CVE-2026-53010 · Severity: CRITICAL · CNA: Linux

CVE-2026-53010: ksmbd: fix use-after-free in smb2_open during durable reconnect

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: fix use-after-free in smb2_open during durable reconnect

In smb2_open, the call to ksmbd_put_durable_fd(fp) drops the reference to the durable file descriptor early during the durable reconnect process. If an error occurs subsequently (e.g., ksmbd_iov_pin_rsp fails) or a scavenger accesses the file, it leads to a use-after-free when accessing fp properties (e.g., fp->create_time). Move the single put to the end of the function below err_out2 so fp stays valid until smb2_open returns.
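To make the ordering bug concrete, here is an added C model that is not ksmbd's own code: a refcounted durable file descriptor whose last put poisons the object, with the pre-fix ordering (put in the middle of the function) beside the post-fix ordering that moves the single put below err_out2. The struct, lookup_durable_fd and put_durable_fd are constructed stand-ins for the kernel's internals, and the poisoning stands in for the allocator freeing the object.

```c
#include <stdint.h>
#include <string.h>

/* Constructed stand-ins for ksmbd internals (not the kernel's struct ksmbd_file
 * or ksmbd_put_durable_fd). The last put poisons the object, the way SLUB
 * poisoning or KASAN makes a read-after-free visible instead of silent. */
#define FP_POISON 0x6b6b6b6b6b6b6b6bULL

struct durable_fd {
    int refcount;
    uint64_t create_time;
};

/* Reconnect lookup hands back the caller's reference; the caller owes one put. */
static struct durable_fd *lookup_durable_fd(struct durable_fd *slot, uint64_t ct) {
    slot->refcount = 1;
    slot->create_time = ct;
    return slot;
}

static void put_durable_fd(struct durable_fd *fp) {
    if (--fp->refcount == 0)
        memset(fp, 0x6b, sizeof(*fp));  /* freed: every field now reads as poison */
}
/* Pre-fix ordering: the put sits mid-function, yet the code after it, including
 * the err_out2 error path, still fills the response from fp. */
uint64_t smb2_open_put_early(struct durable_fd *slot, uint64_t ct, int pin_rsp_fails) {
    struct durable_fd *fp = lookup_durable_fd(slot, ct);
    put_durable_fd(fp);                 /* reference dropped too early */
    if (pin_rsp_fails)
        goto err_out2;                  /* e.g. ksmbd_iov_pin_rsp() failed */
    /* success path: further work on the open ... */
err_out2:
    return fp->create_time;             /* use after free on both paths */
}

/* Post-fix ordering: the single put moves below err_out2, so fp stays valid
 * until smb2_open is about to return. */
uint64_t smb2_open_put_late(struct durable_fd *slot, uint64_t ct, int pin_rsp_fails) {
    struct durable_fd *fp = lookup_durable_fd(slot, ct);
    uint64_t rsp_create_time;
    if (pin_rsp_fails)
        goto err_out2;
    /* success path: further work on the open ... */
err_out2:
    rsp_create_time = fp->create_time;  /* fp is still live here */
    put_durable_fd(fp);                 /* last use is behind us */
    return rsp_create_time;
}
```

With the pre-fix ordering the function returns the poison value on both the error and the success path, which is what a KASAN-instrumented kernel would report as a use-after-free read; with the put moved below err_out2 the real create_time comes back.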

Metrics

  • CVSS v3.1: 9.8
  • Severity: CRITICAL
  • Fixed in: 0
  • Affected Products: 2


HarborGuard Analysis

Synopsis

A use-after-free vulnerability exists in the Linux kernel's ksmbd SMB server, in the smb2_open function's handling of durable handle reconnects. The function drops its reference to the durable file descriptor too early, so a later error (for example a failing ksmbd_iov_pin_rsp call) or a concurrent scavenger pass can free the object while smb2_open still reads fields such as fp->create_time. The flaw is reachable over the network without authentication or user interaction, which is why the CVSS v3.1 vector rates it 9.8 CRITICAL (AV:N/AC:L/PR:N/UI:N with high impact on confidentiality, integrity and availability): exploiting the freed memory would give a remote attacker read access to kernel memory, the ability to tamper with kernel data structures, and the ability to crash or take control of the affected host. A patched-image rebuild is available on HarborGuard for environments running an affected kernel version.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-53010 is available across every HarborGuard environment; the CVE is ingested from upstream feeds within minutes of publication and matched against container images in customer registries and CI/CD pipelines, including custom-built images that bundle an affected kernel or ksmbd module.

Triage: Available

HarborGuard scores this CVE at 9.8 CRITICAL using the CVSS v3.1 vector and can weight that score against each environment's compliance policy to determine breach-of-threshold status; findings are routed to the appropriate team inbox within each customer organization based on image ownership and policy configuration.

Patch: Available

A patched-image rebuild targeting the fix versions (kernel 6.18.33, 7.0.10, or commit 1baff47b81f94f9231c91236aa511420d0e266b9) becomes available on HarborGuard once the upstream fix is confirmed present in the base image. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The ksmbd SMB server listens on the network, so an attacker must be able to send SMB2 packets to the target host in order to trigger the vulnerability.

  • Authentication: Not required

    No credentials are needed; the vulnerability can be triggered during the durable reconnect path before session authentication is enforced.

  • Victim interaction: Not required

    No user or administrator action is required; the attacker initiates the exploit entirely through crafted network packets.

  • Attack complexity: Low

    Attack complexity is low (CVSS AC:L), meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other hard-to-control environmental factors.

Blast Radius

  • A successful attacker can read arbitrary kernel memory, exposing cryptographic keys, session tokens, and other sensitive data held in kernel address space.
  • The attacker can overwrite kernel data structures, enabling privilege escalation or persistent tampering with kernel behavior.
  • The attacker can crash the affected system outright, causing a denial of service for all workloads on the host.
  • In the worst case the attacker achieves arbitrary kernel code execution, giving full control of the host and every container running on it.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-53010 is active across all scanning environments, matching images that include an affected Linux kernel build against the known vulnerable version ranges. For customers who opt into auto-remediation, HarborGuard can rebuild affected images against a kernel version that includes the fix (6.18.33, 7.0.10, or a commit at or after 1baff47b81f94f9231c91236aa511420d0e266b9), run a regression test pass, and open a pull request against affected workloads.

Because this bug is CRITICAL, network-exploitable and requires no authentication, it is handled on the critical track: for critical-severity issues, the median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy does not permit auto-remediation, HarborGuard flags the finding at critical priority and routes it to the designated team inbox.

Until the patched kernel is deployed, compensating controls worth considering are network policy rules that restrict access to the SMB port (TCP 445) to trusted source addresses only, and unloading or blacklisting the ksmbd module on hosts that do not need to serve SMB.


Affected packages
  • Linux / Linux
    < ce2e164c1c51c3f7813b80f8c926836e896bcbb3 (from c8efcc786146a951091588e5fa7e3c754850cb3c) · < 97a0cd55283b4e63fd92804da91c8d9896adcad9 (from c8efcc786146a951091588e5fa7e3c754850cb3c) · < 1baff47b81f94f9231c91236aa511420d0e266b9 (from c8efcc786146a951091588e5fa7e3c754850cb3c) · 8df4bcdb0a4232192b2445256c39b787d58ef14d · < 6.7 (from 6.6.32)
  • Linux / Linux
    6.9
    Fixed in: 0, 6.18.33, 7.0.10, 7.1
CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H