From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 1B1C03EF0C8 for ; Fri, 8 May 2026 14:23:04 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1778250185; cv=none; b=gkI3qz7nadnI75RoTtUvx9eEjxoPB4CJd9SRo8YS91LVQ5T0Mz7uiHQocCdcL3S3SS4wA38B59IT/52zy8uLt7Q90SoPbw8YuBUB46OfqJKoD+P2g6HWgQmndcBn2s5kI3/PVI3k6z6QjvrnS4z8m92Bq72KFPLZCrmj6Ry0hIo= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1778250185; c=relaxed/simple; bh=+wGzOXXG2oPBNfA44GJoX7zs5Y1xjFZzuCu+L8M+wZU=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=FDJuluZoa5EjzdxK7fEvwAfIOoLdTh17Aw24IICCJi66Ql5btHD6JaZ+sYWR1bFr4oXO7bib2Q1NxNMq3/RNd2V/vruvb7BD/4vvr5tqAu9jD9/VkbFRMgUEWBOVeF//x+DQkZQN0tbMo9XaBBJWBULH9RVqnX0KJMduKjW+wGg= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b=SGpC8ooV; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b="SGpC8ooV" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 5CCACC2BCB0; Fri, 8 May 2026 14:23:04 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1778250184; bh=+wGzOXXG2oPBNfA44GJoX7zs5Y1xjFZzuCu+L8M+wZU=; h=From:To:Cc:Subject:Date:Reply-To:From; b=SGpC8ooVntz5uq5ZTQyIoI5hN+sd2FrcmEGNd8o9da3ll+lIYtBj7bVeHwKmRSFBG sldGfcxKvf89ptkU8M+D7SMYFRGgqdpayzpjYYVdMOyXfGV3n5zSDRLo5k1YGx7ohz +vmwIOr7o+xiu/l5qxiYuX786Bnfh3EmWPStNKEQ= From: Greg Kroah-Hartman To: linux-cve-announce@vger.kernel.org Cc: Greg Kroah-Hartman Subject: CVE-2026-43376: ksmbd: fix use-after-free by using call_rcu() for oplock_info Date: Fri, 8 May 2026 16:21:45 +0200 Message-ID: <2026050831-CVE-2026-43376-e32d@gregkh> X-Mailer: git-send-email 2.54.0 Reply-To: , Precedence: bulk X-Mailing-List: linux-cve-announce@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Developer-Signature: v=1; a=openpgp-sha256; l=3107; i=gregkh@linuxfoundation.org; h=from:subject:message-id; bh=PGdPD7y2abWpkrWj6ude2khpqzTVkgerolF1Fq5Qqak=; b=owGbwMvMwCRo6H6F97bub03G02pJDJl/P2bfnW10uXMm9wufCIWZJ06wLr5zn3v3pt+n4/7qt chW3pLk74hlYRBkYpAVU2T5so3n6P6KQ4pehranYeawMoEMYeDiFICJrPnCsOCgin1P6tO+awca p+9r1E+Wdy8Wesow3+fYZk/1F3fcI3l+bvIRWz7dK/jtewA= X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp; fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29 Content-Transfer-Encoding: 8bit From: Greg Kroah-Hartman Description =========== In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free by using call_rcu() for oplock_info ksmbd currently frees oplock_info immediately using kfree(), even though it is accessed under RCU read-side critical sections in places like opinfo_get() and proc_show_files(). Since there is no RCU grace period delay between nullifying the pointer and freeing the memory, a reader can still access oplock_info structure after it has been freed. This can leads to a use-after-free especially in opinfo_get() where atomic_inc_not_zero() is called on already freed memory. Fix this by switching to deferred freeing using call_rcu(). The Linux kernel CVE team has assigned CVE-2026-43376 to this issue. Affected and fixed versions =========================== Issue introduced in 6.6.88 with commit 296cb5457cc6f4a754c4ae29855f8a253d52bcc6 and fixed in 6.6.130 with commit 302fef75512b2c8329a3f5efab1ae7ba2562387a Issue introduced in 6.12.25 with commit d54ab1520d43e95f9b2e22d7a05fc9614192e5a5 and fixed in 6.12.78 with commit 08aa9f3c8cf4d0bee44df540dfe34e8d64069f2c Issue introduced in 6.15 with commit 18b4fac5ef17f77fed9417d22210ceafd6525fc7 and fixed in 6.18.19 with commit 1d6abf145615dbfe267ce3b0a271f95e3780e18e Issue introduced in 6.15 with commit 18b4fac5ef17f77fed9417d22210ceafd6525fc7 and fixed in 6.19.9 with commit ce8507ee82c888126d8e7565e27c016308d24cde Issue introduced in 6.15 with commit 18b4fac5ef17f77fed9417d22210ceafd6525fc7 and fixed in 7.0 with commit 1dfd062caa165ec9d7ee0823087930f3ab8a6294 Issue introduced in 6.14.4 with commit d73686367ad68534257cd88a36ca3c52cb8b81d8 Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2026-43376 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: fs/smb/server/oplock.c fs/smb/server/oplock.h Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/302fef75512b2c8329a3f5efab1ae7ba2562387a https://git.kernel.org/stable/c/08aa9f3c8cf4d0bee44df540dfe34e8d64069f2c https://git.kernel.org/stable/c/1d6abf145615dbfe267ce3b0a271f95e3780e18e https://git.kernel.org/stable/c/ce8507ee82c888126d8e7565e27c016308d24cde https://git.kernel.org/stable/c/1dfd062caa165ec9d7ee0823087930f3ab8a6294