. This could potentially lead to system crashes or code execution.
Vulnerability analysis
Root Cause: When a durable SMB file handle survives session disconnect, session_fd_check() sets fp->conn = NULL to preserve the handle for later reconnection, but fails to clean up byte-range locks on fp->lock_list. Later, when the durable scavenger thread times out and calls __ksmbd_close_fd(NULL, fp), the lock cleanup loop attempts to access fp->conn->llist_lock, causing a use-after-free since fp->conn is NULL and the original connection object was already freed by ksmbd_tcp_disconnect().
Attack Surface: Network-accessible SMB server functionality. Requires the ability to establish SMB connections and create durable file handles, then trigger session disconnects without a proper SMB2_LOGOFF. The vulnerability is triggered by the durable scavenger thread's timeout mechanism, making it exploitable through network manipulation of SMB sessions.
Fix Mechanism: The patch implements proper lifetime management for smb_lock->clist across three code paths: (1) In __ksmbd_close_fd(), safely skip clist deletion when the list is empty and fp->conn is NULL, (2) In session_fd_check(), remove locks from the old connection's lock_list before nulling fp->conn, and (3) In ksmbd_reopen_durable_fd(), re-add locks to the new connection's lock_list. This ensures symmetric cleanup and prevents dangling references.
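The asymmetric cleanup and the three-path fix, modelled as an added example (this is a simplified user-space model written for this page, not ksmbd source): a lock records which connection's list it sits on, a freed connection is only marked dead so the model can count would-be use-after-free accesses instead of crashing, and the `fixed` flag switches between the original and the patched behaviour of session_fd_check() and ksmbd_reopen_durable_fd().

```c
/* Simplified user-space model of the ksmbd durable-handle lifecycle
 * described above (added example, not ksmbd source). The names mirror
 * the functions in the description; the data structures are assumptions. */
#include <stddef.h>

struct conn { int alive; };
struct smb_lock { struct conn *on_conn; };   /* non-NULL: on that conn's lock_list */
struct file { struct conn *conn; struct smb_lock *lock_list[4]; int n; };

/* TCP close without SMB2_LOGOFF: the durable handle outlives the session.
 * The buggy code only nulled fp->conn; the fix first unlinks the locks. */
static void session_fd_check(struct file *fp, int fixed)
{
    for (int i = 0; fixed && i < fp->n; i++)
        fp->lock_list[i]->on_conn = NULL;    /* remove from old conn->lock_list */
    fp->conn = NULL;
}
/* Reconnect reclaims the handle; the fix re-adds locks to the new conn. */
static void ksmbd_reopen_durable_fd(struct file *fp, struct conn *nc, int fixed)
{
    fp->conn = nc;
    for (int i = 0; fixed && i < fp->n; i++)
        fp->lock_list[i]->on_conn = nc;      /* add to new conn->lock_list */
}
/* Scavenger close: returns how many lock entries would be unlinked through
 * a NULL or already-freed connection (0 means the close is safe). */
static int ksmbd_close_fd(struct file *fp)
{
    int unsafe = 0;
    for (int i = 0; i < fp->n; i++) {
        struct smb_lock *lk = fp->lock_list[i];
        if (lk->on_conn == NULL && fp->conn == NULL)
            continue;                        /* fixed path: clist empty, nothing to do */
        if (fp->conn == NULL || (lk->on_conn && !lk->on_conn->alive))
            unsafe++;                        /* spin_lock(&fp->conn->llist_lock) on bad conn */
        else
            lk->on_conn = NULL;              /* normal unlink from a live connection */
    }
    return unsafe;
}
/* The scenario from the description: one byte-range lock, disconnect,
 * old connection freed, optional reconnect, then the scavenger close. */
int run_scenario(int fixed, int reconnect)
{
    struct conn c1 = { 1 }, c2 = { 1 };
    struct smb_lock lk = { &c1 };            /* lock taken on c1 */
    struct file fp = { &c1, { &lk }, 1 };
    session_fd_check(&fp, fixed);
    c1.alive = 0;                            /* ksmbd_tcp_disconnect() frees c1 */
    if (reconnect) ksmbd_reopen_durable_fd(&fp, &c2, fixed);
    return ksmbd_close_fd(&fp);
}
```

With the original behaviour the close touches the freed connection whether or not the client reconnects; with all three fix paths in place it never does.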
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.12 | 6.12.84 | e33c65f01198 |
| 6.18 | 6.18.25 | 3d6682726c2d |
| 6.6 | 6.6.140 | 0000a7780e0e |
| 7.0 | 7.0.2 | b34fc42cfe92 |
| mainline | 7.1-rc1 | 235e32320a47 |