CVE-2023-3866

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2023-3866
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-3866.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-3866
Downstream
Published
2025-08-16T13:27:57.332Z
Modified
2026-02-13T11:10:18.090734Z
Summary
ksmbd: validate session id and tree id in the compound request
Details

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: validate session id and tree id in the compound request

This patch validate session id and tree id in compound request. If first operation in the compound is SMB2 ECHO request, ksmbd bypass session and tree validation. So work->sess and work->tcon could be NULL. If secound request in the compound access work->sess or tcon, It cause NULL pointer dereferecing error.

Database specific 
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/3xxx/CVE-2023-3866.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
0626e6641f6b467447c81dd7678a69c66f7746cf
Fixed
eb947403518ea3d93f6d89264bb1f5416bb0c7d0
Fixed
854156d12caa9d36de1cf5f084591c7686cc8a9d
Fixed
d1066c1b3663401cd23c0d6e60cdae750ce00c0f
Fixed
5005bcb4219156f1bf7587b185080ec1da08518e

Affected versions

v5.*
v5.13
v5.13-rc2
v5.13-rc3
v5.13-rc4
v5.13-rc5
v5.13-rc6
v5.13-rc7
v5.14
v5.14-rc1
v5.14-rc2
v5.14-rc3
v5.14-rc4
v5.14-rc5
v5.14-rc6
v5.14-rc7
v5.15
v5.15-rc1
v5.15-rc2
v5.15-rc3
v5.15-rc4
v5.15-rc5
v5.15-rc6
v5.15-rc7
v5.15.1
v5.15.10
v5.15.100
v5.15.101
v5.15.102
v5.15.103
v5.15.104
v5.15.105
v5.15.106
v5.15.107
v5.15.108
v5.15.109
v5.15.11
v5.15.110
v5.15.111
v5.15.112
v5.15.113
v5.15.114
v5.15.115
v5.15.116
v5.15.117
v5.15.118
v5.15.119
v5.15.12
v5.15.120
v5.15.13
v5.15.14
v5.15.15
v5.15.16
v5.15.17
v5.15.18
v5.15.19
v5.15.2
v5.15.20
v5.15.21
v5.15.22
v5.15.23
v5.15.24
v5.15.25
v5.15.26
v5.15.27
v5.15.28
v5.15.29
v5.15.3
v5.15.30
v5.15.31
v5.15.32
v5.15.33
v5.15.34
v5.15.35
v5.15.36
v5.15.37
v5.15.38
v5.15.39
v5.15.4
v5.15.40
v5.15.41
v5.15.42
v5.15.43
v5.15.44
v5.15.45
v5.15.46
v5.15.47
v5.15.48
v5.15.49
v5.15.5
v5.15.50
v5.15.51
v5.15.52
v5.15.53
v5.15.54
v5.15.55
v5.15.56
v5.15.57
v5.15.58
v5.15.59
v5.15.6
v5.15.60
v5.15.61
v5.15.62
v5.15.63
v5.15.64
v5.15.65
v5.15.66
v5.15.67
v5.15.68
v5.15.69
v5.15.7
v5.15.70
v5.15.71
v5.15.72
v5.15.73
v5.15.74
v5.15.75
v5.15.76
v5.15.77
v5.15.78
v5.15.79
v5.15.8
v5.15.80
v5.15.81
v5.15.82
v5.15.83
v5.15.84
v5.15.85
v5.15.86
v5.15.87
v5.15.88
v5.15.89
v5.15.9
v5.15.90
v5.15.91
v5.15.92
v5.15.93
v5.15.94
v5.15.95
v5.15.96
v5.15.97
v5.15.98
v5.15.99
v5.16
v5.16-rc1
v5.16-rc2
v5.16-rc3
v5.16-rc4
v5.16-rc5
v5.16-rc6
v5.16-rc7
v5.16-rc8
v5.17
v5.17-rc1
v5.17-rc2
v5.17-rc3
v5.17-rc4
v5.17-rc5
v5.17-rc6
v5.17-rc7
v5.17-rc8
v5.18
v5.18-rc1
v5.18-rc2
v5.18-rc3
v5.18-rc4
v5.18-rc5
v5.18-rc6
v5.18-rc7
v5.19
v5.19-rc1
v5.19-rc2
v5.19-rc3
v5.19-rc4
v5.19-rc5
v5.19-rc6
v5.19-rc7
v5.19-rc8
v6.*
v6.0
v6.0-rc1
v6.0-rc2
v6.0-rc3
v6.0-rc4
v6.0-rc5
v6.0-rc6
v6.0-rc7
v6.1
v6.1-rc1
v6.1-rc2
v6.1-rc3
v6.1-rc4
v6.1-rc5
v6.1-rc6
v6.1-rc7
v6.1-rc8
v6.1.1
v6.1.10
v6.1.11
v6.1.12
v6.1.13
v6.1.14
v6.1.15
v6.1.16
v6.1.17
v6.1.18
v6.1.19
v6.1.2
v6.1.20
v6.1.21
v6.1.22
v6.1.23
v6.1.24
v6.1.25
v6.1.26
v6.1.27
v6.1.28
v6.1.29
v6.1.3
v6.1.30
v6.1.31
v6.1.32
v6.1.33
v6.1.34
v6.1.35
v6.1.4
v6.1.5
v6.1.6
v6.1.7
v6.1.8
v6.1.9
v6.2
v6.2-rc1
v6.2-rc2
v6.2-rc3
v6.2-rc4
v6.2-rc5
v6.2-rc6
v6.2-rc7
v6.2-rc8
v6.3
v6.3-rc1
v6.3-rc2
v6.3-rc3
v6.3-rc4
v6.3-rc5
v6.3-rc6
v6.3-rc7
v6.3.1
v6.3.2
v6.3.3
v6.3.4
v6.3.5
v6.3.6
v6.3.7
v6.3.8
v6.3.9
v6.4-rc1
v6.4-rc2
v6.4-rc3
v6.4-rc4
v6.4-rc5
v6.4-rc6

