CVE-2026-53198

Source
https://cve.org/CVERecord?id=CVE-2026-53198
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53198.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-53198
Downstream
Related
Published
2026-06-25T08:39:07.650Z
Modified
2026-07-08T08:07:24.480492652Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
ksmbd: fix use-after-free of a deferred file_lock on double SMB2_CANCEL
Details

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: fix use-after-free of a deferred filelock on double SMB2CANCEL

A deferred byte-range lock (an SMB2LOCK that blocks) registers an async work on conn->asyncrequests via setupasyncwork(), with cancelfn = smb2removeblockedlock and cancelargv[0] pointing at the struct filelock.

When the request is cancelled, the worker frees the filelock with locksfreelock() and takes the cancelled early-exit, which "goto out"s and never reaches releaseasyncwork() -- the only site that unlinks the work from conn->asyncrequests and clears cancelfn/cancelargv. The work therefore stays matchable on asyncrequests with a live cancelfn pointing at the freed filelock, until connection teardown finally runs releaseasync_work().

smb2cancel() fires cancelfn unconditionally with no state guard, so a second SMB2CANCEL for the same AsyncId, arriving in that window, re-runs smb2removeblockedlock() on the freed file_lock -- a slab use-after-free:

BUG: KASAN: slab-use-after-free in __locksdeleteblock __locksdeleteblock locksdeleteblock ksmbdvfsposixlockunblock smb2removeblockedlock smb2cancel <- 2nd SMB2CANCEL fires cancelfn handleksmbdwork Allocated by ...: locksalloclock <- smb2lock Freed by ...: locksfreelock <- smb2lock (cancelled branch) ... cache filelockcache of size 192

Reproduced on mainline with KASAN by an authenticated SMB client.

Skip a work whose state is already KSMBDWORKCANCELLED so its cancel callback cannot be fired a second time.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53198.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9
Fixed
b7063c7426ea5a4d15e01b60538718765392f49d
Fixed
0da2e073f9cbf4985a0fd9acb71bc5ff599f8afd
Fixed
89ae9df09d2c1fb4a4eb495c113a7ce1dca34147
Fixed
14d2eee0193ac3cd1bf3d014373449f0b8d35d6d
Fixed
2b2eda2821cff1d1b5a423b6ee7d8fc6fbc8e694
Fixed
f580d27e8928828693df44ba2db0fffdbe11dfea

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53198.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.15.0
Fixed
6.1.176
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.143
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.94
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.18.36
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
7.0.13

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53198.json"