KernelScan.io

CRITICAL

ksmbd OpInfo UAF

CVE-2026-43379

CVSS 9.8 / 10.0 (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

KernelScan AI score: 7.5 HIGH


In the Linux kernel, the following vulnerability has been resolved:

ksmbd: fix use-after-free in smb_lazy_parent_lease_break_close()

opinfo pointer obtained via rcu_dereference(fp->f_opinfo) is being accessed after rcu_read_unlock() has been called. This creates a race condition where the memory could be freed by a concurrent writer between the unlock and the subsequent pointer dereferences (opinfo->is_lease, etc.), leading to a use-after-free.


Engine v0.2.0

Risk summary

Network-based attackers with low privileges (authenticated SMB users) can trigger a use-after-free in the ksmbd SMB server through concurrent access to lease break operations. This could lead to kernel memory corruption, privilege escalation, or system crashes on systems running ksmbd for SMB file sharing.

Affected: fs/smb/server/oplock.c (ksmbd)

Vulnerability analysis

The vulnerability is in smb_lazy_parent_lease_break_close(), where an opinfo pointer obtained via rcu_dereference(fp->f_opinfo) is dereferenced after rcu_read_unlock() has been called. Once the RCU read-side critical section ends, a concurrent writer may free the opinfo object, so the subsequent dereferences (opinfo->is_lease, etc.) can touch freed memory, a use-after-free. The fix moves the pointer validation checks inside the RCU read-side critical section and ensures rcu_read_unlock() is called on every exit path. This is a network-facing vulnerability; an attacker must have an authenticated SMB session to interact with ksmbd and must win the race.


Branch     Fixed in   Patch commit
6.12       6.12.78    960699317d39
6.18       6.18.19    dbbd328cf582
6.19       6.19.9     b3568347c51c
6.6        6.6.130    bf4d66d72e4a
mainline   7.0        eac3361e3d5d