CVE Vulnerability Database

CVE-2026-52944: Linux Kernel ksmbd Permission Bypass Vulnerability

CVE-2026-52944 is a permission (authorization) bypass vulnerability in the Linux kernel's ksmbd module: the handler for FSCTL_SET_SPARSE performs no share-level or handle-level access check. It is not an authentication bypass; the client must already hold a valid SMB session. This article covers the technical details, affected versions, impact, and mitigation.

CVE-2026-52944 Overview

CVE-2026-52944 is a permission bypass vulnerability in the Linux kernel's ksmbd in-kernel SMB3 server. The flaw resides in the fsctl_set_sparse() function, which handles the FSCTL_SET_SPARSE control code. The function modifies a file's sparse attribute and persists it through extended attributes (xattr) without performing any permission checks.

The vulnerability allows authenticated SMB clients to set or clear the sparse attribute on files in read-only shares, and on files opened through a handle that was granted neither FILE_WRITE_DATA nor FILE_WRITE_ATTRIBUTES. The issue has been resolved upstream through multiple stable kernel commits.

Critical Impact

Authenticated SMB clients can bypass share-level and handle-level access controls in ksmbd to set or clear the sparse attribute on files they are only permitted to read. File contents are not modified, but the attribute change is persisted on the server, so the guarantee that a read-only share (or a read-only handle) cannot alter server-side state no longer holds.

Affected Products

  • Linux kernels built with the in-kernel SMB3 server (CONFIG_SMB_SERVER, module ksmbd) that predate the fix commits listed below
  • Linux distributions shipping such kernels with ksmbd enabled
  • SMB file shares exported via ksmbd, in particular shares configured read-only or accessed with read-only handles

Discovery Timeline

  • 2026-06-24 - CVE-2026-52944 published to NVD
  • 2026-06-24 - Last updated in NVD database

Technical Details for CVE-2026-52944

Vulnerability Analysis

The vulnerability is a broken access control flaw in the ksmbd kernel module. The fsctl_set_sparse() function processes the FSCTL_SET_SPARSE IOCTL request from SMB clients and updates the file's sparse attribute, storing the change persistently using xattr. The function omits both share-level and handle-level permission validation.

Other FSCTL write operations in ksmbd invoke test_tree_conn_flag(work->tcon, KSMBD_TREE_CONN_FLAG_WRITABLE) to confirm the share permits writes. FSCTL_SET_SPARSE did not perform this check. Similar handle-level access checks for FILE_WRITE_DATA or FILE_WRITE_ATTRIBUTES exist elsewhere in the codebase but were absent in this code path.

Root Cause

The root cause is missing authorization logic in the FSCTL dispatch path. The function trusted client requests without verifying the security context of the tree connection or the file handle. This permitted state-modifying operations on resources the client should not be able to alter.

Attack Vector

An authenticated SMB client connects to a ksmbd share and opens a file using a handle that lacks write permissions, or connects to a share marked read-only. The client then issues an FSCTL_SET_SPARSE IOCTL through the SMB2 IOCTL request. The kernel updates the sparse flag and stores it via xattr, bypassing the intended access policy. The fix introduces both the share-level writable check and per-handle access check, and uses goto out on error to avoid leaking file references.
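The pre-fix and post-fix shapes of the handler, written here as an added userspace C model rather than ksmbd's own code. The struct names, the single TREE_CONN_WRITABLE bit standing in for KSMBD_TREE_CONN_FLAG_WRITABLE, the reference counter, and the placement of the share check ahead of the handle lookup are assumptions; the access-mask and attribute constants are the MS-SMB2/MS-FSCC values. It replays a SetSparse=1 request on a read-only share and on a read-only handle through both handlers and shows that the fixed one refuses the request without leaking the file reference.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* SMB access-mask bits (MS-SMB2 2.2.13.1) and the DOS attribute being toggled. */
#define FILE_READ_DATA             0x00000001u
#define FILE_WRITE_DATA            0x00000002u
#define FILE_WRITE_ATTRIBUTES      0x00000100u
#define FILE_ATTRIBUTE_SPARSE_FILE 0x00000200u

/* Assumption: one bit stands in for ksmbd's KSMBD_TREE_CONN_FLAG_WRITABLE. */
#define TREE_CONN_WRITABLE         0x1u

struct tree_conn   { unsigned flags; };
struct inode_info  { uint32_t m_fattr; };   /* cached DOS attributes for the file */
struct file_handle {                        /* stand-in for struct ksmbd_file */
    uint32_t daccess;                       /* access rights granted at SMB2 CREATE */
    struct inode_info *ci;
    int refs;                               /* lookup takes a reference, put drops it */
};

static struct file_handle *lookup_fd(struct file_handle *fp) { fp->refs++; return fp; }
static void fd_put(struct file_handle *fp) { fp->refs--; }

static void apply_sparse(struct inode_info *ci, uint8_t set)
{
    if (set) ci->m_fattr |=  FILE_ATTRIBUTE_SPARSE_FILE;
    else     ci->m_fattr &= ~FILE_ATTRIBUTE_SPARSE_FILE;
    /* the persist-to-xattr step is not modelled here */
}

/* Shape of the pre-fix handler: any open handle on any share can flip the bit. */
int fsctl_set_sparse_vulnerable(struct tree_conn *tcon, struct file_handle *fp, uint8_t set)
{
    (void)tcon;                             /* share mode is never consulted */
    fp = lookup_fd(fp);
    apply_sparse(fp->ci, set);              /* fp->daccess is never consulted */
    fd_put(fp);
    return 0;
}

/* Shape of the fixed handler: the share must be writable and the handle must
 * carry FILE_WRITE_DATA or FILE_WRITE_ATTRIBUTES; every failure after the
 * lookup leaves through out so the reference is always dropped. */
int fsctl_set_sparse_fixed(struct tree_conn *tcon, struct file_handle *fp, uint8_t set)
{
    int ret = 0;

    if (!(tcon->flags & TREE_CONN_WRITABLE))
        return -EACCES;                     /* no reference taken yet */

    fp = lookup_fd(fp);
    if (!(fp->daccess & (FILE_WRITE_DATA | FILE_WRITE_ATTRIBUTES))) {
        ret = -EACCES;
        goto out;
    }
    apply_sparse(fp->ci, set);
out:
    fd_put(fp);
    return ret;
}

/* Replays one SetSparse=1 request through the chosen handler and packs the
 * outcome into a bitmask: bit0 = request accepted, bit1 = sparse attribute now
 * set, bit2 = a file reference was leaked. */
int replay_request(int use_fixed, unsigned tcon_flags, uint32_t daccess)
{
    struct inode_info ci = { 0 };
    struct file_handle fp = { daccess, &ci, 0 };
    struct tree_conn tcon = { tcon_flags };
    int ret = use_fixed ? fsctl_set_sparse_fixed(&tcon, &fp, 1)
                        : fsctl_set_sparse_vulnerable(&tcon, &fp, 1);
    int mask = 0;
    if (ret == 0)                                mask |= 1;
    if (ci.m_fattr & FILE_ATTRIBUTE_SPARSE_FILE) mask |= 2;
    if (fp.refs != 0)                            mask |= 4;
    return mask;
}

int main(void)
{
    /* Read-only share, handle opened with FILE_READ_DATA only. */
    printf("vulnerable, ro share:      %d\n", replay_request(0, 0, FILE_READ_DATA));                  /* 3 */
    printf("fixed, ro share:           %d\n", replay_request(1, 0, FILE_READ_DATA));                  /* 0 */
    /* Writable share but a read-only handle: still refused by the fix. */
    printf("fixed, ro handle:          %d\n", replay_request(1, TREE_CONN_WRITABLE, FILE_READ_DATA)); /* 0 */
    /* Writable share and FILE_WRITE_ATTRIBUTES: a legitimate request succeeds. */
    printf("fixed, write-attrs handle: %d\n", replay_request(1, TREE_CONN_WRITABLE, FILE_WRITE_ATTRIBUTES)); /* 3 */
    return 0;
}
```

The bitmask value 3 (accepted and attribute set, no leak) from the vulnerable handler on a read-only share is the bug; 0 from the fixed handler is the intended refusal, and the absence of bit 4 in every case is what the goto-out error path buys.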

No public exploit code is available. See the Linux Kernel Commit 3127a884 and related upstream patches for the corrective changes.

Detection Methods for CVE-2026-52944

Indicators of Compromise

  • Unexpected modification of the sparse attribute on files hosted on ksmbd shares. ksmbd keeps DOS attributes in the user.DosAttrib extended attribute, so inspect it with getfattr -n user.DosAttrib (lsattr shows filesystem inode flags, not this attribute).
  • SMB2 IOCTL requests with the FSCTL_SET_SPARSE control code (0x000900C4) targeting files on shares configured as read-only.
  • xattr changes on files where the connecting SMB session lacked FILE_WRITE_DATA or FILE_WRITE_ATTRIBUTES rights.

Detection Strategies

  • Audit ksmbd traffic at the network layer for SMB2 IOCTL frames carrying the FSCTL_SET_SPARSE opcode and correlate with the tree connect share access mode.
  • Watch for attribute changes on paths exported by ksmbd with an fsnotify-based tool (inotify IN_ATTRIB or fanotify) or a periodic baseline. Note that syscall audit rules on setxattr, lsetxattr and fsetxattr do not observe these writes: ksmbd performs them from kernel worker threads through the VFS directly, not through a syscall, so auditd records nothing for them.
  • Compare current kernel version against the patched commits referenced in the upstream advisory to identify vulnerable hosts.
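The network-layer check from the first strategy above, as an added C example that is not part of the advisory or of any ksmbd tooling. It decodes the SMB2 header and IOCTL request body laid out in MS-SMB2 (2.2.1.2 and 2.2.31), flags requests whose CtlCode is FSCTL_SET_SPARSE (0x000900C4), and pulls out the TreeId and SessionId needed to correlate with the tree-connect share mode. The sample messages are constructed inline, not captured traffic; the 4-byte NetBIOS session header that precedes each SMB2 message on TCP/445 is assumed to have been stripped already.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SMB2_HDR_LEN          64
#define SMB2_IOCTL_BODY_LEN   56           /* fixed part of the IOCTL request body */
#define SMB2_CMD_IOCTL        0x000B
#define FSCTL_SET_SPARSE      0x000900C4u
#define FSCTL_SET_ZERO_DATA   0x000980C8u  /* used only as a non-matching sample */

static const uint8_t SMB2_MAGIC[4] = { 0xfe, 'S', 'M', 'B' };

struct sparse_ioctl_hit {
    uint64_t session_id;   /* SMB2 header SessionId: join with session-setup logs */
    uint32_t tree_id;      /* SMB2 header TreeId: join with the tree-connect share mode */
    uint8_t  set_sparse;   /* FILE_SET_SPARSE_BUFFER.SetSparse, 1 = set, 0 = clear */
};

static uint16_t get_le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t get_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint64_t get_le64(const uint8_t *p) { return get_le32(p) | ((uint64_t)get_le32(p + 4) << 32); }
static void put_le16(uint8_t *p, uint16_t v) { p[0] = v & 0xff; p[1] = v >> 8; }
static void put_le32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (v >> (8 * i)) & 0xff; }

/* Classifies one SMB2 message. Returns 1 (and fills *hit) for an IOCTL request
 * carrying FSCTL_SET_SPARSE, 0 for any other well-formed message, -1 when the
 * bytes are too short or inconsistent to decide (log those separately). */
int detect_set_sparse(const uint8_t *msg, size_t len, struct sparse_ioctl_hit *hit)
{
    if (len < SMB2_HDR_LEN + SMB2_IOCTL_BODY_LEN || memcmp(msg, SMB2_MAGIC, 4) != 0)
        return -1;
    if (get_le16(msg + 12) != SMB2_CMD_IOCTL)   /* Command field */
        return 0;
    const uint8_t *body = msg + SMB2_HDR_LEN;
    if (get_le16(body) != 57)                   /* StructureSize is fixed at 57 */
        return -1;
    if (get_le32(body + 4) != FSCTL_SET_SPARSE) /* CtlCode */
        return 0;
    uint32_t in_off = get_le32(body + 24);      /* InputOffset, relative to the header */
    uint32_t in_cnt = get_le32(body + 28);      /* InputCount */
    if (in_cnt < 1 || in_off < SMB2_HDR_LEN + SMB2_IOCTL_BODY_LEN || (size_t)in_off + in_cnt > len)
        return -1;
    hit->tree_id    = get_le32(msg + 36);
    hit->session_id = get_le64(msg + 40);
    hit->set_sparse = msg[in_off];
    return 1;
}

/* Builds a constructed (not captured) IOCTL request with a one-byte
 * FILE_SET_SPARSE_BUFFER payload; returns the message length. */
size_t build_ioctl(uint8_t *buf, uint32_t ctl_code, uint32_t tree_id, uint8_t set_sparse)
{
    memset(buf, 0, SMB2_HDR_LEN + 57);
    memcpy(buf, SMB2_MAGIC, 4);
    put_le16(buf + 4, SMB2_HDR_LEN);            /* header StructureSize */
    put_le16(buf + 12, SMB2_CMD_IOCTL);
    put_le32(buf + 36, tree_id);
    uint8_t *body = buf + SMB2_HDR_LEN;
    put_le16(body, 57);
    put_le32(body + 4, ctl_code);
    put_le32(body + 24, SMB2_HDR_LEN + SMB2_IOCTL_BODY_LEN);
    put_le32(body + 28, 1);
    put_le32(body + 48, 1);                     /* Flags: SMB2_0_IOCTL_IS_FSCTL */
    body[SMB2_IOCTL_BODY_LEN] = set_sparse;
    return SMB2_HDR_LEN + 57;
}

/* Sample-driven wrapper: builds one request, optionally truncates it, runs the
 * detector and leaves the decoded fields in last_hit for inspection. */
struct sparse_ioctl_hit last_hit;
int classify_sample(uint32_t ctl_code, uint32_t tree_id, uint8_t set_sparse, size_t truncate_to)
{
    uint8_t buf[SMB2_HDR_LEN + 57];
    size_t n = build_ioctl(buf, ctl_code, tree_id, set_sparse);
    if (truncate_to && truncate_to < n) n = truncate_to;
    memset(&last_hit, 0, sizeof last_hit);
    return detect_set_sparse(buf, n, &last_hit);
}

int main(void)
{
    int v = classify_sample(FSCTL_SET_SPARSE, 3, 1, 0);
    printf("FSCTL_SET_SPARSE    -> %d (tree %u, SetSparse=%u)\n", v, last_hit.tree_id, last_hit.set_sparse);
    printf("FSCTL_SET_ZERO_DATA -> %d\n", classify_sample(FSCTL_SET_ZERO_DATA, 3, 1, 0));
    printf("truncated message   -> %d\n", classify_sample(FSCTL_SET_SPARSE, 3, 1, 100));
    return 0;
}
```

A hit whose TreeId maps to a read-only share, or whose session lacks write rights on the target file, is the indicator described above. This only works on cleartext SMB: if SMB3 encryption is enabled the IOCTL body is opaque on the wire and the host-side attribute baseline is the remaining signal.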

Monitoring Recommendations

  • Collect and centralize ksmbd messages from the kernel log (dmesg or the journal, where ksmbd reports errors) and ksmbd.mountd logs, along with kernel audit events, for SMB share activity.
  • Track file integrity baselines on read-only shares and alert on attribute drift.
  • Monitor authentication and session events for SMB clients issuing high volumes of FSCTL requests.

How to Mitigate CVE-2026-52944

Immediate Actions Required

  • Update the Linux kernel to a version that includes the upstream fixes referenced in commits 3127a884, aef151bcf, cc57232ca, and de9eb0b44.
  • Identify all hosts running ksmbd and prioritize patching of systems exposing read-only shares to untrusted users.
  • If patching is delayed, disable the ksmbd module on hosts that do not require an SMB server.

Patch Information

The vulnerability is resolved upstream through four Linux kernel commits: 3127a884, aef151bcf, cc57232ca, and de9eb0b44. The fix adds the share-level writable check and the per-handle FILE_WRITE_DATA / FILE_WRITE_ATTRIBUTES access check, and refactors the error path with goto out so that the file reference taken by the handle lookup is released on every exit.

Workarounds

  • Replace ksmbd with the Samba userspace SMB server until the kernel is patched, where operationally feasible.
  • Restrict SMB access to trusted network segments using host firewalls and limit authenticated users on read-only shares.
  • Unload the ksmbd kernel module on hosts that do not actively serve SMB traffic with modprobe -r ksmbd.
```bash
# Check the running kernel version; compare it against a build known to
# contain the fix commits (uname alone does not prove the patch is present)
uname -r

# Identify hosts with the ksmbd module loaded or the userspace daemon running
lsmod | grep -w ksmbd
pgrep -a ksmbd.mountd

# Disable the module if not required: stop the server first (ksmbd-tools),
# otherwise modprobe -r fails because the module is in use
sudo ksmbd.control -s
sudo modprobe -r ksmbd

# 'blacklist' only stops alias-based autoloading; 'install ... /bin/false'
# also refuses an explicit modprobe, so set both
printf 'blacklist ksmbd\ninstall ksmbd /bin/false\n' | sudo tee /etc/modprobe.d/disable-ksmbd.conf
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
