CVE-2026-23226 How a Missing Lock in ksmbd's Channel List Exposes Your Linux SMB3 Server

CVE-2026-23226: A Critical Vulnerability in ksmbd

The Orca Security Research Pod has uncovered a significant vulnerability in the Linux kernel’s ksmbd SMB3 server, identified as CVE-2026-23226. This issue arises from a use-after-free race condition when two connections share a session over SMB3 multichannel. This flaw allows the kernel to read a freed channel struct, which exposes the per-channel AES-128-CMAC signing key and can lead to a kernel panic.

Key Details:

  • Severity: CVSS score of 7.5 (High)
  • Access requirements: an attacker needs valid SMB credentials and network access to port 445.
  • Classification: CWE-416 (Use After Free) and CWE-362 (Race Condition).

Exploit Complexity

The exploit complexity is rated as High due to the race condition, with approximately 1 successful exploit per 750 attempts. A Proof of Concept (PoC) has been developed and confirmed by the Orca Security Research Pod. The fix has been merged (commit e4a8a96a93d), so it is crucial to update your kernel.

Background on ksmbd

ksmbd, which was integrated into the mainline Linux kernel in version 5.15 (November 2021), implements the SMB2/3 protocol entirely within the kernel for enhanced performance. However, this architectural choice has security implications: a vulnerability in ksmbd represents a kernel vulnerability, potentially leading to full machine takeover.

Historical Context

This bug was introduced in commit 1d9c4172110e (December 2023) when the channel list was converted to an XArray without proper synchronization. Notably, ksmbd has faced several serious bugs since its merge, often due to inadequate locking in complex concurrent state management.

Understanding the Vulnerability

To grasp the severity of CVE-2026-23226, it’s essential to understand that SMB3 Multichannel allows a single authenticated SMB session to utilize multiple TCP connections simultaneously. This spreads I/O across various network interfaces, enhancing throughput. The vulnerability lies in the ksmbd_session object, which tracks all active TCP connections as channels stored in the ksmbd_chann_list XArray.

The core issue is that when the session's lists were converted to XArrays, two of the three received locks while the channel list was left unprotected. Operations such as xa_load() and xa_erase() are not safe to run concurrently from different threads without external locking: a lookup on one connection can return a channel that a teardown on another connection frees before the first path is done reading its signing key.
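
The lookup-versus-teardown race described above, as an added illustration that is not ksmbd's code and does not reproduce the merged fix: a per-session channel table where the lookup takes a reference under the same lock that protects the table, so a concurrent erase can only drop the table's own reference and the channel struct (with its signing key) stays alive until the reader is finished. The fixed-size array standing in for the XArray, the pthread mutex standing in for a kernel lock, the plain integer refcount standing in for a kref, and the names chann_get/chann_put/chann_erase are all assumptions made for this example.

```c
/*
 * Added illustration, not ksmbd's code: a channel table whose lookup and
 * reference acquisition happen under one lock, so teardown on another
 * connection cannot free a channel that a signing path is still using.
 */
#include <pthread.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MAX_CHANNS   8      /* hypothetical stand-in for the XArray index space */
#define SIGN_KEY_LEN 16     /* AES-128-CMAC signing key length */

struct chann {
    int refcount;                       /* stand-in for a kref: table holds one ref, each user one more */
    uint64_t conn_id;                   /* hypothetical connection identifier */
    uint8_t sign_key[SIGN_KEY_LEN];     /* per-channel signing key */
};

struct session {
    pthread_mutex_t lock;               /* protects chann_table (stand-in for a kernel lock) */
    struct chann *chann_table[MAX_CHANNS];
};

static int freed_channs;                /* counts frees so the scenario below can check itself */

/* Drop one reference; the last holder wipes the key before freeing it. */
static void chann_put(struct chann *ch)
{
    if (--ch->refcount == 0) {
        memset(ch->sign_key, 0, sizeof ch->sign_key);
        free(ch);
        freed_channs++;
    }
}

static void session_init(struct session *s)
{
    memset(s, 0, sizeof *s);
    pthread_mutex_init(&s->lock, NULL);
}

/* Insert a channel at index conn_id; the table takes the initial reference. */
static int chann_insert(struct session *s, uint64_t conn_id, const uint8_t *key)
{
    struct chann *ch;
    if (conn_id >= MAX_CHANNS || !(ch = calloc(1, sizeof *ch)))
        return -1;
    ch->refcount = 1;
    ch->conn_id = conn_id;
    memcpy(ch->sign_key, key, SIGN_KEY_LEN);
    pthread_mutex_lock(&s->lock);
    if (s->chann_table[conn_id]) {      /* slot already in use */
        pthread_mutex_unlock(&s->lock);
        free(ch);
        return -1;
    }
    s->chann_table[conn_id] = ch;
    pthread_mutex_unlock(&s->lock);
    return 0;
}

/* Lookup and refcount increment happen under the same lock, so the returned
 * channel stays valid until the caller hands it back with chann_put(). */
static struct chann *chann_get(struct session *s, uint64_t conn_id)
{
    struct chann *ch = NULL;
    if (conn_id >= MAX_CHANNS)
        return NULL;
    pthread_mutex_lock(&s->lock);
    ch = s->chann_table[conn_id];
    if (ch)
        ch->refcount++;
    pthread_mutex_unlock(&s->lock);
    return ch;
}

/* Unlink under the lock, then drop only the table's reference. */
static void chann_erase(struct session *s, uint64_t conn_id)
{
    struct chann *ch;
    if (conn_id >= MAX_CHANNS)
        return;
    pthread_mutex_lock(&s->lock);
    ch = s->chann_table[conn_id];
    s->chann_table[conn_id] = NULL;
    pthread_mutex_unlock(&s->lock);
    if (ch)
        chann_put(ch);
}

/* Replays the interleaving serially: path A looks up a channel to sign a
 * response while path B tears that channel down. Returns 1 if A read its own
 * key intact and the struct was freed exactly once, after A finished. */
static int demo_signing_vs_teardown(void)
{
    static const uint8_t key[SIGN_KEY_LEN] = {   /* constructed sample key */
        0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
        0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff };
    struct session s;
    struct chann *held;
    int ok;

    session_init(&s);
    freed_channs = 0;
    if (chann_insert(&s, 3, key) != 0)
        return 0;
    held = chann_get(&s, 3);            /* path A: lookup + reference */
    if (!held)
        return 0;
    chann_erase(&s, 3);                 /* path B: the connection goes away */
    ok = memcmp(held->sign_key, key, SIGN_KEY_LEN) == 0   /* A's key still intact */
         && chann_get(&s, 3) == NULL    /* B's erase is visible to new lookups */
         && freed_channs == 0;          /* nothing freed while A still holds it */
    chann_put(held);                    /* A done: last reference, key wiped, freed */
    ok = ok && freed_channs == 1;
    pthread_mutex_destroy(&s.lock);
    return ok;
}
```

The scenario is serialised rather than run on two threads so that the result is deterministic; the property it checks is the one the locking is for: a path that looked a channel up can never observe freed memory, and the only thing a concurrent teardown changes is that later lookups return NULL.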

Conclusion

This vulnerability highlights the critical need for robust locking mechanisms in concurrent state management within kernel-level implementations. For further details, please refer to the full article.

This post is licensed under CC BY 4.0 by the author.