CVE-2026-53046: ksmbd: fix use-after-free from async crypto on Qualcomm crypto engine
In the Linux kernel, the following vulnerability has been resolved:

ksmbd: fix use-after-free from async crypto on Qualcomm crypto engine

ksmbd_crypt_message() sets a NULL completion callback on AEAD requests and does not handle the -EINPROGRESS return code from async hardware crypto engines like the Qualcomm Crypto Engine (QCE). When QCE returns -EINPROGRESS, ksmbd treats it as an error and immediately frees the request while the hardware DMA operation is still in flight. The DMA completion callback then dereferences freed memory, causing a NULL pointer crash:

pc : qce_skcipher_done+0x24/0x174
lr : vchan_complete+0x230/0x27c
...
el1h_64_irq+0x68/0x6c
ksmbd_free_work_struct+0x20/0x118 [ksmbd]
ksmbd_exit_file_cache+0x694/0xa4c [ksmbd]

Use the standard crypto_wait_req() pattern with crypto_req_done() as the completion callback, matching the approach used by the SMB client in fs/smb/client/smb2ops.c. This properly handles both synchronous engines (immediate return) and async engines (-EINPROGRESS followed by callback notification).
Metrics
- CVSS v3.1: 9.8
- Severity: CRITICAL
- Fixed in: 0
- Affected Products: 2
HarborGuard Analysis
Synopsis
A use-after-free vulnerability exists in the Linux kernel's ksmbd SMB server module, in ksmbd_crypt_message(), the routine that encrypts and decrypts SMB3 messages through the kernel AEAD API. ksmbd submits its AEAD requests with a NULL completion callback and treats every non-zero return value as a failure. On an asynchronous hardware crypto engine such as the Qualcomm Crypto Engine (QCE) the request returns -EINPROGRESS, so ksmbd frees the request while the engine's DMA operation is still in flight; when the transfer completes, the driver's completion path runs on the freed request (the upstream report shows the oops in qce_skcipher_done, reached from interrupt context). Hosts whose AEAD implementation is a synchronous software cipher get the result back immediately and never take this path. The published CVSS v3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, 9.8 Critical) rates the issue as network-reachable and unauthenticated with high impact on confidentiality, integrity and availability; the impact actually demonstrated in the upstream report is a kernel crash, and turning the use-after-free into a read or write primitive is not shown there. The fix switches to crypto_wait_req() with crypto_req_done() as the completion callback and is in stable releases 5.15.209, 6.1.175, 6.6.141, 6.12.91, 6.18.33, 7.0.10 and 7.1; a patched-image rebuild at those versions is available on HarborGuard for affected environments.
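To make the failure mode concrete, the following user-space C model is added here; it is not kernel code and not HarborGuard's or the ksmbd project's code. It re-implements, under the kernel's names, the shape of the crypto_wait_req()/crypto_req_done() pattern over a toy engine that can run synchronously (result returned immediately) or asynchronously (returns -EINPROGRESS and completes later from a simulated DMA interrupt). Freeing is modelled as returning the request to a small pool and marking it, so the use-after-free is detected and counted instead of actually dereferencing freed memory, and the XOR transform is a stand-in for AES-GCM. ksmbd_crypt_buggy() mirrors the unfixed behaviour described above (NULL callback, any non-zero return treated as failure, request freed at once); ksmbd_crypt_fixed() waits for the completion before freeing and is correct on both engine types.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* User-space model of the kernel objects; the names follow the kernel, the code does not. */
struct crypto_wait { int done; int err; };
struct aead_request {
    void (*complete)(void *data, int err); /* completion callback (NULL in the unfixed caller) */
    void *data;                            /* callback argument, a struct crypto_wait * when set */
    unsigned char *buf; size_t len;
    int in_use;                            /* pool bookkeeping */
    int freed;                             /* stands in for "this slab object was kfree'd" */
};

/* Fixed pool instead of malloc/free so a freed object is recognised, not dereferenced. */
#define POOL 4
static struct aead_request pool[POOL];

static struct aead_request *request_alloc(void) {
    for (int i = 0; i < POOL; i++)
        if (!pool[i].in_use) { memset(&pool[i], 0, sizeof pool[i]); pool[i].in_use = 1; return &pool[i]; }
    return NULL;
}
static void request_free(struct aead_request *req) {
    memset(req, 0, sizeof *req);   /* poisoned/reused memory: the callback pointer is gone */
    req->freed = 1;
}

/* Toy engine: engine_async = 1 behaves like QCE (queue, return -EINPROGRESS, finish later from
 * the "DMA completion interrupt"); 0 behaves like a software cipher. XOR stands in for AES-GCM. */
static int engine_async = 1;
#define MAX_PENDING 8
static struct aead_request *pending[MAX_PENDING];
static int npending;

static void do_transform(struct aead_request *req) {
    for (size_t i = 0; i < req->len; i++) req->buf[i] ^= 0x5A;
}
static int engine_aead_encrypt(struct aead_request *req) {
    if (!engine_async) { do_transform(req); return 0; }  /* synchronous: result is final */
    if (npending == MAX_PENDING) return -ENOSPC;
    pending[npending++] = req;     /* the engine owns req until it calls req->complete */
    return -EINPROGRESS;
}

/* The "interrupt" (the role of qce_skcipher_done/vchan_complete in the upstream trace).
 * Returns how many completions landed on an already-freed request. */
static int engine_run_completions(void) {
    int uaf = 0;
    for (int i = 0; i < npending; i++) {
        struct aead_request *req = pending[i];
        if (req->freed) { uaf++; continue; }   /* real kernel: freed memory dereferenced, oops */
        do_transform(req);
        if (req->complete) req->complete(req->data, 0);
    }
    npending = 0;
    return uaf;
}

/* Same shape as the kernel helpers the fix switches to. */
static void crypto_req_done(void *data, int err) {
    struct crypto_wait *wait = data; wait->err = err; wait->done = 1;
}
static int crypto_wait_req(int err, struct crypto_wait *wait) {
    if (err != -EINPROGRESS && err != -EBUSY) return err;  /* sync engine or real error */
    while (!wait->done) engine_run_completions();          /* kernel: wait_for_completion() */
    return wait->err;
}

/* Unfixed pattern: NULL callback, any non-zero return treated as failure, freed at once. */
static int ksmbd_crypt_buggy(unsigned char *buf, size_t len) {
    struct aead_request *req = request_alloc();
    if (!req) return -ENOMEM;
    req->complete = NULL; req->data = NULL; req->buf = buf; req->len = len;
    int rc = engine_aead_encrypt(req);
    request_free(req);             /* on -EINPROGRESS the engine still holds req: use-after-free */
    return rc;
}

/* Fixed pattern: crypto_req_done as the callback, wait for it, then free. */
static int ksmbd_crypt_fixed(unsigned char *buf, size_t len) {
    struct crypto_wait wait = { 0, 0 };
    struct aead_request *req = request_alloc();
    if (!req) return -ENOMEM;
    req->complete = crypto_req_done; req->data = &wait; req->buf = buf; req->len = len;
    int rc = crypto_wait_req(engine_aead_encrypt(req), &wait);
    request_free(req);             /* safe: the engine is finished with req in either mode */
    return rc;
}

int main(void) {
    unsigned char msg[4] = { 'S', 'M', 'B', '2' };   /* constructed stand-in for a transform payload */
    int rc = ksmbd_crypt_buggy(msg, sizeof msg);
    printf("buggy, async: rc=%d, completions on freed request=%d\n", rc, engine_run_completions());
    rc = ksmbd_crypt_fixed(msg, sizeof msg);
    printf("fixed, async: rc=%d, transformed=%d\n", rc, msg[0] == ('S' ^ 0x5A));
    engine_async = 0;
    printf("fixed, sync : rc=%d\n", ksmbd_crypt_fixed(msg, sizeof msg));
    return 0;
}
```

The point the model makes is that the return value of an async AEAD submission is not the result: -EINPROGRESS means the engine now owns the request, and the only safe moment to free it is after the completion callback has run. In the real kernel the freed object is reused or poisoned, which is why the report shows a NULL-pointer crash inside the completion path rather than a clean error.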
HarborGuard Coverage
Detection of CVE-2026-53046 is available across every HarborGuard environment; the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images in connected registries and CI pipelines, including custom-built images that bundle a vulnerable kernel or ksmbd module.
HarborGuard scores this CVE at its published CVSS v3.1 rating of 9.8 (Critical) and weights that score against each customer environment's compliance policy to determine urgency. Triage findings are routable to the appropriate team inbox within each customer organization based on image ownership and policy configuration.
A patched-image rebuild targeting the fix versions (stable releases 5.15.209, 6.1.175, 6.6.141, 6.12.91, 6.18.33, 7.0.10 and 7.1, which carry the upstream commits listed under "Fix available") becomes available on HarborGuard once the fixed base image is published upstream. For customers with auto-remediation enabled, HarborGuard triggers a rebuild, runs a regression test suite against the rebuilt image, and opens a pull request against affected workloads; the median time from CVE publication to merged patch PR for Critical-severity issues is around 90 minutes in environments with auto-remediation enabled.
Exploit Conditions
- Network reachability: Required
The attacker must be able to reach the ksmbd SMB service over the network; no local access or special network position is required (AV:N).
- Authentication: Not required
Per the published vector, no credentials or existing session are needed to trigger the vulnerability (PR:N).
- Victim interaction: Not required
The crash is triggered entirely by the attacker's network request; no action by a logged-in user or admin is required (UI:N).
- Attack complexity: Low
The published vector rates complexity as low (AC:L): on an affected host the -EINPROGRESS path is taken on every asynchronous request, so no race timing or memory-layout control is needed. The precondition that does apply is environmental rather than a matter of attacker skill: the AEAD implementation the kernel selects for ksmbd's transform cipher must be an asynchronous hardware engine such as QCE. With a synchronous software implementation the request returns immediately and the freed-while-in-flight condition never arises.
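Whether a given host is exposed therefore depends on which implementation the kernel selects for the AEAD algorithms SMB3 encryption uses (gcm(aes) and ccm(aes)): the highest-priority implementation that is not marked internal, which /proc/crypto lists per implementation together with its "async" flag. The following C program is added here as a check and is not part of the advisory or of any HarborGuard tooling. It parses text in the /proc/crypto layout and reports, for a named algorithm, which implementation wins and whether it is asynchronous. The embedded sample is constructed for the example; the driver names gcm-aes-qce and cbc-aes-qce in it are assumptions for illustration, not a claim about what the QCE driver registers. On a real host, read /proc/crypto into the function in place of the sample.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample in the /proc/crypto layout: "field : value" lines, one record per
 * implementation, each record starting with "name". Driver names are made up for the example. */
static const char sample[] =
    "name         : gcm(aes)\n"
    "driver       : gcm_base(ctr(aes-generic),ghash-generic)\n"
    "priority     : 100\n"
    "internal     : no\n"
    "type         : aead\n"
    "async        : no\n"
    "\n"
    "name         : gcm(aes)\n"
    "driver       : gcm-aes-qce\n"
    "priority     : 300\n"
    "internal     : no\n"
    "type         : aead\n"
    "async        : yes\n"
    "\n"
    "name         : ccm(aes)\n"
    "driver       : ccm_base(ctr(aes-generic),cbcmac(aes-generic))\n"
    "priority     : 100\n"
    "internal     : no\n"
    "type         : aead\n"
    "async        : no\n"
    "\n"
    "name         : cbc(aes)\n"
    "driver       : cbc-aes-qce\n"
    "priority     : 300\n"
    "internal     : no\n"
    "type         : skcipher\n"
    "async        : yes\n";

struct impl { char name[64]; char driver[128]; int priority, internal, is_aead, is_async; };

/* Keep cur if it is a selectable (non-internal) aead implementation of alg with the highest
 * priority seen so far; the kernel's algorithm lookup picks the highest-priority one. */
static void consider(struct impl *cur, struct impl *best, int *have, const char *alg) {
    if (cur->name[0] && !strcmp(cur->name, alg) && cur->is_aead && !cur->internal &&
        (!*have || cur->priority > best->priority)) {
        *best = *cur;
        *have = 1;
    }
    memset(cur, 0, sizeof *cur);
}

/* Returns 1 if the implementation the kernel would select for alg is asynchronous, 0 if it is
 * synchronous, -1 if no aead implementation of alg is listed. The winning driver is copied to drv. */
int winning_aead_is_async(const char *text, const char *alg, char *drv, size_t drvlen) {
    struct impl cur = {0}, best = {0};
    int have = 0;
    const char *p = text;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t n = nl ? (size_t)(nl - p) : strlen(p);
        char line[256];
        if (n >= sizeof line) n = sizeof line - 1;
        memcpy(line, p, n);
        line[n] = '\0';
        p += n + (nl ? 1 : 0);

        char *colon = strchr(line, ':');
        if (!colon) continue;                      /* blank separator line */
        *colon = '\0';
        size_t k = strlen(line);
        while (k && line[k - 1] == ' ') line[--k] = '\0';   /* strip the column padding */
        const char *val = colon + 1;
        while (*val == ' ') val++;

        if (!strcmp(line, "name")) {               /* new record: settle the previous one first */
            consider(&cur, &best, &have, alg);
            snprintf(cur.name, sizeof cur.name, "%s", val);
        } else if (!strcmp(line, "driver")) {
            snprintf(cur.driver, sizeof cur.driver, "%s", val);
        } else if (!strcmp(line, "priority")) {
            cur.priority = atoi(val);
        } else if (!strcmp(line, "internal")) {
            cur.internal = !strcmp(val, "yes");
        } else if (!strcmp(line, "type")) {
            cur.is_aead = !strcmp(val, "aead");
        } else if (!strcmp(line, "async")) {
            cur.is_async = !strcmp(val, "yes");
        }
    }
    consider(&cur, &best, &have, alg);
    if (!have) return -1;
    snprintf(drv, drvlen, "%s", best.driver);
    return best.is_async;
}

int main(void) {
    const char *algs[] = { "gcm(aes)", "ccm(aes)" };   /* the AEAD names ksmbd asks the kernel for */
    for (size_t i = 0; i < 2; i++) {
        char drv[128];
        int r = winning_aead_is_async(sample, algs[i], drv, sizeof drv);
        if (r < 0) printf("%s: no aead implementation listed\n", algs[i]);
        else printf("%s: %s is %s -> %s\n", algs[i], drv, r ? "async" : "sync",
                    r ? "-EINPROGRESS path reachable, verify kernel version" : "sync path, bug not reachable");
    }
    return 0;
}
```

A "sync" result for both algorithms means the host returns results immediately and the freed-while-in-flight condition cannot occur, regardless of kernel version; an "async" result on an unpatched kernel is the exposed configuration. The check is a snapshot of the currently registered implementations, so re-run it after loading or unloading crypto driver modules.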
Blast Radius
- The demonstrated impact is availability. ksmbd is a kernel module, not a user-space daemon, and the engine's completion callback runs in interrupt context on a freed request (the upstream trace shows qce_skcipher_done reached from el1h_64_irq), so the result is a kernel oops: at minimum SMB file sharing stops for all connected clients, and the host may panic outright (for example where panic_on_oops is set).
- Beyond the crash, a kernel use-after-free is a memory-safety violation that can, with further work, be developed into a read primitive over kernel memory (credentials, session keys, cached file data). The upstream report shows only the crash and no such chain, so treat this as the potential the CVSS C:H rating reflects rather than a known exploit.
- The same primitive can in principle be turned into writes to freed kernel structures and from there into kernel-level code execution on the host (I:H). As above, this is an assessment of the bug class, not something shown in the public report.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-53046 is active across all connected environments, matching images that include an affected Linux kernel version with the ksmbd module present. Because fix versions exist (5.15.209, 6.1.175, 6.6.141, 6.12.91, 6.18.33, 7.0.10, 7.1 and the upstream commits listed below), a patched-image rebuild becomes available as soon as the fixed base layer is published. For customers with auto-remediation enabled, HarborGuard performs a full rebuild at the patched version, runs a regression test suite, and opens a pull request against every affected workload; at Critical severity, the median time from CVE publication to a merged patch PR is approximately 90 minutes for those environments. Where auto-remediation is not enabled or compliance policy requires human approval, HarborGuard surfaces the finding with full CVSS context and routing to the designated team inbox. Until a patched kernel is running, compensating controls include restricting inbound SMB (TCP 445) to trusted source ranges with network policy or host firewalling, not loading the ksmbd module on hosts that do not serve SMB, and egress filtering to limit the blast radius of any kernel-level compromise. Note that the rebuild applies to images that ship the kernel (VM or bare-metal images); a container image that merely contains a vulnerable kernel package does not run that kernel, and ksmbd runs in the host kernel, so for containers the host itself must be updated.
Fix available
- Linux / Linux: affected from commit e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9 up to (not including) each of the following fix commits:
  57b47231055b431ed0a1a55f33cac32981564405
  cc2da381875d4a67026e4c8feb3dba51a2a2d1bc
  8fcefe840fa8c14ce667768e5b043286ac3bbcbe
  8ef183216feaa24b66b940510d8b68f680eb56e9
  7164b3953cefd540e7ebca828c793bc6869cfbc4
  b46aa129fa2807bfe1545fe74d9295d53c51520b
- Linux / Linux 5.15: fixed in 0, 5.15.209, 6.1.175, 6.6.141, 6.12.91, 6.18.33, 7.0.10, 7.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H