{"api_version":"1","generated_at":"2026-04-23T08:15:02+00:00","cve":"CVE-2026-23220","urls":{"html":"https://cve.report/CVE-2026-23220","api":"https://cve.report/api/cve/CVE-2026-23220.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-23220","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-23220"},"summary":{"title":"ksmbd: fix infinite loop caused by next_smb2_rcv_hdr_off reset in error paths","description":"In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix infinite loop caused by next_smb2_rcv_hdr_off reset in error paths\n\nThe problem occurs when a signed request fails smb2 signature verification\ncheck. In __process_request(), if check_sign_req() returns an error,\nset_smb2_rsp_status(work, STATUS_ACCESS_DENIED) is called.\nset_smb2_rsp_status() set work->next_smb2_rcv_hdr_off as zero. By resetting\nnext_smb2_rcv_hdr_off to zero, the pointer to the next command in the chain\nis lost. Consequently, is_chained_smb2_message() continues to point to\nthe same request header instead of advancing. If the header's NextCommand\nfield is non-zero, the function returns true, causing __handle_ksmbd_work()\nto repeatedly process the same failed request in an infinite loop.\nThis results in the kernel log being flooded with \"bad smb2 signature\"\nmessages and high CPU usage.\n\nThis patch fixes the issue by changing the return value from\nSERVER_HANDLER_CONTINUE to SERVER_HANDLER_ABORT. This ensures that\nthe processing loop terminates immediately rather than attempting to\ncontinue from an invalidated offset.","state":"PUBLISHED","assigner":"Linux","published_at":"2026-02-18 16:22:31","updated_at":"2026-04-18 09:16:14"},"problem_types":["CWE-835"],"metrics":[{"version":"3.1","source":"nvd@nist.gov","type":"Primary","score":"5.5","severity":"MEDIUM","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"}}],"references":[{"url":"https://git.kernel.org/stable/c/5accdc5b7f28a81bbc5880ac0b8886e60c86e8c8","name":"https://git.kernel.org/stable/c/5accdc5b7f28a81bbc5880ac0b8886e60c86e8c8","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/544adb0a6658ea1bff4064723761dbf05f95b1e2","name":"https://git.kernel.org/stable/c/544adb0a6658ea1bff4064723761dbf05f95b1e2","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/fb3b66bd72deb5543addaefa67963b34fb163a7b","name":"https://git.kernel.org/stable/c/fb3b66bd72deb5543addaefa67963b34fb163a7b","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/010eb01ce23b34b50531448b0da391c7f05a72af","name":"https://git.kernel.org/stable/c/010eb01ce23b34b50531448b0da391c7f05a72af","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/f7b1c2f5642bbd60b1beef1f3298cbac81eb232c","name":"https://git.kernel.org/stable/c/f7b1c2f5642bbd60b1beef1f3298cbac81eb232c","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/9135e791ec2709bcf0cda0335535c74762489498","name":"https://git.kernel.org/stable/c/9135e791ec2709bcf0cda0335535c74762489498","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/71b5e7c528315ca360a1825a4ad2f8ae48c5dc16","name":"https://git.kernel.org/stable/c/71b5e7c528315ca360a1825a4ad2f8ae48c5dc16","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-23220","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-23220","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 4b9b7ea1ffb1e34f01fa5726d0c184931b9ba565 544adb0a6658ea1bff4064723761dbf05f95b1e2 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 943cebf9ea3415ddefcd670d24d8883e97ba3d60 fb3b66bd72deb5543addaefa67963b34fb163a7b git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected be0f89d4419dc5413a1cf06db3671c9949be0d52 5accdc5b7f28a81bbc5880ac0b8886e60c86e8c8 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected be0f89d4419dc5413a1cf06db3671c9949be0d52 f7b1c2f5642bbd60b1beef1f3298cbac81eb232c git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected be0f89d4419dc5413a1cf06db3671c9949be0d52 71b5e7c528315ca360a1825a4ad2f8ae48c5dc16 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected be0f89d4419dc5413a1cf06db3671c9949be0d52 9135e791ec2709bcf0cda0335535c74762489498 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected be0f89d4419dc5413a1cf06db3671c9949be0d52 010eb01ce23b34b50531448b0da391c7f05a72af git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 6.6","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.6 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.15.203 5.15.