CVE-2026-43378 Overview
CVE-2026-43378 is a use-after-free vulnerability in the Linux kernel's in-kernel SMB server (ksmbd). The flaw resides in the smb2_open() function within the smb/server subsystem. The opinfo pointer obtained via rcu_dereference(fp->f_opinfo) is dereferenced after rcu_read_unlock(), creating a use-after-free window. An attacker capable of reaching the SMB service can trigger the race and access freed memory. The Linux kernel maintainers resolved the issue across multiple stable branches via the referenced git commits.
Critical Impact
Use-after-free in the ksmbd smb2_open() handler may allow memory corruption or kernel-level disruption on systems exposing SMB.
Affected Products
- Linux kernel smb/server (ksmbd) subsystem
- Stable kernel branches referenced in the upstream fix commits
- Systems exposing ksmbd to network clients
Discovery Timeline
- 2026-05-08 - CVE-2026-43378 published to NVD
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2026-43378
Vulnerability Analysis
The vulnerability exists in the smb2_open() handler of ksmbd, the Linux kernel SMB3 server. During SMB2 open processing, the code retrieves an opinfo (oplock info) pointer using rcu_dereference(fp->f_opinfo) inside an RCU read-side critical section. The pointer is then dereferenced after rcu_read_unlock() has been called. Once the RCU read lock is released, the underlying opinfo object may be reclaimed by a concurrent path, leaving the original pointer dangling. Subsequent dereference reads or modifies freed kernel memory, classified as use-after-free [CWE-416].
Root Cause
The defect is an RCU usage error. RCU guarantees only that a referenced object remains valid while the read-side critical section is held. By extending pointer access beyond rcu_read_unlock() without taking an explicit reference (for example via a refcount on opinfo), the code violates RCU's lifetime contract. The upstream patches restructure the access pattern so that either the pointer is consumed inside the RCU section or a stable reference is acquired before unlocking.
Attack Vector
Exploitation requires the target to run ksmbd and accept SMB2 connections from the attacker. A client issues crafted SMB2 OPEN requests, potentially in parallel with operations that release the associated opinfo, to race the unlock and free. Successful triggering can corrupt kernel memory, crash the host, or, depending on heap layout, be leveraged for further memory-safety exploitation in kernel context. Authentication requirements depend on the share configuration of the target ksmbd instance.
No public proof-of-concept is referenced for CVE-2026-43378. Technical detail is available in the upstream fix commits, including kernel.org commit 1e689a5 and kernel.org commit 54b48ae.
Detection Methods for CVE-2026-43378
Indicators of Compromise
- Kernel oops or KASAN: use-after-free reports referencing smb2_open or ksmbd symbols in dmesg.
- Unexpected ksmbd.mountd or kernel thread crashes correlated with active SMB sessions.
- Repeated SMB2 CREATE/OPEN bursts from a single client preceding kernel instability.
Detection Strategies
- Enable KASAN on test or canary kernels to surface the use-after-free condition during fuzzing or production replay.
- Monitor kernel logs for stack traces containing smb2_open, rcu_dereference, or opinfo references.
- Inventory hosts running ksmbd and verify their kernel build against the patched stable commits.
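To make the log-based detection above concrete, here is an added example (not code from the page or from the kernel project): a Python parser that extracts KASAN use-after-free reports from dmesg text and flags those whose faulting frame or freeing path lies in the ksmbd module. The sample log is constructed to mirror the KASAN report layout; its offsets, addresses and task ids are placeholders.

```python
import re
# Constructed sample dmesg excerpt in KASAN report layout; offsets, addresses
# and task ids are placeholders, not taken from a real crash.
SAMPLE_DMESG = """\
[  812.104211] ==================================================================
[  812.104250] BUG: KASAN: slab-use-after-free in smb2_open+0x2f1c/0x4a60 [ksmbd]
[  812.104297] Read of size 8 at addr ffff8881043a2c40 by task kworker/u8:3/612
[  812.104410] Call Trace:
[  812.104500]  smb2_open+0x2f1c/0x4a60 [ksmbd]
[  812.104560]  handle_ksmbd_work+0x1a8/0x4c0 [ksmbd]
[  812.104800] Freed by task 604:
[  812.104830]  kfree+0x9e/0x1f0
[  812.104860]  close_id_del_oplock+0x11a/0x2a0 [ksmbd]
[  812.104900] ==================================================================
[  900.000100] usb 1-1: new high-speed USB device number 3 using xhci_hcd
"""

TRIGGER = re.compile(r"BUG: KASAN: (?P<kind>[\w-]*use-after-free) in (?P<fn>\w+)\+0x[0-9a-f]+/0x[0-9a-f]+ \[(?P<mod>\w+)\]")
SECTION = re.compile(r"^\[\s*[\d.]+\] (?P<name>Call Trace|Allocated|Freed)(?: by task \d+)?:")
FRAME = re.compile(r"^\[\s*[\d.]+\]\s+(?P<fn>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+(?: \[(?P<mod>\w+)\])?$")

def parse_kasan_reports(text):
    """Split dmesg text into KASAN UAF reports: faulting fn, module, stack sections."""
    reports, cur, section = [], None, None
    for line in text.splitlines():
        m = TRIGGER.search(line)
        if m:
            cur = {"kind": m["kind"], "fn": m["fn"], "mod": m["mod"], "stacks": {}}
            section = None
        elif cur is None:
            continue                       # noise outside any report
        elif (s := SECTION.match(line)):
            section = s["name"]
            cur["stacks"][section] = []
        elif (f := FRAME.match(line)) and section:
            cur["stacks"][section].append((f["fn"], f["mod"]))
        elif "=====" in line:              # closing rule ends the report
            reports.append(cur)
            cur = section = None
    return reports

def ksmbd_uaf_alerts(reports, module="ksmbd"):
    """One alert per report whose faulting frame or freeing path is in ksmbd."""
    alerts = []
    for r in reports:
        freed_in_mod = any(mod == module for _, mod in r["stacks"].get("Freed", []))
        if r["mod"] == module or freed_in_mod:
            trace = [fn for fn, mod in r["stacks"].get("Call Trace", []) if mod == module]
            alerts.append(f"{r['kind']} in {r['fn']} [{module}]; module frames: {' <- '.join(trace)}")
    return alerts
```

Feed it `dmesg` or journald kernel output; reports that fault in another module and are not freed by a ksmbd path are left out so the alert stays specific to this bug class.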
Monitoring Recommendations
- Forward kernel ring buffer and journald events to a centralized log platform for crash correlation.
- Alert on anomalous SMB2 OPEN request rates and repeated session resets against Linux SMB servers.
- Track kernel package versions across the fleet to confirm patch deployment status.
How to Mitigate CVE-2026-43378
Immediate Actions Required
- Upgrade affected systems to a Linux kernel release that incorporates the upstream ksmbd fix commits.
- Restrict network exposure of ksmbd to trusted management networks until patches are applied.
- Disable ksmbd on hosts that do not require an in-kernel SMB server and use a user-space alternative if necessary.
Patch Information
The vulnerability is resolved in the Linux stable tree by the commits referenced in the NVD entry, including 190e5f8, 1e689a5, 54b48ae, 8f5b1a7, b720c84, and e1b21e6. Apply the distribution kernel update aligned with your stable branch.
Workarounds
- Unload the ksmbd module (modprobe -r ksmbd) on hosts where the service is not required.
- Block inbound TCP/445 at the host firewall for untrusted networks until the kernel is updated.
- Limit SMB share access to authenticated users and disable guest access to reduce the unauthenticated attack surface.
# Verify ksmbd status and block SMB at the host firewall until patched
lsmod | grep ksmbd
sudo systemctl stop ksmbd.service 2>/dev/null
sudo modprobe -r ksmbd
sudo iptables -I INPUT -p tcp --dport 445 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.