{"api_version":"1","generated_at":"2026-06-21T10:47:17+00:00","cve":"CVE-2026-52911","urls":{"html":"https://cve.report/CVE-2026-52911","api":"https://cve.report/api/cve/CVE-2026-52911.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-52911","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-52911"},"summary":{"title":"ksmbd: scope conn->binding slowpath to bound sessions only","description":"In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: scope conn->binding slowpath to bound sessions only\n\nWhen the binding SESSION_SETUP sets conn->binding = true, the flag stays\nset after the call so that the global session lookup in\nksmbd_session_lookup_all() can find the session, which was not added to\nconn->sessions. Because the flag is connection-wide, the global lookup\npath will also resolve any other session by id if asked.\n\nTighten the global lookup so that the returned session must have this\nconnection registered in its channel xarray (sess->ksmbd_chann_list).\nThe channel entry is installed by the existing binding_session path in\nntlm_authenticate()/krb5_authenticate() when a SESSION_SETUP completes\nsuccessfully, so this condition is a strict equivalent of \"this\nconnection has been accepted as a channel of this session\". Connections\nthat have not bound to a given session cannot reach it via the global\ntable.\n\nThe existing conn->binding gate for entering the slowpath is preserved\nso that non-binding connections keep the fast-path-only behavior, and\nthe session->state check is unchanged.","state":"PUBLISHED","assigner":"Linux","published_at":"2026-06-21 08:16:23","updated_at":"2026-06-21 08:16:23"},"problem_types":[],"metrics":[],"references":[{"url":"https://git.kernel.org/stable/c/e3a93ce6e25757b8f375e38b8f91e1d9da4edc1a","name":"https://git.kernel.org/stable/c/e3a93ce6e25757b8f375e38b8f91e1d9da4edc1a","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/974c1c224e85549dc3459f3bb2255bbbdd2b9372","name":"https://git.kernel.org/stable/c/974c1c224e85549dc3459f3bb2255bbbdd2b9372","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/2cc8a4db633b10715450b291c1343859a4b2c509","name":"https://git.kernel.org/stable/c/2cc8a4db633b10715450b291c1343859a4b2c509","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/b0da97c034b6107d14e537e212d4ce8b22109a58","name":"https://git.kernel.org/stable/c/b0da97c034b6107d14e537e212d4ce8b22109a58","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/1e2bec062c5c9ec282636715166056d0998d746d","name":"https://git.kernel.org/stable/c/1e2bec062c5c9ec282636715166056d0998d746d","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/1ff46c9915c1cbf454db58a8cb87f7cac818e6a6","name":"https://git.kernel.org/stable/c/1ff46c9915c1cbf454db58a8cb87f7cac818e6a6","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/e74c00c6af428a39e564cdc5bd3a3648c6d8de87","name":"https://git.kernel.org/stable/c/e74c00c6af428a39e564cdc5bd3a3648c6d8de87","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-52911","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-52911","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected f5a544e3bab78142207e0242d22442db85ba1eff e74c00c6af428a39e564cdc5bd3a3648c6d8de87 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected f5a544e3bab78142207e0242d22442db85ba1eff e3a93ce6e25757b8f375e38b8f91e1d9da4edc1a git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected f5a544e3bab78142207e0242d22442db85ba1eff 1ff46c9915c1cbf454db58a8cb87f7cac818e6a6 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected f5a544e3bab78142207e0242d22442db85ba1eff 974c1c224e85549dc3459f3bb2255bbbdd2b9372 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected f5a544e3bab78142207e0242d22442db85ba1eff 2cc8a4db633b10715450b291c1343859a4b2c509 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected f5a544e3bab78142207e0242d22442db85ba1eff 1e2bec062c5c9ec282636715166056d0998d746d git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected f5a544e3bab78142207e0242d22442db85ba1eff b0da97c034b6107d14e537e212d4ce8b22109a58 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 5.15","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.15 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.15.209 5.15.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.1.175 6.1.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.6.141 6.6.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.12.91 6.12.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.18.33 6.18.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.0.10 7.0.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.1 * original_commit_for_fix","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["fs/smb/server/mgmt/user_session.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"e74c00c6af428a39e564cdc5bd3a3648c6d8de87","status":"affected","version":"f5a544e3bab78142207e0242d22442db85ba1eff","versionType":"git"},{"lessThan":"e3a93ce6e25757b8f375e38b8f91e1d9da4edc1a","status":"affected","version":"f5a544e3bab78142207e0242d22442db85ba1eff","versionType":"git"},{"lessThan":"1ff46c9915c1cbf454db58a8cb87f7cac818e6a6","status":"affected","version":"f5a544e3bab78142207e0242d22442db85ba1eff","versionType":"git"},{"lessThan":"974c1c224e85549dc3459f3bb2255bbbdd2b9372","status":"affected","version":"f5a544e3bab78142207e0242d22442db85ba1eff","versionType":"git"},{"lessThan":"2cc8a4db633b10715450b291c1343859a4b2c509","status":"affected","version":"f5a544e3bab78142207e0242d22442db85ba1eff","versionType":"git"},{"lessThan":"1e2bec062c5c9ec282636715166056d0998d746d","status":"affected","version":"f5a544e3bab78142207e0242d22442db85ba1eff","versionType":"git"},{"lessThan":"b0da97c034b6107d14e537e212d4ce8b22109a58","status":"affected","version":"f5a544e3bab78142207e0242d22442db85ba1eff","versionType":"git"}]},{"defaultStatus":"affected","product":"Linux","programFiles":["fs/smb/server/mgmt/user_session.