CVE-2026-23226: Use-After-Free in Linux Kernel ksmbd Multi-Channel Sessions
Vulnerability ID: CVE-2026-23226
CVSS Score: 8.8
Published: 2026-02-18
CVE-2026-23226 is a high-severity use-after-free vulnerability in the Linux kernel's in-kernel SMB server (ksmbd). The flaw arises from a missing synchronization lock in the multi-channel session management code, specifically within the ksmbd_chann_list xarray. Successful exploitation allows an authenticated network attacker to achieve arbitrary code execution, kernel panics, or information disclosure.
TL;DR
A missing lock in the Linux kernel's ksmbd module allows authenticated attackers to trigger a use-after-free via concurrent SMB multi-channel requests, leading to kernel-level code execution or denial of service.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-416
- Attack Vector: Network (AV:N)
- CVSS v3.1: 8.8
- EPSS Score: 0.00021
- Impact: Remote Code Execution / DoS
- Exploit Status: Proof of Concept
- KEV Status: Not Listed
Affected Systems
- Linux Kernel ksmbd module
- Linux Kernel: >= 6.3, < 6.18.11 (Fixed in: 6.18.11)
- Linux Kernel: >= 6.19, < 6.19.1 (Fixed in: 6.19.1)
Code Analysis
Commit: 36ef605
Introduces rw_semaphore to protect ksmbd_chann_list xarray operations.
Commit: 4c2ca31
Fixes concurrent access issues in ksmbd session multi-channel management.
Commit: 4f3a06c
Additional synchronization adjustments for ksmbd channel lists.
Commit: e4a8a96
Resolves use-after-free race condition in lookup_chann_list and ksmbd_chann_del.
Mitigation Strategies
- Upgrade the Linux kernel to version 6.18.11, 6.19.1, or newer.
- Disable SMB multi-channel support in the ksmbd configuration if patching is not possible.
- Unload the ksmbd kernel module if the system does not require in-kernel SMB server functionality.
- Restrict network access to TCP port 445 to trusted subnets via firewall rules.
Remediation Steps:
- Verify the current kernel version using uname -r.
- If the version falls within 6.3 and 6.18.10, schedule a maintenance window.
- Install the updated kernel packages provided by the Linux distribution maintainers.
- Reboot the system to load the patched kernel.
- Verify the patch was successful by checking the kernel version post-reboot.
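The version check in the steps above can be scripted for fleet triage. The following is an added example, not code from the advisory or the kernel project: it classifies a kernel release string against the ranges listed under Affected Systems and reports whether the ksmbd module is loaded. The helper names (ver_key, in_range, ksmbd_cve_status, ksmbd_loaded) are illustrative.

```shell
#!/bin/sh
# Added example: helper names are illustrative. Ranges are the ones listed
# under "Affected Systems" (>= 6.3, < 6.18.11 and >= 6.19, < 6.19.1).

# ver_key RELEASE -> integer key from major.minor.patch. Anything after the
# numeric prefix (e.g. "-200.fc41.x86_64", "-rc1") is dropped first.
ver_key() {
    printf '%s\n' "${1%%[!0-9.]*}" |
        awk -F. '{ print $1 * 1000000 + $2 * 1000 + $3 }'
}

# in_range KEY LOW HIGH -> true when LOW <= KEY < HIGH.
in_range() {
    [ "$1" -ge "$(ver_key "$2")" ] && [ "$1" -lt "$(ver_key "$3")" ]
}

# ksmbd_cve_status RELEASE -> "affected fixed-in=X" or "not-affected".
# Version alone is a heuristic: distribution kernels may carry the fix as a
# backport under an older version number, so confirm with the vendor advisory.
ksmbd_cve_status() {
    k=$(ver_key "$1")
    if in_range "$k" 6.3 6.18.11; then
        echo "affected fixed-in=6.18.11"
    elif in_range "$k" 6.19 6.19.1; then
        echo "affected fixed-in=6.19.1"
    else
        echo "not-affected"
    fi
}

# ksmbd_loaded [FILE] -> true when ksmbd appears in the module list.
# FILE defaults to /proc/modules; a built-in ksmbd is not listed there.
ksmbd_loaded() {
    f=${1:-/proc/modules}
    [ -r "$f" ] && grep -q '^ksmbd ' "$f"
}

rel=$(uname -r)
printf 'kernel %s: %s\n' "$rel" "$(ksmbd_cve_status "$rel")"
if ksmbd_loaded; then
    echo "ksmbd module: loaded"
else
    echo "ksmbd module: not loaded"
fi
```

Run it once before patching and again after the reboot; a host that reports both an affected version and a loaded ksmbd module is the one to prioritize.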