ksmbd: fix durable fd leak on ClientGUID mismatch in durable v2 open

MITRE NVD CVE.ORG JSON API Print: PDF PDF

Summary

CVECVE-2026-52996
StatePUBLISHED
AssignerLinux
Source PriorityCVE Program / NVD first with legacy fallback
Published2026-06-24 17:17:10 UTC
Updated2026-06-24 17:17:10 UTC
DescriptionIn the Linux kernel, the following vulnerability has been resolved: ksmbd: fix durable fd leak on ClientGUID mismatch in durable v2 open ksmbd_lookup_fd_cguid() returns a ksmbd_file with its refcount incremented via ksmbd_fp_get(). parse_durable_handle_context() in the DURABLE_REQ_V2 case properly releases this reference on every path inside the ClientGUID-match branch, either by calling ksmbd_put_durable_fd() or by transferring ownership to dh_info->fp for a successful reconnect. However, when an entry exists in the global file table with the same CreateGuid but a different ClientGUID, the code simply falls through to the new-open path without dropping the reference obtained from ksmbd_lookup_fd_cguid(). Per MS-SMB2 section 3.3.5.9.10 ("Handling the SMB2_CREATE_DURABLE_HANDLE_REQUEST_V2 Create Context"), the server MUST locate an Open whose Open.CreateGuid matches the request's CreateGuid AND whose Open.ClientGuid matches the ClientGuid of the connection that received the request. If no such Open is found, the server MUST continue with the normal open execution phase. A CreateGuid hit with a ClientGUID mismatch is therefore the "Open not found" case: proceeding with a new open is correct, but the reference obtained purely as a side effect of the lookup must not be leaked. Repeated requests that hit this mismatch pin global_ft entries, prevent __ksmbd_close_fd() from ever running for the corresponding files, and defeat the durable scavenger, leading to long-lived resource leaks. Release the reference in the mismatch path and clear dh_info->fp so subsequent logic does not mistake a non-matching lookup result for a reconnect target.

Vendor Declared Affected Products

SourceVendorProductVersionPlatforms
CNA Linux Linux affected 8df4bcdb0a4232192b2445256c39b787d58ef14d 407b6e699ba8b45b72cc265eed8a1bc8a7191609 git Not specified
CNA Linux Linux affected c8efcc786146a951091588e5fa7e3c754850cb3c f31beef633fbf2b5af7805fa187a10bcff1d4b49 git Not specified
CNA Linux Linux affected c8efcc786146a951091588e5fa7e3c754850cb3c 06f709d0e531f3e54d88665dd426be3998a774e6 git Not specified
CNA Linux Linux affected c8efcc786146a951091588e5fa7e3c754850cb3c 8c4a0ef19c8264c150833131af34541495832cd0 git Not specified
CNA Linux Linux affected c8efcc786146a951091588e5fa7e3c754850cb3c 804054d19886ac6628883d82410f6ee42a818664 git Not specified
CNA Linux Linux affected 6.6.32 6.6.141 semver Not specified
CNA Linux Linux affected 6.9 Not specified
CNA Linux Linux unaffected 6.9 semver Not specified
CNA Linux Linux unaffected 6.6.141 6.6.* semver Not specified
CNA Linux Linux unaffected 6.12.91 6.12.* semver Not specified
CNA Linux Linux unaffected 6.18.33 6.18.* semver Not specified
CNA Linux Linux unaffected 7.0.10 7.0.* semver Not specified
CNA Linux Linux unaffected 7.1 * original_commit_for_fix Not specified

References

ReferenceSourceLinkTags
git.kernel.org/stable/c/06f709d0e531f3e54d88665dd426be3998a774e6 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/f31beef633fbf2b5af7805fa187a10bcff1d4b49 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/407b6e699ba8b45b72cc265eed8a1bc8a7191609 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/8c4a0ef19c8264c150833131af34541495832cd0 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/804054d19886ac6628883d82410f6ee42a818664 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
CVE Program record CVE.ORG www.cve.org canonical
NVD vulnerability detail NVD nvd.nist.gov canonical, analysis
© CVE.report 2026 |

Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.

CVE, CWE, and OVAL are registred trademarks of The MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.

Free CVE JSON API cve.report/api

CVE.report and Source URL Uptime Status status.cve.report