CVE-2026-43376 Overview
CVE-2026-43376 is a use-after-free vulnerability [CWE-416] in the Linux kernel's ksmbd in-kernel SMB3 server. The flaw exists in oplock (opportunistic lock) handling, where the oplock_info structure is released with kfree() while concurrent readers still reference it inside Read-Copy-Update (RCU) read-side critical sections. The upstream fix replaces the immediate free with deferred reclamation through call_rcu().
The vulnerability affects multiple Linux kernel 6.15 release candidates and early 7.0 release candidates running ksmbd.
Critical Impact
Remote, unauthenticated attackers reaching the SMB service can trigger memory corruption in the kernel, potentially leading to denial of service or arbitrary code execution at the kernel privilege level.
Affected Products
- Linux kernel 6.15 (including rc3 through rc7)
- Linux kernel 7.0 release candidates (rc1, rc2, rc3)
- Systems with the ksmbd SMB server module enabled and exposed
Discovery Timeline
- 2026-05-08 - CVE-2026-43376 published to the National Vulnerability Database (NVD)
- 2026-05-15 - Last updated in NVD database
Technical Details for CVE-2026-43376
Vulnerability Analysis
The ksmbd kernel module implements an SMB3 file server inside the Linux kernel. To coordinate cache state between SMB clients, the server maintains per-file oplock_info structures that track the current opportunistic lock owner and state. Several code paths, including opinfo_get() and proc_show_files(), walk these structures inside RCU read-side critical sections.
Before the patch, ksmbd nullified the pointer to oplock_info and then immediately called kfree() on the structure. No RCU grace period separated the unlink from the free. A concurrent reader that had already obtained a pointer through RCU traversal could therefore dereference memory that the writer had already returned to the slab allocator.
The most direct impact is in opinfo_get(), which calls atomic_inc_not_zero() on the reference count of the oplock_info object. When that memory has been freed and reused, the atomic operation runs against attacker-influenced or recycled contents, corrupting kernel state.
Root Cause
The defect is an RCU lifetime mismatch. Writers used the synchronous kfree() path while readers relied on RCU semantics, violating the rule that any object reachable through an RCU-protected pointer must outlive all in-flight readers. The fix moves deallocation behind call_rcu(), deferring the free until after a grace period when no reader can hold a stale reference.
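The following added example models the lifetime rule described above in plain user-space C; it is not kernel code, and the names (opinfo_get_model, opinfo_release_model, the freed flag standing in for slab reuse) are illustrative assumptions. It runs the same reader/writer interleaving twice, once with an immediate free as in the unpatched code and once with the free deferred behind a grace period as call_rcu() provides, and shows why atomic_inc_not_zero() is only safe in the second case.

```c
#include <stddef.h>

/* Model of the oplock_info lifetime rule (assumed names/fields, not kernel code). */
struct oplock_info { int refcount; int freed; };

static struct oplock_info *g_opinfo;      /* RCU-protected pointer (model) */
static int readers_in_flight;             /* open read-side critical sections */
static struct oplock_info *rcu_queue[8];  /* pending call_rcu() callbacks */
static int rcu_queued;

static void kfree_model(struct oplock_info *o) { o->freed = 1; } /* "slab" poison */
static void call_rcu_model(struct oplock_info *o) { rcu_queue[rcu_queued++] = o; }
static void rcu_read_lock_model(void) { readers_in_flight++; }

/* Leaving the last critical section ends the grace period: run deferred frees. */
static void rcu_read_unlock_model(void) {
    if (--readers_in_flight == 0)
        while (rcu_queued > 0) kfree_model(rcu_queue[--rcu_queued]);
}

/* opinfo_get(): atomic_inc_not_zero() on the refcount.
 * 1 = reference taken, 0 = object already dead (clean failure), -1 = touched freed memory. */
static int opinfo_get_model(struct oplock_info *o) {
    if (o->freed) return -1;                 /* what KASAN reports as use-after-free */
    if (o->refcount == 0) return 0;
    o->refcount++;
    return 1;
}

/* Writer drops the last reference, unlinks, then frees: at once (bug) or deferred (fix). */
static void opinfo_release_model(int deferred) {
    struct oplock_info *o = g_opinfo;
    o->refcount = 0;
    g_opinfo = NULL;                         /* rcu_assign_pointer(..., NULL) */
    if (deferred) call_rcu_model(o); else kfree_model(o);
}

/* Reader fetches the pointer under RCU, the writer races in, reader then calls opinfo_get(). */
int race(int deferred) {
    struct oplock_info obj = { 1, 0 };
    g_opinfo = &obj;
    rcu_read_lock_model();
    struct oplock_info *seen = g_opinfo;     /* rcu_dereference() */
    opinfo_release_model(deferred);          /* concurrent close path */
    int rc = opinfo_get_model(seen);
    rcu_read_unlock_model();                 /* grace period ends here in the fixed path */
    return rc;                               /* -1 with kfree(), 0 with call_rcu() */
}
```

With the deferred free the reader's increment simply fails because the count is already zero, which is the behaviour the upstream fix restores.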
Attack Vector
Exploitation requires the ability to establish SMB sessions with a host running a vulnerable ksmbd build. An attacker opens files and manipulates oplock state to race the close and free paths against concurrent operations that traverse oplock_info under RCU. Successful races produce a use-after-free in kernel memory, which a skilled attacker can shape into a denial of service or, with additional primitives, kernel-mode code execution.
No public proof-of-concept exploit was listed for this CVE at publication, and it is not present in the CISA Known Exploited Vulnerabilities catalog. The EPSS probability stands at 0.06%.
See the upstream commits for the source-level fix: 08aa9f3, 1d6abf1, 1dfd062, 302fef7, and ce8507e.
Detection Methods for CVE-2026-43376
Indicators of Compromise
- Kernel oops messages or KASAN use-after-free reports (lines beginning BUG: KASAN:) in dmesg that reference opinfo_get, proc_show_files, or other ksmbd symbols.
- Unexpected ksmbd worker thread crashes, panics, or service restarts under SMB load.
- Anomalous SMB sessions performing rapid open/close cycles with oplock requests from a single client.
Detection Strategies
- Enable Kernel Address Sanitizer (KASAN) in test or canary kernels to catch use-after-free conditions in ksmbd paths.
- Audit running kernel versions across the fleet and flag any host where uname -r matches a vulnerable 6.15 or 7.0 release-candidate build with ksmbd loaded.
- Inspect lsmod | grep ksmbd and ss -tlnp to identify hosts exposing TCP 445 from the kernel SMB server rather than user-space Samba.
Monitoring Recommendations
- Forward kernel logs to a centralized data lake and alert on ksmbd, oplock, or KASAN substrings.
- Monitor inbound TCP 445 traffic from non-trusted networks to any Linux host and treat unexpected SMB exposure as a finding.
- Track abnormal kernel thread crashes and correlate them with SMB session telemetry to identify race-condition exploitation attempts.
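As an added example (not part of the original advisory), the following C routine applies the first indicator above to kernel log text: it parses the first line of a KASAN report, "BUG: KASAN: <type> in <symbol>+0x...", and flags use-after-free reports whose symbol is one of the ksmbd reader paths named in the advisory or that carry the [ksmbd] module tag. The sample log lines are constructed, not captured from a real host.

```c
#include <string.h>

/* Constructed sample kernel log lines (not captured from a real host). */
static const char *sample_dmesg[] = {
    "[ 1201.412345] ksmbd: bind to 0.0.0.0:445 successful",
    "[ 1340.718021] BUG: KASAN: slab-use-after-free in opinfo_get+0x1a/0x90 [ksmbd]",
    "[ 1340.718030] Read of size 4 at addr ffff888012345678 by task kworker/0:1/123",
    "[ 1555.201100] BUG: KASAN: slab-out-of-bounds in ext4_lookup+0x42/0x200",
    "[ 1600.003322] BUG: KASAN: use-after-free in proc_show_files+0x88/0x120 [ksmbd]",
};
#define N_SAMPLE (sizeof sample_dmesg / sizeof sample_dmesg[0])

/* Reader-path symbols named in the advisory; extend with other ksmbd symbols as needed. */
static const char *watch_symbols[] = { "opinfo_get", "proc_show_files" };
#define N_WATCH (sizeof watch_symbols / sizeof watch_symbols[0])

/* Return 1 if line is a KASAN use-after-free report attributable to ksmbd,
 * copying the faulting symbol into sym; 0 otherwise (sym untouched). */
int is_ksmbd_uaf(const char *line, char *sym, size_t symlen) {
    char local[128];
    const char *p = strstr(line, "BUG: KASAN: ");
    if (!p) return 0;
    p += strlen("BUG: KASAN: ");
    /* "use-after-free in" also matches the newer "slab-use-after-free in" wording. */
    const char *s = strstr(p, "use-after-free in ");
    if (!s) return 0;
    s += strlen("use-after-free in ");
    size_t n = strcspn(s, "+ ");                /* symbol ends at "+0x..." or a space */
    if (n >= sizeof local) n = sizeof local - 1;
    memcpy(local, s, n); local[n] = '\0';
    int hit = strstr(line, "[ksmbd]") != NULL;   /* module tag present */
    for (size_t i = 0; !hit && i < N_WATCH; i++)
        hit = strcmp(local, watch_symbols[i]) == 0;
    if (!hit) return 0;
    strncpy(sym, local, symlen - 1); sym[symlen - 1] = '\0';
    return 1;
}

/* Walk the sample and count hits; last_sym receives the final matching symbol. */
int count_ksmbd_uaf(char *last_sym, size_t len) {
    int hits = 0;
    for (size_t i = 0; i < N_SAMPLE; i++)
        if (is_ksmbd_uaf(sample_dmesg[i], last_sym, len)) hits++;
    return hits;
}
```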
How to Mitigate CVE-2026-43376
Immediate Actions Required
- Upgrade affected Linux hosts to a kernel build that includes the call_rcu() fix for oplock_info, as referenced in the upstream stable commits.
- Where patching is not immediately possible, unload the module with modprobe -r ksmbd and disable any ksmbd systemd units.
- Restrict inbound TCP 445 at the host and network firewall to known SMB clients only.
Patch Information
The vulnerability is resolved upstream by switching oplock_info deallocation to deferred RCU freeing using call_rcu(). Apply the kernel update that includes the relevant commits: 08aa9f3c8cf4, 1d6abf145615, 1dfd062caa16, 302fef75512b, and ce8507ee82c8. Distribution-maintained kernels should be updated through the standard package manager once vendor builds incorporating these commits are published.
Workarounds
- Disable the in-kernel ksmbd server and use user-space Samba (smbd) instead until the patched kernel is deployed.
- Block TCP 445 inbound at perimeter and host firewalls, and require VPN or zero-trust access for SMB clients.
- Limit ksmbd share exposure to authenticated, internal subnets and disable guest access in ksmbd.conf.
# Verify ksmbd status and disable it until patched (stop the service before unloading the module)
lsmod | grep ksmbd
sudo systemctl stop ksmbd.service
sudo systemctl disable ksmbd.service
sudo modprobe -r ksmbd
# Confirm the running kernel and update it
uname -r
sudo apt update && sudo apt upgrade linux-image-generic # Debian/Ubuntu
sudo dnf update kernel # RHEL/Fedora
# Block inbound SMB at the host firewall (assumes an existing inet filter table with an input chain; adjust to your ruleset)
sudo nft add rule inet filter input tcp dport 445 drop
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.