Security Vulnerability Report
中文
CVE-2026-43379 CVSS 9.8 CRITICAL

CVE-2026-43379

Published: 2026-05-08 15:16:49
Last Modified: 2026-05-11 08:16:12
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free in smb_lazy_parent_lease_break_close() opinfo pointer obtained via rcu_dereference(fp->f_opinfo) is being accessed after rcu_read_unlock() has been called. This creates a race condition where the memory could be freed by a concurrent writer between the unlock and the subsequent pointer dereferences (opinfo->is_lease, etc.), leading to a use-after-free.

CVSS Details

CVSS Score
9.8
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Linux Kernel (ksmbd module enabled, versions prior to fix commits)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
/* * PoC Concept for CVE-2026-43379 * This C code demonstrates the vulnerable logic in ksmbd. * The actual exploitation requires sending specific SMB packets * to trigger the race condition in the kernel. */ #include <linux/rcupdate.h> struct opinfo { int is_lease; // ... other fields }; struct file { struct opinfo *f_opinfo; }; // Simulated vulnerable function logic void smb_lazy_parent_lease_break_close_vulnerable(struct file *fp) { struct opinfo *opinfo; // 1. Read pointer under RCU protection rcu_read_lock(); opinfo = rcu_dereference(fp->f_opinfo); if (!opinfo) { rcu_read_unlock(); return; } // 2. Release RCU lock // VULNERABILITY: Lock is released too early rcu_read_unlock(); // 3. Access pointer after unlock // Race Condition: 'opinfo' might be freed by another thread here. // Accessing opinfo->is_lease leads to Use-After-Free. if (opinfo->is_lease) { // Dangerous access printk(KERN_INFO "Processing lease\n"); } }

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-43379", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-05-08T15:16:49.100", "lastModified": "2026-05-11T08:16:12.330", "vulnStatus": "Received", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix use-after-free in smb_lazy_parent_lease_break_close()\n\nopinfo pointer obtained via rcu_dereference(fp->f_opinfo) is being\naccessed after rcu_read_unlock() has been called. This creates a\nrace condition where the memory could be freed by a concurrent\nwriter between the unlock and the subsequent pointer dereferences\n(opinfo->is_lease, etc.), leading to a use-after-free."}], "metrics": {"cvssMetricV31": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "references": [{"url": "https://git.kernel.org/stable/c/960699317d39f46611f4ebeb69edc567c1f4e6b6", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/b3568347c51c46e2cabc356bc34676df98296619", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/bf4d66d72e4a9e268c1012c331ce9eaedb5e2086", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/dbbd328cf58261ca239756fe1c0d10c9518d3399", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/eac3361e3d5dd8067b3258c69615888eb45e9f25", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.