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.1.164 6.1.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.6.125 6.6.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.12.72 6.12.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.18.11 6.18.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.19.1 6.19.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.0 * original_commit_for_fix","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2026","cve_id":"23220","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"linux","cpe5":"linux_kernel","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["fs/smb/server/server.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"544adb0a6658ea1bff4064723761dbf05f95b1e2","status":"affected","version":"4b9b7ea1ffb1e34f01fa5726d0c184931b9ba565","versionType":"git"},{"lessThan":"fb3b66bd72deb5543addaefa67963b34fb163a7b","status":"affected","version":"943cebf9ea3415ddefcd670d24d8883e97ba3d60","versionType":"git"},{"lessThan":"5accdc5b7f28a81bbc5880ac0b8886e60c86e8c8","status":"affected","version":"be0f89d4419dc5413a1cf06db3671c9949be0d52","versionType":"git"},{"lessThan":"f7b1c2f5642bbd60b1beef1f3298cbac81eb232c","status":"affected","version":"be0f89d4419dc5413a1cf06db3671c9949be0d52","versionType":"git"},{"lessThan":"71b5e7c528315ca360a1825a4ad2f8ae48c5dc16","status":"affected","version":"be0f89d4419dc5413a1cf06db3671c9949be0d52","versionType":"git"},{"lessThan":"9135e791ec2709bcf0cda0335535c74762489498","status":"affected","version":"be0f89d4419dc5413a1cf06db3671c9949be0d52","versionType":"git"},{"lessThan":"010eb01ce23b34b50531448b0da391c7f05a72af","status":"affected","version":"be0f89d4419dc5413a1cf06db3671c9949be0d52","versionType":"git"}]},{"defaultStatus":"affected","product":"Linux","programFiles":["fs/smb/server/server.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"status":"affected","version":"6.6"},{"lessThan":"6.6","status":"unaffected","version":"0","versionType":"semver"},{"lessThanOrEqual":"5.15.*","status":"unaffected","version":"5.15.203","versionType":"semver"},{"lessThanOrEqual":"6.1.*","status":"unaffected","version":"6.1.164","versionType":"semver"},{"lessThanOrEqual":"6.6.*","status":"unaffected","version":"6.6.125","versionType":"semver"},{"lessThanOrEqual":"6.12.*","status":"unaffected","version":"6.12.72","versionType":"semver"},{"lessThanOrEqual":"6.18.*","status":"unaffected","version":"6.18.11","versionType":"semver"},{"lessThanOrEqual":"6.19.*","status":"unaffected","version":"6.19.1","versionType":"semver"},{"lessThanOrEqual":"*","status":"unaffected","version":"7.0","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"5.15.203","versionStartIncluding":"5.15.145","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.1.164","versionStartIncluding":"6.1.71","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.6.125","versionStartIncluding":"6.6","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.12.72","versionStartIncluding":"6.6","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.18.11","versionStartIncluding":"6.6","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.19.1","versionStartIncluding":"6.6","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.0","versionStartIncluding":"6.6","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix infinite loop caused by next_smb2_rcv_hdr_off reset in error paths\n\nThe problem occurs when a signed request fails smb2 signature verification\ncheck. In __process_request(), if check_sign_req() returns an error,\nset_smb2_rsp_status(work, STATUS_ACCESS_DENIED) is called.\nset_smb2_rsp_status() set work->next_smb2_rcv_hdr_off as zero. By resetting\nnext_smb2_rcv_hdr_off to zero, the pointer to the next command in the chain\nis lost. Consequently, is_chained_smb2_message() continues to point to\nthe same request header instead of advancing. If the header's NextCommand\nfield is non-zero, the function returns true, causing __handle_ksmbd_work()\nto repeatedly process the same failed request in an infinite loop.