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-3866.json"
vanir_signatures 
[
    {
        "signature_type": "Line",
        "signature_version": "v1",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@854156d12caa9d36de1cf5f084591c7686cc8a9d",
        "digest": {
            "line_hashes": [
                "267242770938056707685734820599829800749",
                "291800898915931027443665200663440822535",
                "1284858620700519204524976307979858318",
                "287456224673710019090457876668619593140",
                "200216563264256439142659459251517555664",
                "99908170931663940424761157640203870596",
                "27741602090142187058648638301037587493",
                "291813553625938596167011780204210591299",
                "48986189948527503971952488597098366038",
                "71213142967054930950841377869500280622",
                "67449277874346076267028449647186358003",
                "18558859952585831897674541591496019890",
                "158237971288520947933486848813701798441",
                "150121467915037224418266654940488836124",
                "270131202633379580848013588943467073525",
                "134424682372636945666866844109924004751",
                "338658923237748833725704714425239532555",
                "47798365528593122425948200981551362332",
                "257514322129342949052191618997009976472",
                "131125023786940800632023894110445593396",
                "133386468890301905080126437118760078992",
                "78295184216052625710784499611708833663",
                "190462755204058514606693048621684279676",
                "277765686370586621393294564203138825910",
                "5609077463187768930044564356096404188",
                "239534310717662232206936298640361912316"
            ],
            "threshold": 0.9
        },
        "id": "CVE-2023-3866-20ce6acf",
        "deprecated": false,
        "target": {
            "file": "fs/ksmbd/smb2pdu.c"
        }
    },
    {
        "signature_type": "Line",
        "signature_version": "v1",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@854156d12caa9d36de1cf5f084591c7686cc8a9d",
        "digest": {
            "line_hashes": [
                "19377509034539034966105917485935205732",
                "296426338255953836383852185467717717033",
                "170138534016413696835862443013351789014",
                "336060456380232932285749309586024813973",
                "118683840042434214708825899470617812721",
                "239587488263740324810916160248675910279",
                "134738505580861096318761602512464798577",
                "238302778316225268898378557513033399366",
                "121831217648899347259694606151718407508",
                "67039376667685660764847743763588385106",
                "328319207426412413267213728004270223561",
                "8532172087941725979342575608489578276",
                "236726211491082952308401550505440857813",
                "290840767088519689156318632112194810364",
                "204875600737447811316108661738911348082",
                "260524006171949445179576645680397931947",
                "8127631615736030531485837480603898204",
                "252574485712969882390480168183888526887",
                "301704517585018280066019842031034975450",
                "131957988345946097008730356141031115397"
            ],
            "threshold": 0.9
        },
        "id": "CVE-2023-3866-2ea38f9b",
        "deprecated": false,
        "target": {
            "file": "fs/ksmbd/server.c"
        }
    },
    {
        "signature_type": "Function",
        "signature_version": "v1",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@854156d12caa9d36de1cf5f084591c7686cc8a9d",
        "digest": {
            "function_hash": "2877946218821253804395747297594387326",
            "length": 643.0
        },
        "id": "CVE-2023-3866-4032cf20",
        "deprecated": false,
        "target": {
            "file": "fs/ksmbd/smb2pdu.c",
            "function": "smb2_get_ksmbd_tcon"
        }
    },
    {
        "signature_type": "Function",
        "signature_version": "v1",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@854156d12caa9d36de1cf5f084591c7686cc8a9d",
        "digest": {
            "function_hash": "1039125785357466364743701976815573287",
            "length": 1861.0
        },
        "id": "CVE-2023-3866-b795f845",
        "deprecated": false,
        "target": {
            "file": "fs/ksmbd/server.c",
            "function": "__handle_ksmbd_work"
        }
    },
    {
        "signature_type": "Function",
        "signature_version": "v1",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@854156d12caa9d36de1cf5f084591c7686cc8a9d",
        "digest": {
            "function_hash": "51658026496125893869267915930610721970",
            "length": 551.0
        },
        "id": "CVE-2023-3866-f20da448",
        "deprecated": false,
        "target": {
            "file": "fs/ksmbd/smb2pdu.c",
            "function": "smb2_check_user_session"
        }
    }
]

