ksmbd: fix use-after-free from async crypto on Qualcomm crypto engine
Summary
| CVE | CVE-2026-53046 |
|---|---|
| State | PUBLISHED |
| Assigner | Linux |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-06-24 17:17:16 UTC |
| Updated | 2026-07-14 15:26:52 UTC |
| Description | In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free from async crypto on Qualcomm crypto engine ksmbd_crypt_message() sets a NULL completion callback on AEAD requests and does not handle the -EINPROGRESS return code from async hardware crypto engines like the Qualcomm Crypto Engine (QCE). When QCE returns -EINPROGRESS, ksmbd treats it as an error and immediately frees the request while the hardware DMA operation is still in flight. The DMA completion callback then dereferences freed memory, causing a NULL pointer crash: pc : qce_skcipher_done+0x24/0x174 lr : vchan_complete+0x230/0x27c ... el1h_64_irq+0x68/0x6c ksmbd_free_work_struct+0x20/0x118 [ksmbd] ksmbd_exit_file_cache+0x694/0xa4c [ksmbd] Use the standard crypto_wait_req() pattern with crypto_req_done() as the completion callback, matching the approach used by the SMB client in fs/smb/client/smb2ops.c. This properly handles both synchronous engines (immediate return) and async engines (-EINPROGRESS followed by callback notification). |
Risk And Classification
Primary CVSS: v3.1 9.8 CRITICAL from 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.005310000 probability, percentile 0.411320000 (date 2026-07-14)
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | Secondary | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| 3.1 | CNA | DECLARED | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
CVSS v3.1 Breakdown
Attack Vector
NetworkAttack Complexity
LowPrivileges Required
NoneUser Interaction
NoneScope
UnchangedConfidentiality
HighIntegrity
HighAvailability
HighCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Linux | Linux | affected e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9 57b47231055b431ed0a1a55f33cac32981564405 git | Not specified |
| CNA | Linux | Linux | affected e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9 cc2da381875d4a67026e4c8feb3dba51a2a2d1bc git | Not specified |
| CNA | Linux | Linux | affected e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9 8fcefe840fa8c14ce667768e5b043286ac3bbcbe git | Not specified |
| CNA | Linux | Linux | affected e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9 8ef183216feaa24b66b940510d8b68f680eb56e9 git | Not specified |
| CNA | Linux | Linux | affected e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9 7164b3953cefd540e7ebca828c793bc6869cfbc4 git | Not specified |
| CNA | Linux | Linux | affected e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9 b46aa129fa2807bfe1545fe74d9295d53c51520b git | Not specified |
| CNA | Linux | Linux | affected e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9 3e298897f41c61450c2e7a4f457e8b2485eb35b3 git | Not specified |
| CNA | Linux | Linux | affected 5.15 | Not specified |
| CNA | Linux | Linux | unaffected 5.15 semver | Not specified |
| CNA | Linux | Linux | unaffected 5.15.209 5.15.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.1.175 6.1.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.6.141 6.6.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.12.91 6.12.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.18.33 6.18.* semver | Not specified |
| CNA | Linux | Linux | unaffected 7.0.10 7.0.* semver | Not specified |
| CNA | Linux | Linux | unaffected 7.1 * original_commit_for_fix | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| git.kernel.org/stable/c/57b47231055b431ed0a1a55f33cac32981564405 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/8fcefe840fa8c14ce667768e5b043286ac3bbcbe | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/8ef183216feaa24b66b940510d8b68f680eb56e9 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/cc2da381875d4a67026e4c8feb3dba51a2a2d1bc | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/7164b3953cefd540e7ebca828c793bc6869cfbc4 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/3e298897f41c61450c2e7a4f457e8b2485eb35b3 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/b46aa129fa2807bfe1545fe74d9295d53c51520b | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.