CVE-2026-53271: Linux Kernel Privilege Escalation Flaw

CVE-2026-53271 is a privilege escalation vulnerability in the Linux kernel's ksmbd module that causes a NULL pointer dereference. This post covers the technical details, affected versions, security impact, and mitigation.

CVE-2026-53271 Overview

CVE-2026-53271 is a NULL pointer dereference vulnerability in the Linux kernel's ksmbd in-kernel SMB3 server. The flaw resides in smb2_oplock_break_noti() and smb2_lease_break_noti(), which read opinfo->conn into a local variable without using READ_ONCE() or performing a NULL check. A concurrent SMB2 LOGOFF processed by session_fd_check() can set op->conn = NULL after opinfo_get_list() has dropped ci->m_lock. The subsequent call to ksmbd_conn_r_count_inc(conn) then writes through a NULL pointer at offset 0xc4, producing a remotely triggerable kernel oops.

Critical Impact

An unauthenticated or authenticated SMB client can race oplock/lease break processing against session logoff to trigger a kernel NULL pointer dereference, causing a remote denial of service against any Linux host exposing ksmbd.

Affected Products

  • Linux kernel ksmbd SMB3 server module
  • Stable kernel branches addressed by commits 1ff58dc, 75e33de, 945a86b, b003086, and e735dba
  • Any Linux distribution shipping ksmbd with SMB2/SMB3 file sharing enabled

Discovery Timeline

  • 2026-06-25 - CVE-2026-53271 published to NVD
  • 2026-06-25 - Last updated in NVD database

Technical Details for CVE-2026-53271

Vulnerability Analysis

The defect is a classic concurrency-induced NULL pointer dereference in the kernel SMB server. ksmbd tracks oplocks and leases through struct oplock_info, which carries a conn pointer back to the originating ksmbd_conn. When the server must notify a client that an oplock or lease is being broken, oplock_break() walks the per-inode oplock list under ci->m_lock, then drops the lock before calling the break notifier functions.

During this window, another thread handling an SMB2 LOGOFF request can execute session_fd_check(), which clears op->conn while holding ci->m_lock. Because smb2_oplock_break_noti() and smb2_lease_break_noti() read opinfo->conn without READ_ONCE() and without a NULL guard, the notifier proceeds with a NULL conn. The first dereference occurs inside ksmbd_conn_r_count_inc(conn), which increments a reference counter located at offset 0xc4 in the connection structure, resulting in a kernel-mode write to address 0xc4 and an oops.

The condition is reachable over the network by any client that can establish an SMB2 session and trigger an oplock or lease break followed by a rapid LOGOFF.

Root Cause

The root cause is missing synchronization between the oplock break path and session teardown. opinfo_get_list() releases ci->m_lock before the notifier functions read opinfo->conn, while session_fd_check() mutates that field under the same lock. The result is a time-of-check time-of-use (TOCTOU) window where opinfo->conn can transition from a valid pointer to NULL between list traversal and notifier execution.

Attack Vector

A remote attacker who can speak SMB2/SMB3 to a vulnerable ksmbd instance can trigger the race by opening files with oplocks or leases, prompting the server to issue break notifications, then issuing concurrent SMB2 LOGOFF requests. Successful exploitation crashes the kernel and disrupts file sharing for all clients on that host. The vulnerability does not require special privileges beyond the ability to authenticate to the SMB service, and in some configurations guest sessions may suffice.

No public proof-of-concept code is referenced in the advisory. The upstream fix is published across kernel stable commits, including 1ff58dc, 75e33de, 945a86b, b003086, and e735dba.

Detection Methods for CVE-2026-53271

Indicators of Compromise

  • Kernel oops messages referencing smb2_oplock_break_noti or smb2_lease_break_noti in dmesg or /var/log/kern.log.
  • NULL pointer dereference faults addressing offsets near 0xc4 originating from ksmbd_conn_r_count_inc.
  • Unexpected reboots or ksmbd worker thread crashes coinciding with SMB2 LOGOFF traffic bursts.

Detection Strategies

  • Monitor host telemetry for ksmbd kernel module faults and correlate with concurrent SMB session establishment and logoff events.
  • Inspect SMB traffic for clients that rapidly open files with oplock/lease requests and immediately issue LOGOFF, a pattern consistent with race triggering.
  • Track running kernel versions across the fleet to identify hosts that still expose unpatched ksmbd builds.

Monitoring Recommendations

  • Forward kernel facility syslog messages to a centralized log platform and alert on oops or panic events involving ksmbd symbols.
  • Capture SMB2 protocol metadata at network sensors to baseline normal session lifecycles and surface anomalous logoff bursts.
  • Audit which hosts have ksmbd loaded by checking lsmod | grep ksmbd and reviewing exposure on TCP port 445.

How to Mitigate CVE-2026-53271

Immediate Actions Required

  • Apply the upstream kernel patches referenced above or upgrade to a distribution kernel that includes the fix.
  • Restrict access to TCP port 445 on ksmbd hosts to trusted client networks until patching is complete.
  • Disable ksmbd on systems that do not require in-kernel SMB serving and use samba userspace alternatives where appropriate.

Patch Information

The fix mirrors the pattern already used by compare_guid_key(): read opinfo->conn with READ_ONCE() and return early when the pointer is NULL, before allocating the work struct, so no resources leak. A NULL conn indicates the client has disconnected and the break is no longer meaningful, so the notifier returns 0 and oplock_break() proceeds with normal teardown. The patch is distributed across stable branches in commits 1ff58dcfcab4, 75e33deda658, 945a86b21b40, b003086d7696, and e735dbd489e3.
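To make the race under Root Cause and the fix described here concrete, the following userspace model is added here and is not ksmbd source: it replays the window in which session teardown clears opinfo->conn after the per-inode lock has been dropped, and contrasts the vulnerable notifier shape with the READ_ONCE()-plus-NULL-check shape. Function and field names follow the advisory; the struct layouts, the work allocation size and the return values are assumptions.

```c
/* Added model, not ksmbd source: the break-notifier race described under
 * Root Cause and the READ_ONCE() + NULL-check fix from Patch Information.
 * Function and field names follow the advisory; the struct layouts, the
 * 64-byte work allocation and the return values are assumptions. */
#include <stdlib.h>

/* Userspace stand-in for the kernel's one-shot read helper. */
#define READ_ONCE(x) (*(const volatile __typeof__(x) *)&(x))

struct ksmbd_conn { int r_count; };                /* refcount stand-in */
struct oplock_info { struct ksmbd_conn *conn; };

/* Vulnerable shape: plain read, then unconditional dereference. If a LOGOFF
 * has already cleared conn, the increment is the write through NULL. */
static int break_noti_vulnerable(struct oplock_info *opinfo)
{
    struct ksmbd_conn *conn = opinfo->conn;
    conn->r_count++;                               /* ksmbd_conn_r_count_inc() */
    return 0;
}

/* Fixed shape: read the pointer once and bail out before allocating, so a
 * disconnected client costs nothing. Returns 1 if notified, 0 if skipped. */
static int break_noti_fixed(struct oplock_info *opinfo)
{
    struct ksmbd_conn *conn = READ_ONCE(opinfo->conn);
    if (!conn)
        return 0;                   /* client gone; break no longer meaningful */
    void *work = malloc(64);        /* work struct, allocated after the check */
    if (!work)
        return -1;
    conn->r_count++;
    free(work);                     /* the real path would queue it instead */
    return 1;
}

/* Replay the window deterministically: opinfo_get_list() has dropped
 * ci->m_lock, and if logoff_wins a concurrent session_fd_check() clears
 * conn before the notifier runs. Returns the notifier's result. */
static int simulate_break(int (*noti)(struct oplock_info *), int logoff_wins)
{
    struct ksmbd_conn conn = { .r_count = 0 };
    struct oplock_info op = { .conn = &conn };
    struct oplock_info *found = &op;               /* picked up under m_lock */
    if (logoff_wins)
        op.conn = NULL;                            /* LOGOFF wins the race */
    return noti(found);
}
```

Running the vulnerable shape with logoff_wins set is the crash the advisory describes, so only the fixed shape is exercised on that path.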

Workarounds

  • Unload the ksmbd module with modprobe -r ksmbd on hosts that do not require SMB file sharing.
  • Block inbound SMB traffic at the host or network firewall to limit reachability of the vulnerable code path.
  • Require authenticated SMB sessions and disable guest access to reduce the attacker population able to reach the race window.

```bash
# Verify ksmbd status and restrict exposure
lsmod | grep ksmbd
sudo systemctl stop ksmbd.service
sudo modprobe -r ksmbd

# Block SMB at the host firewall pending patch deployment
# (this rule is not persistent across a reboot unless saved)
sudo iptables -A INPUT -p tcp --dport 445 -j DROP
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.