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"status":"affected","version":"5.15"},{"lessThan":"5.15","status":"unaffected","version":"0","versionType":"semver"},{"lessThanOrEqual":"5.15.*","status":"unaffected","version":"5.15.209","versionType":"semver"},{"lessThanOrEqual":"6.1.*","status":"unaffected","version":"6.1.175","versionType":"semver"},{"lessThanOrEqual":"6.6.*","status":"unaffected","version":"6.6.141","versionType":"semver"},{"lessThanOrEqual":"6.12.*","status":"unaffected","version":"6.12.91","versionType":"semver"},{"lessThanOrEqual":"6.18.*","status":"unaffected","version":"6.18.33","versionType":"semver"},{"lessThanOrEqual":"7.0.*","status":"unaffected","version":"7.0.10","versionType":"semver"},{"lessThanOrEqual":"*","status":"unaffected","version":"7.1","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"5.15.209","versionStartIncluding":"5.15","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.1.175","versionStartIncluding":"5.15","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.6.141","versionStartIncluding":"5.15","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.12.91","versionStartIncluding":"5.15","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.18.33","versionStartIncluding":"5.15","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.0.10","versionStartIncluding":"5.15","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.1","versionStartIncluding":"5.15","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: scope conn->binding slowpath to bound sessions only\n\nWhen the binding SESSION_SETUP sets conn->binding = true, the flag stays\nset after the call so that the global session lookup in\nksmbd_session_lookup_all() can find the session, which was not added to\nconn->sessions. Because the flag is connection-wide, the global lookup\npath will also resolve any other session by id if asked.\n\nTighten the global lookup so that the returned session must have this\nconnection registered in its channel xarray (sess->ksmbd_chann_list).\nThe channel entry is installed by the existing binding_session path in\nntlm_authenticate()/krb5_authenticate() when a SESSION_SETUP completes\nsuccessfully, so this condition is a strict equivalent of \"this\nconnection has been accepted as a channel of this session\". Connections\nthat have not bound to a given session cannot reach it via the global\ntable.\n\nThe existing conn->binding gate for entering the slowpath is preserved\nso that non-binding connections keep the fast-path-only behavior, and\nthe session->state check is unchanged."}],"providerMetadata":{"dateUpdated":"2026-06-21T06:18:49.342Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/e74c00c6af428a39e564cdc5bd3a3648c6d8de87"},{"url":"https://git.kernel.org/stable/c/e3a93ce6e25757b8f375e38b8f91e1d9da4edc1a"},{"url":"https://git.kernel.org/stable/c/1ff46c9915c1cbf454db58a8cb87f7cac818e6a6"},{"url":"https://git.kernel.org/stable/c/974c1c224e85549dc3459f3bb2255bbbdd2b9372"},{"url":"https://git.kernel.org/stable/c/2cc8a4db633b10715450b291c1343859a4b2c509"},{"url":"https://git.kernel.org/stable/c/1e2bec062c5c9ec282636715166056d0998d746d"},{"url":"https://git.kernel.org/stable/c/b0da97c034b6107d14e537e212d4ce8b22109a58"}],"title":"ksmbd: scope conn->binding slowpath to bound sessions only","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2026-52911","datePublished":"2026-06-21T06:18:49.342Z","dateReserved":"2026-06-09T07:44:35.366Z","dateUpdated":"2026-06-21T06:18:49.342Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-06-21 08:16:23","lastModifiedDate":"2026-06-21 08:16:23","problem_types":[],"metrics":[],"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"52911","Ordinal":"1","Title":"ksmbd: scope conn->binding slowpath to bound sessions only","CVE":"CVE-2026-52911","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"52911","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: scope conn->binding slowpath to bound sessions only\n\nWhen the binding SESSION_SETUP sets conn->binding = true, the flag stays\nset after the call so that the global session lookup in\nksmbd_session_lookup_all() can find the session, which was not added to\nconn->sessions. Because the flag is connection-wide, the global lookup\npath will also resolve any other session by id if asked.\n\nTighten the global lookup so that the returned session must have this\nconnection registered in its channel xarray (sess->ksmbd_chann_list).\nThe channel entry is installed by the existing binding_session path in\nntlm_authenticate()/krb5_authenticate() when a SESSION_SETUP completes\nsuccessfully, so this condition is a strict equivalent of \"this\nconnection has been accepted as a channel of this session\". Connections\nthat have not bound to a given session cannot reach it via the global\ntable.\n\nThe existing conn->binding gate for entering the slowpath is preserved\nso that non-binding connections keep the fast-path-only behavior, and\nthe session->state check is unchanged.","Type":"Description","Title":"ksmbd: scope conn->binding slowpath to bound sessions only"}]}}}