ksmbd: fix FSCTL permission bypass by adding a permission check for FSCTL_SET_SPARSE

MITRE NVD CVE.ORG JSON API Print: PDF PDF

Summary

CVECVE-2026-52944
StatePUBLISHED
AssignerLinux
Source PriorityCVE Program / NVD first with legacy fallback
Published2026-06-24 10:17:19 UTC
Updated2026-06-24 10:17:19 UTC
DescriptionIn the Linux kernel, the following vulnerability has been resolved: ksmbd: fix FSCTL permission bypass by adding a permission check for FSCTL_SET_SPARSE FSCTL_SET_SPARSE in fsctl_set_sparse() modifies the file's sparse attribute and saves it through xattr without any permission checks. This exposes two issues: 1) A client on a read-only share can change the sparse attribute on files it opened, even though the share is read-only. Other FSCTL write operations already check test_tree_conn_flag(work->tcon, KSMBD_TREE_CONN_FLAG_WRITABLE), but FSCTL_SET_SPARSE does not. 2) Even on writable shares, clients without FILE_WRITE_DATA or FILE_WRITE_ATTRIBUTES access should not modify the sparse attribute. Similar handle-level checks exist in other functions but are missing here. Add both share-level writable check and per-handle access check. Use goto out on error to avoid leaking file references.

Vendor Declared Affected Products

SourceVendorProductVersionPlatforms
CNA Linux Linux affected e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9 3127a884525dc8ca4def73254bfcd3ccef0bf812 git Not specified
CNA Linux Linux affected e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9 de9eb0b44fa9123170e6245b49638e0e453c10f8 git Not specified
CNA Linux Linux affected e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9 aef151bcfa494bfe983669de2726734b534adb73 git Not specified
CNA Linux Linux affected e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9 cc57232cae23c0df91b4a59d0f519141ce9b5b02 git Not specified
CNA Linux Linux affected 5.15 Not specified
CNA Linux Linux unaffected 5.15 semver Not specified
CNA Linux Linux unaffected 6.6.143 6.6.* semver Not specified
CNA Linux Linux unaffected 6.18.35 6.18.* semver Not specified
CNA Linux Linux unaffected 7.0.12 7.0.* semver Not specified
CNA Linux Linux unaffected 7.1 * original_commit_for_fix Not specified

References

ReferenceSourceLinkTags
git.kernel.org/stable/c/de9eb0b44fa9123170e6245b49638e0e453c10f8 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/cc57232cae23c0df91b4a59d0f519141ce9b5b02 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/aef151bcfa494bfe983669de2726734b534adb73 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/3127a884525dc8ca4def73254bfcd3ccef0bf812 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
CVE Program record CVE.ORG www.cve.org canonical
NVD vulnerability detail NVD nvd.nist.gov canonical, analysis
© CVE.report 2026 |

Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.

CVE, CWE, and OVAL are registred trademarks of The MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.

Free CVE JSON API cve.report/api

CVE.report and Source URL Uptime Status status.cve.report