\nThis results in the kernel log being flooded with \"bad smb2 signature\"\nmessages and high CPU usage.\n\nThis patch fixes the issue by changing the return value from\nSERVER_HANDLER_CONTINUE to SERVER_HANDLER_ABORT. This ensures that\nthe processing loop terminates immediately rather than attempting to\ncontinue from an invalidated offset."}],"providerMetadata":{"dateUpdated":"2026-04-18T08:57:22.654Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/544adb0a6658ea1bff4064723761dbf05f95b1e2"},{"url":"https://git.kernel.org/stable/c/fb3b66bd72deb5543addaefa67963b34fb163a7b"},{"url":"https://git.kernel.org/stable/c/5accdc5b7f28a81bbc5880ac0b8886e60c86e8c8"},{"url":"https://git.kernel.org/stable/c/f7b1c2f5642bbd60b1beef1f3298cbac81eb232c"},{"url":"https://git.kernel.org/stable/c/71b5e7c528315ca360a1825a4ad2f8ae48c5dc16"},{"url":"https://git.kernel.org/stable/c/9135e791ec2709bcf0cda0335535c74762489498"},{"url":"https://git.kernel.org/stable/c/010eb01ce23b34b50531448b0da391c7f05a72af"}],"title":"ksmbd: fix infinite loop caused by next_smb2_rcv_hdr_off reset in error paths","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2026-23220","datePublished":"2026-02-18T14:53:23.376Z","dateReserved":"2026-01-13T15:37:45.987Z","dateUpdated":"2026-04-18T08:57:22.654Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-02-18 16:22:31","lastModifiedDate":"2026-04-18 09:16:14","problem_types":["CWE-835"],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15.145","versionEndExcluding":"5.16","matchCriteriaId":"B98C9201-BF17-4E2C-84FF-75EE2AA94DC5"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.1.71","versionEndExcluding":"6.1.164","matchCriteriaId":"9E8C951B-058A-4478-BC29-9C2E367B173A"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.6.1","versionEndExcluding":"6.6.125","matchCriteriaId":"E6254163-CB39-4ABB-9C34-50469B689183"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.72","matchCriteriaId":"F1A7E514-FB3C-4B6B-8046-07D5A8F04644"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.11","matchCriteriaId":"7099A9EC-3D54-4424-BF01-7224EF88C79C"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"6.19.1","matchCriteriaId":"EE543C0D-A06B-414F-A403-CB1E088F261E"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.6:-:*:*:*:*:*:*","matchCriteriaId":"E346B162-D566-4E62-ABDE-ECBFB21B8BFD"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.6:rc6:*:*:*:*:*:*","matchCriteriaId":"E114E9DD-F7E1-40CC-AAD5-F14E586CB2E6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.6:rc7:*:*:*:*:*:*","matchCriteriaId":"DC5BD782-474C-4A68-AED7-6EC818FF89AE"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"23220","Ordinal":"1","Title":"ksmbd: fix infinite loop caused by next_smb2_rcv_hdr_off reset i","CVE":"CVE-2026-23220","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"23220","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix infinite loop caused by next_smb2_rcv_hdr_off reset in error paths\n\nThe problem occurs when a signed request fails smb2 signature verification\ncheck. In __process_request(), if check_sign_req() returns an error,\nset_smb2_rsp_status(work, STATUS_ACCESS_DENIED) is called.\nset_smb2_rsp_status() set work->next_smb2_rcv_hdr_off as zero. By resetting\nnext_smb2_rcv_hdr_off to zero, the pointer to the next command in the chain\nis lost. Consequently, is_chained_smb2_message() continues to point to\nthe same request header instead of advancing. If the header's NextCommand\nfield is non-zero, the function returns true, causing __handle_ksmbd_work()\nto repeatedly process the same failed request in an infinite loop.\nThis results in the kernel log being flooded with \"bad smb2 signature\"\nmessages and high CPU usage.\n\nThis patch fixes the issue by changing the return value from\nSERVER_HANDLER_CONTINUE to SERVER_HANDLER_ABORT. This ensures that\nthe processing loop terminates immediately rather than attempting to\ncontinue from an invalidated offset.","Type":"Description","Title":"ksmbd: fix infinite loop caused by next_smb2_rcv_hdr_off reset i"}]}}}