Home

Description

In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free by using call_rcu() for oplock_info ksmbd currently frees oplock_info immediately using kfree(), even though it is accessed under RCU read-side critical sections in places like opinfo_get() and proc_show_files(). Since there is no RCU grace period delay between nullifying the pointer and freeing the memory, a reader can still access oplock_info structure after it has been freed. This can leads to a use-after-free especially in opinfo_get() where atomic_inc_not_zero() is called on already freed memory. Fix this by switching to deferred freeing using call_rcu().

PUBLISHED Reserved 2026-05-01 | Published 2026-05-08 | Updated 2026-05-08 | Assigner Linux

Product status

Default status
unaffected

296cb5457cc6f4a754c4ae29855f8a253d52bcc6 (git) before 302fef75512b2c8329a3f5efab1ae7ba2562387a
affected

d54ab1520d43e95f9b2e22d7a05fc9614192e5a5 (git) before 08aa9f3c8cf4d0bee44df540dfe34e8d64069f2c
affected

18b4fac5ef17f77fed9417d22210ceafd6525fc7 (git) before 1d6abf145615dbfe267ce3b0a271f95e3780e18e
affected

18b4fac5ef17f77fed9417d22210ceafd6525fc7 (git) before ce8507ee82c888126d8e7565e27c016308d24cde
affected

18b4fac5ef17f77fed9417d22210ceafd6525fc7 (git) before 1dfd062caa165ec9d7ee0823087930f3ab8a6294
affected

d73686367ad68534257cd88a36ca3c52cb8b81d8 (git)
affected

Default status
affected

6.15
affected

Any version before 6.15
unaffected

6.6.130 (semver)
unaffected

6.12.78 (semver)
unaffected

6.18.19 (semver)
unaffected

6.19.9 (semver)
unaffected

7.0 (original_commit_for_fix)
unaffected

References

git.kernel.org/...c/302fef75512b2c8329a3f5efab1ae7ba2562387a

git.kernel.org/...c/08aa9f3c8cf4d0bee44df540dfe34e8d64069f2c

git.kernel.org/...c/1d6abf145615dbfe267ce3b0a271f95e3780e18e

git.kernel.org/...c/ce8507ee82c888126d8e7565e27c016308d24cde

git.kernel.org/...c/1dfd062caa165ec9d7ee0823087930f3ab8a6294

cve.org (CVE-2026-43376)

nvd.nist.gov (CVE-2026-43376)

Download JSON