Git / github.com/gregkh/linux

Affected ranges

Type
GIT
Repo
https://github.com/gregkh/linux
Events
Introduced
c9c3395d5e3dcc6daee66c6908354d47bf98cb0c
Fixed
28ae0a748c161ed01e2f43018beb978c74e12a0d
Introduced
dc7089468610f429e9264420c43d5a3625fd5d8b
Fixed
46f504b49ab970ce3a93d45b8e2051b9d50ab5b2
Introduced
df0cc57e057f18e44dac8e6c18aba47ab53202f9
Fixed
a1c449d00ff8ce2c5fcea5f755df682d1f6bc2ef

Affected versions

v5.*
v5.16
v5.17
v5.17-rc1
v5.17-rc2
v5.17-rc3
v5.17-rc4
v5.17-rc5
v5.17-rc6
v5.17-rc7
v5.17-rc8
v5.18
v5.18-rc1
v5.18-rc2
v5.18-rc3
v5.18-rc4
v5.18-rc5
v5.18-rc6
v5.18-rc7
v5.19
v5.19-rc1
v5.19-rc2
v5.19-rc3
v5.19-rc4
v5.19-rc5
v5.19-rc6
v5.19-rc7
v5.19-rc8
v6.*
v6.0
v6.0-rc1
v6.0-rc2
v6.0-rc3
v6.0-rc4
v6.0-rc5
v6.0-rc6
v6.0-rc7
v6.1
v6.1-rc1
v6.1-rc2
v6.1-rc3
v6.1-rc4
v6.1-rc5
v6.1-rc6
v6.1-rc7
v6.1-rc8
v6.1.1
v6.1.10
v6.1.11
v6.1.12
v6.1.13
v6.1.14
v6.1.15
v6.1.16
v6.1.17
v6.1.18
v6.1.19
v6.1.2
v6.1.20
v6.1.21
v6.1.22
v6.1.23
v6.1.24
v6.1.25
v6.1.26
v6.1.27
v6.1.28
v6.1.29
v6.1.3
v6.1.30
v6.1.31
v6.1.32
v6.1.33
v6.1.34
v6.1.35
v6.1.4
v6.1.5
v6.1.6
v6.1.7
v6.1.8
v6.1.9
v6.2
v6.3
v6.3-rc1
v6.3-rc2
v6.3-rc3
v6.3-rc4
v6.3-rc5
v6.3-rc6
v6.3-rc7
v6.3.1
v6.3.2
v6.3.3
v6.3.4
v6.3.5
v6.3.6
v6.3.7
v6.3.8
v6.3.9

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-3866.json"