{"api_version":"1","generated_at":"2026-06-25T13:14:09+00:00","cve":"CVE-2026-53198","urls":{"html":"https://cve.report/CVE-2026-53198","api":"https://cve.report/api/cve/CVE-2026-53198.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-53198","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-53198"},"summary":{"title":"ksmbd: fix use-after-free of a deferred file_lock on double SMB2_CANCEL","description":"In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix use-after-free of a deferred file_lock on double SMB2_CANCEL\n\nA deferred byte-range lock (an SMB2_LOCK that blocks) registers an async work on\nconn->async_requests via setup_async_work(), with cancel_fn =\nsmb2_remove_blocked_lock and cancel_argv[0] pointing at the struct file_lock.\n\nWhen the request is cancelled, the worker frees the file_lock with\nlocks_free_lock() and takes the cancelled early-exit, which \"goto out\"s and never\nreaches release_async_work() -- the only site that unlinks the work from\nconn->async_requests and clears cancel_fn/cancel_argv. The work therefore stays\nmatchable on async_requests with a live cancel_fn pointing at the freed file_lock,\nuntil connection teardown finally runs release_async_work().\n\nsmb2_cancel() fires cancel_fn unconditionally with no state guard, so a second\nSMB2_CANCEL for the same AsyncId, arriving in that window, re-runs\nsmb2_remove_blocked_lock() on the freed file_lock -- a slab use-after-free:\n\n  BUG: KASAN: slab-use-after-free in __locks_delete_block\n    __locks_delete_block\n    locks_delete_block\n    ksmbd_vfs_posix_lock_unblock\n    smb2_remove_blocked_lock\n    smb2_cancel                 <- 2nd SMB2_CANCEL fires cancel_fn\n    handle_ksmbd_work\n  Allocated by ...: locks_alloc_lock <- smb2_lock\n  Freed by ...:     locks_free_lock  <- smb2_lock (cancelled branch)\n  ... 
cache file_lock_cache of size 192\n\nReproduced on mainline with KASAN by an authenticated SMB client.\n\nSkip a work whose state is already KSMBD_WORK_CANCELLED so its cancel callback\ncannot be fired a second time.","state":"PUBLISHED","assigner":"Linux","published_at":"2026-06-25 09:16:37","updated_at":"2026-06-25 09:16:37"},"problem_types":[],"metrics":[],"references":[{"url":"https://git.kernel.org/stable/c/f580d27e8928828693df44ba2db0fffdbe11dfea","name":"https://git.kernel.org/stable/c/f580d27e8928828693df44ba2db0fffdbe11dfea","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/2b2eda2821cff1d1b5a423b6ee7d8fc6fbc8e694","name":"https://git.kernel.org/stable/c/2b2eda2821cff1d1b5a423b6ee7d8fc6fbc8e694","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/89ae9df09d2c1fb4a4eb495c113a7ce1dca34147","name":"https://git.kernel.org/stable/c/89ae9df09d2c1fb4a4eb495c113a7ce1dca34147","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/b7063c7426ea5a4d15e01b60538718765392f49d","name":"https://git.kernel.org/stable/c/b7063c7426ea5a4d15e01b60538718765392f49d","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/0da2e073f9cbf4985a0fd9acb71bc5ff599f8afd","name":"https://git.kernel.org/stable/c/0da2e073f9cbf4985a0fd9acb71bc5ff599f8afd","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/14d2eee0193ac3cd1bf3d014373449f0b8d35d6d","name":"https://git.kernel.org/stable/c/14d2eee0193ac3cd1bf3d014373449f0b8d35d6d","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb0
6d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-53198","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-53198","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 b7063c7426ea5a4d15e01b60538718765392f49d git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 0da2e073f9cbf4985a0fd9acb71bc5ff599f8afd git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 89ae9df09d2c1fb4a4eb495c113a7ce1dca34147 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 14d2eee0193ac3cd1bf3d014373449f0b8d35d6d git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 2b2eda2821cff1d1b5a423b6ee7d8fc6fbc8e694 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 f580d27e8928828693df44ba2db0fffdbe11dfea git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 6.1.176 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 6.6.143 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 6.12.94 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 6.18.36 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 7.0.13 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.1.176 
6.1.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.6.143 6.6.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.12.94 6.12.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.18.36 6.18.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.0.13 7.0.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.1 * original_commit_for_fix","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["fs/smb/server/smb2pdu.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"b7063c7426ea5a4d15e01b60538718765392f49d","status":"affected","version":"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2","versionType":"git"},{"lessThan":"0da2e073f9cbf4985a0fd9acb71bc5ff599f8afd","status":"affected","version":"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2","versionType":"git"},{"lessThan":"89ae9df09d2c1fb4a4eb495c113a7ce1dca34147","status":"affected","version":"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2","versionType":"git"},{"lessThan":"14d2eee0193ac3cd1bf3d014373449f0b8d35d6d","status":"affected","version":"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2","versionType":"git"},{"lessThan":"2b2eda2821cff1d1b5a423b6ee7d8fc6fbc8e694","status":"affected","version":"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2","versionType":"git"},{"lessThan":"f580d27e8928828693df44ba2db0fffdbe11dfea","status":"affected","version":"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2","versionType":"git"},{"lessThan":"6.1.176","status":"affected","version":"0","versionType":"semver"},{"less
Than":"6.6.143","status":"affected","version":"0","versionType":"semver"},{"lessThan":"6.12.94","status":"affected","version":"0","versionType":"semver"},{"lessThan":"6.18.36","status":"affected","version":"0","versionType":"semver"},{"lessThan":"7.0.13","status":"affected","version":"0","versionType":"semver"}]},{"defaultStatus":"affected","product":"Linux","programFiles":["fs/smb/server/smb2pdu.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThanOrEqual":"6.1.*","status":"unaffected","version":"6.1.176","versionType":"semver"},{"lessThanOrEqual":"6.6.*","status":"unaffected","version":"6.6.143","versionType":"semver"},{"lessThanOrEqual":"6.12.*","status":"unaffected","version":"6.12.94","versionType":"semver"},{"lessThanOrEqual":"6.18.*","status":"unaffected","version":"6.18.36","versionType":"semver"},{"lessThanOrEqual":"7.0.*","status":"unaffected","version":"7.0.13","versionType":"semver"},{"lessThanOrEqual":"*","status":"unaffected","version":"7.1","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.1.176","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.6.143","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.12.94","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.18.36","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.0.13","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.1","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix use-after-free of a deferred file_lock on double SMB2_CANCEL\n\nA 
deferred byte-range lock (an SMB2_LOCK that blocks) registers an async work on\nconn->async_requests via setup_async_work(), with cancel_fn =\nsmb2_remove_blocked_lock and cancel_argv[0] pointing at the struct file_lock.\n\nWhen the request is cancelled, the worker frees the file_lock with\nlocks_free_lock() and takes the cancelled early-exit, which \"goto out\"s and never\nreaches release_async_work() -- the only site that unlinks the work from\nconn->async_requests and clears cancel_fn/cancel_argv. The work therefore stays\nmatchable on async_requests with a live cancel_fn pointing at the freed file_lock,\nuntil connection teardown finally runs release_async_work().\n\nsmb2_cancel() fires cancel_fn unconditionally with no state guard, so a second\nSMB2_CANCEL for the same AsyncId, arriving in that window, re-runs\nsmb2_remove_blocked_lock() on the freed file_lock -- a slab use-after-free:\n\n  BUG: KASAN: slab-use-after-free in __locks_delete_block\n    __locks_delete_block\n    locks_delete_block\n    ksmbd_vfs_posix_lock_unblock\n    smb2_remove_blocked_lock\n    smb2_cancel                 <- 2nd SMB2_CANCEL fires cancel_fn\n    handle_ksmbd_work\n  Allocated by ...: locks_alloc_lock <- smb2_lock\n  Freed by ...:     locks_free_lock  <- smb2_lock (cancelled branch)\n  ... 
cache file_lock_cache of size 192\n\nReproduced on mainline with KASAN by an authenticated SMB client.\n\nSkip a work whose state is already KSMBD_WORK_CANCELLED so its cancel callback\ncannot be fired a second time."}],"providerMetadata":{"dateUpdated":"2026-06-25T08:39:07.650Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/b7063c7426ea5a4d15e01b60538718765392f49d"},{"url":"https://git.kernel.org/stable/c/0da2e073f9cbf4985a0fd9acb71bc5ff599f8afd"},{"url":"https://git.kernel.org/stable/c/89ae9df09d2c1fb4a4eb495c113a7ce1dca34147"},{"url":"https://git.kernel.org/stable/c/14d2eee0193ac3cd1bf3d014373449f0b8d35d6d"},{"url":"https://git.kernel.org/stable/c/2b2eda2821cff1d1b5a423b6ee7d8fc6fbc8e694"},{"url":"https://git.kernel.org/stable/c/f580d27e8928828693df44ba2db0fffdbe11dfea"}],"title":"ksmbd: fix use-after-free of a deferred file_lock on double SMB2_CANCEL","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2026-53198","datePublished":"2026-06-25T08:39:07.650Z","dateReserved":"2026-06-09T07:44:35.391Z","dateUpdated":"2026-06-25T08:39:07.650Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-06-25 09:16:37","lastModifiedDate":"2026-06-25 09:16:37","problem_types":[],"metrics":[],"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"53198","Ordinal":"1","Title":"ksmbd: fix use-after-free of a deferred file_lock on double SMB2","CVE":"CVE-2026-53198","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"53198","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix use-after-free of a deferred file_lock on double SMB2_CANCEL\n\nA deferred byte-range lock (an SMB2_LOCK that blocks) registers an async work on\nconn->async_requests via setup_async_work(), with cancel_fn 
=\nsmb2_remove_blocked_lock and cancel_argv[0] pointing at the struct file_lock.\n\nWhen the request is cancelled, the worker frees the file_lock with\nlocks_free_lock() and takes the cancelled early-exit, which \"goto out\"s and never\nreaches release_async_work() -- the only site that unlinks the work from\nconn->async_requests and clears cancel_fn/cancel_argv. The work therefore stays\nmatchable on async_requests with a live cancel_fn pointing at the freed file_lock,\nuntil connection teardown finally runs release_async_work().\n\nsmb2_cancel() fires cancel_fn unconditionally with no state guard, so a second\nSMB2_CANCEL for the same AsyncId, arriving in that window, re-runs\nsmb2_remove_blocked_lock() on the freed file_lock -- a slab use-after-free:\n\n  BUG: KASAN: slab-use-after-free in __locks_delete_block\n    __locks_delete_block\n    locks_delete_block\n    ksmbd_vfs_posix_lock_unblock\n    smb2_remove_blocked_lock\n    smb2_cancel                 <- 2nd SMB2_CANCEL fires cancel_fn\n    handle_ksmbd_work\n  Allocated by ...: locks_alloc_lock <- smb2_lock\n  Freed by ...:     locks_free_lock  <- smb2_lock (cancelled branch)\n  ... cache file_lock_cache of size 192\n\nReproduced on mainline with KASAN by an authenticated SMB client.\n\nSkip a work whose state is already KSMBD_WORK_CANCELLED so its cancel callback\ncannot be fired a second time.","Type":"Description","Title":"ksmbd: fix use-after-free of a deferred file_lock on double SMB2"}]}}}
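The advisory text above describes a double-fire of an async cancel callback: the first SMB2_CANCEL marks the work cancelled and runs cancel_fn, the blocked SMB2_LOCK worker then frees the file_lock and exits without ever reaching release_async_work(), and a second SMB2_CANCEL for the same AsyncId finds the work still on conn->async_requests and runs cancel_fn on the freed object. The following C program is an added illustration written for this page; it is not code from fs/smb/server/smb2pdu.c or from cve.report. The function and state names mirror the advisory, but the structs, the list handling and the sequential replay of the worker and the cancel handler are simplified assumptions, and the "free" only marks the lock so that a later touch is counted instead of being real undefined behaviour.

```c
/* Model of the ksmbd async-cancel path from the advisory (illustrative, not
 * kernel code). Names follow the description; structs and list are stand-ins,
 * and locks_free_lock() is modelled as a flag so a use-after-free is counted. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

enum ksmbd_work_state { KSMBD_WORK_ACTIVE, KSMBD_WORK_CANCELLED };

struct file_lock {
    bool freed;          /* set by the modelled locks_free_lock() */
    int unblock_calls;   /* cancel callback invocations on this lock */
    int freed_touches;   /* invocations after the free: the use-after-free */
};

struct ksmbd_work {
    uint64_t async_id;
    enum ksmbd_work_state state;
    void (*cancel_fn)(void **argv);
    void *cancel_argv[1];
    struct ksmbd_work *next;   /* conn->async_requests link */
};

struct ksmbd_conn { struct ksmbd_work *async_requests; };

/* In the kernel this calls ksmbd_vfs_posix_lock_unblock() on argv[0]. */
static void smb2_remove_blocked_lock(void **argv)
{
    struct file_lock *fl = argv[0];
    fl->unblock_calls++;
    if (fl->freed)
        fl->freed_touches++;   /* KASAN slab-use-after-free in the real kernel */
}

static void setup_async_work(struct ksmbd_conn *conn, struct ksmbd_work *work,
                             uint64_t async_id, void (*fn)(void **), void *arg)
{
    work->async_id = async_id;
    work->state = KSMBD_WORK_ACTIVE;
    work->cancel_fn = fn;
    work->cancel_argv[0] = arg;
    work->next = conn->async_requests;
    conn->async_requests = work;
}

/* The only site that unlinks the work and clears cancel_fn/cancel_argv. */
static void release_async_work(struct ksmbd_conn *conn, struct ksmbd_work *work)
{
    for (struct ksmbd_work **pp = &conn->async_requests; *pp; pp = &(*pp)->next)
        if (*pp == work) { *pp = work->next; break; }
    work->cancel_fn = NULL;
    work->cancel_argv[0] = NULL;
}

/* SMB2_CANCEL handler. guard == false fires cancel_fn for any matching work
 * (the behaviour described); guard == true skips a work that is already
 * KSMBD_WORK_CANCELLED, which is the fix. */
static void smb2_cancel(struct ksmbd_conn *conn, uint64_t async_id, bool guard)
{
    for (struct ksmbd_work *w = conn->async_requests; w; w = w->next) {
        if (w->async_id != async_id)
            continue;
        if (guard && w->state == KSMBD_WORK_CANCELLED)
            continue;
        w->state = KSMBD_WORK_CANCELLED;
        if (w->cancel_fn)
            w->cancel_fn(w->cancel_argv);
        break;
    }
}

/* The blocked SMB2_LOCK worker on its cancelled branch: locks_free_lock() then
 * "goto out", never reaching release_async_work(), so the work stays listed. */
static void smb2_lock_cancelled_exit(struct file_lock *fl)
{
    fl->freed = true;
}

/* Replays the advisory's sequence; returns how many times the cancel callback
 * touched the freed file_lock (1 without the guard, 0 with the fix). */
static int run_double_cancel(bool guard)
{
    struct ksmbd_conn conn = { NULL };
    struct ksmbd_work work = { 0 };
    struct file_lock fl = { false, 0, 0 };

    setup_async_work(&conn, &work, 0x1234, smb2_remove_blocked_lock, &fl);
    smb2_cancel(&conn, 0x1234, guard);   /* 1st SMB2_CANCEL: lock still live */
    smb2_lock_cancelled_exit(&fl);       /* worker frees the lock, skips release */
    smb2_cancel(&conn, 0x1234, guard);   /* 2nd SMB2_CANCEL inside the window */
    release_async_work(&conn, &work);    /* connection teardown, too late */
    return fl.freed_touches;
}

int main(void)
{
    printf("unguarded smb2_cancel: %d touch(es) of the freed file_lock\n",
           run_double_cancel(false));
    printf("guarded smb2_cancel:   %d touch(es) of the freed file_lock\n",
           run_double_cancel(true));
    return 0;
}
```

The model collapses what is really concurrent (the lock worker and the cancel handler run on different threads under the connection's locking) into the one ordering the advisory describes, so it shows the logic of the bug and the state guard rather than the race window itself. The guard alone is what the fix adds; the work still remains on conn->async_requests until connection teardown, which is why checking the state, and not just the presence of a cancel_fn, is what prevents the second invocation.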