CRITICAL
smb OpInfo UAF
CVE-2026-43378
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
KernelScan AI: 7.5 HIGH
01 Description
In the Linux kernel, the following vulnerability has been resolved:

smb: server: fix use-after-free in smb2_open()

The opinfo pointer obtained via rcu_dereference(fp->f_opinfo) is dereferenced after rcu_read_unlock(), creating a use-after-free window.
02 KernelScan AI Analysis
Risk summary
A use-after-free vulnerability in the SMB server's file open handling could allow authenticated SMB clients to cause kernel crashes or potentially execute arbitrary code. Systems running SMB servers are at risk, particularly those exposed to untrusted networks or serving multiple tenants.
Vulnerability analysis
The vulnerability occurs in smb2_open() where an opinfo pointer obtained via RCU dereference is used after the RCU read lock is released, creating a use-after-free window. The fix replaces the unsafe RCU pattern with proper reference counting using opinfo_get()/opinfo_put(). This is network-reachable through SMB connections but requires authenticated access and specific timing to exploit.
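The difference between the two patterns described above, as an added userspace model in C (not kernel source and not the patch itself). Every `model_*` name and both struct types are hypothetical stand-ins, RCU is represented only by comments, and the scenario serializes the opener and the teardown so the result is deterministic.

```c
/* Userspace model, not kernel code: RCU is not modelled and "freed" is a
 * flag rather than a real free(), so the outcome can be inspected safely. */
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>

struct opinfo_model { atomic_int refcount; int level; bool freed; };
struct file_model { struct opinfo_model *f_opinfo; };  /* stand-in for fp */

/* Pattern from the description: nothing pins the object after the unlock. */
static struct opinfo_model *model_borrow_unpinned(struct file_model *fp)
{
    return fp->f_opinfo;  /* rcu_read_lock()/rcu_read_unlock() would wrap this */
}

/* Fixed pattern: increment-if-not-zero before leaving the read-side section. */
static struct opinfo_model *model_opinfo_get(struct file_model *fp)
{
    struct opinfo_model *op = fp->f_opinfo;
    int old = op ? atomic_load(&op->refcount) : 0;
    while (old != 0)
        if (atomic_compare_exchange_weak(&op->refcount, &old, old + 1))
            return op;    /* caller now owns a reference */
    return NULL;          /* no object, or it is already being torn down */
}

/* The last put is the only place the object is released. */
static void model_opinfo_put(struct opinfo_model *op)
{
    if (op && atomic_fetch_sub(&op->refcount, 1) == 1)
        op->freed = true;
}

/* One opener plus one teardown, serialized. Returns true if the object was
 * released while the opener still held a pointer it intended to read. */
static bool model_freed_while_in_use(bool pinned)
{
    struct opinfo_model op = { .refcount = 1, .level = 2, .freed = false };
    struct file_model fp = { .f_opinfo = &op };
    struct opinfo_model *mine = pinned ? model_opinfo_get(&fp) : model_borrow_unpinned(&fp);
    fp.f_opinfo = NULL;            /* teardown unpublishes the pointer ... */
    model_opinfo_put(&op);         /* ... and drops the file's reference   */
    bool stale = mine->freed;      /* the point where the opener would read */
    if (pinned) model_opinfo_put(mine);   /* opener is done with the object */
    return stale;
}

int main(void) { return model_freed_while_in_use(false) && !model_freed_while_in_use(true) ? 0 : 1; }
```

In the unpinned case the teardown's put is the last one, so the object is gone before the opener reads it; in the pinned case the release is deferred until the opener's own put.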
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.1 | 6.1.167 | e1b21e606661 |
| 6.12 | 6.12.78 | 54b48ae83de8 |
| 6.18 | 6.18.19 | 8f5b1a7cb009 |
| 6.19 | 6.19.9 | 190e5f808e80 |
| 6.6 | 6.6.130 | b720c84087cb |
| mainline | 7.0 | 1e689a561738 |