CRITICAL
smb OpenFile UAF
CVE-2026-45972
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
KernelScan AI score: 7.6 HIGH
01 Description
In the Linux kernel, the following vulnerability has been resolved: smb: client: fix potential UAF and double free in smb2_open_file()
Zero out @err_iov and @err_buftype before retrying SMB2_open() to prevent a UAF bug if @data != NULL, otherwise a double free.
02 KernelScan AI Analysis
Risk summary
Local users with low privileges can trigger use-after-free or double-free conditions in the SMB client when opening files with specific access patterns. This can lead to kernel memory corruption, privilege escalation, or system crashes on systems mounting SMB/CIFS shares.
Vulnerability analysis
The vulnerability occurs in smb2_open_file() when retrying SMB2_open() after an access denied error. The original code frees the response buffer via free_rsp_buf() but fails to zero out err_iov and reset err_buftype before the retry. On the retry path, if SMB2_open() does not repopulate these variables (e.g., when data != NULL), the stale pointer is reused, leading to a use-after-free or double-free of the kernel response buffer. The fix adds memset(&err_iov, 0, sizeof(err_iov)) and err_buftype = CIFS_NO_BUFFER before the retry to ensure clean state. This is reachable locally when performing file operations on a mounted SMB share that triggers the access-permission fallback.
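To make the stale-state mechanism concrete, the following is an added user-space model, not the kernel's code and not part of the KernelScan entry: SMB2_open_stub, open_retry_frees and the data_set flag are constructed stand-ins for the kernel functions named above, and frees are counted rather than performed so the double free becomes observable.

```c
#include <errno.h>
#include <stdbool.h>
#include <string.h>

/* Constructed user-space model of the retry path described above, not kernel code:
 * SMB2_open() is a stub behaving as the analysis describes and frees are counted. */
enum buftype { CIFS_NO_BUFFER = 0, CIFS_SMALL_BUFFER = 1 };
struct kvec { void *iov_base; size_t iov_len; };
static int free_calls;   /* number of times the error buffer was "freed" */
/* Model of free_rsp_buf(): releases the buffer only when a type is recorded. */
static void free_rsp_buf(enum buftype type, void *buf)
{
    if (type != CIFS_NO_BUFFER && buf != NULL)
        free_calls++;
}
/* Stub SMB2_open(): attempt 0 fails with -EACCES; the retry resets state only if @data is NULL. */
static int SMB2_open_stub(int attempt, bool data_set, struct kvec *err_iov,
                          enum buftype *err_buftype, char *rsp)
{
    if (attempt == 0) {
        err_iov->iov_base = rsp;
        *err_buftype = CIFS_SMALL_BUFFER;
        return -EACCES;
    }
    if (!data_set) {
        memset(err_iov, 0, sizeof(*err_iov));
        *err_buftype = CIFS_NO_BUFFER;
    }
    return 0;
}

/* Runs open -> retry -> cleanup and returns the free count: 1 is correct,
 * 2 means the stale err_iov from the first attempt was freed a second time. */
static int open_retry_frees(bool data_set, bool hardened)
{
    char rsp[16];
    struct kvec err_iov = { NULL, 0 };
    enum buftype err_buftype = CIFS_NO_BUFFER;
    free_calls = 0;
    if (SMB2_open_stub(0, data_set, &err_iov, &err_buftype, rsp) == -EACCES) {
        free_rsp_buf(err_buftype, err_iov.iov_base);
        if (hardened) {   /* the fix: clear stale state before the retry */
            memset(&err_iov, 0, sizeof(err_iov));
            err_buftype = CIFS_NO_BUFFER;
        }
        (void)SMB2_open_stub(1, data_set, &err_iov, &err_buftype, rsp);
    }
    free_rsp_buf(err_buftype, err_iov.iov_base);   /* normal cleanup path */
    return free_calls;
}
```

Only the unpatched path with data set reaches a second free of the same buffer; every other combination frees it exactly once.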
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.1 | 6.1.165 | 96e53bb3ee2f |
| 6.6 | 6.6.128 | 7425453ea16d |
| 6.12 | 6.12.75 | 4d339b219004 |
| 6.18 | 6.18.14 | e66dcf7bb9c4 |
| 6.19 | 6.19.4 | 639deb962986 |
| mainline | 7.0 | ebbbc4bfad4c |