CVE-2026-52911 (GCVE-0-2026-52911)
Vulnerability from cvelistv5 – Published: 2026-06-21 06:18 – Updated: 2026-06-21 06:18
VLAI
Title
ksmbd: scope conn->binding slowpath to bound sessions only
Summary
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: scope conn->binding slowpath to bound sessions only
When the binding SESSION_SETUP sets conn->binding = true, the flag stays
set after the call so that the global session lookup in
ksmbd_session_lookup_all() can find the session, which was not added to
conn->sessions. Because the flag is connection-wide, the global lookup
path will also resolve any other session by id if asked.
Tighten the global lookup so that the returned session must have this
connection registered in its channel xarray (sess->ksmbd_chann_list).
The channel entry is installed by the existing binding_session path in
ntlm_authenticate()/krb5_authenticate() when a SESSION_SETUP completes
successfully, so this condition is a strict equivalent of "this
connection has been accepted as a channel of this session". Connections
that have not bound to a given session cannot reach it via the global
table.
The existing conn->binding gate for entering the slowpath is preserved
so that non-binding connections keep the fast-path-only behavior, and
the session->state check is unchanged.
Severity
No CVSS data available.
Assigner
References
7 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
f5a544e3bab78142207e0242d22442db85ba1eff , < e74c00c6af428a39e564cdc5bd3a3648c6d8de87
(git)
Affected: f5a544e3bab78142207e0242d22442db85ba1eff , < e3a93ce6e25757b8f375e38b8f91e1d9da4edc1a (git) Affected: f5a544e3bab78142207e0242d22442db85ba1eff , < 1ff46c9915c1cbf454db58a8cb87f7cac818e6a6 (git) Affected: f5a544e3bab78142207e0242d22442db85ba1eff , < 974c1c224e85549dc3459f3bb2255bbbdd2b9372 (git) Affected: f5a544e3bab78142207e0242d22442db85ba1eff , < 2cc8a4db633b10715450b291c1343859a4b2c509 (git) Affected: f5a544e3bab78142207e0242d22442db85ba1eff , < 1e2bec062c5c9ec282636715166056d0998d746d (git) Affected: f5a544e3bab78142207e0242d22442db85ba1eff , < b0da97c034b6107d14e537e212d4ce8b22109a58 (git) |
|
| Linux | Linux |
Affected:
5.15
Unaffected: 0 , < 5.15 (semver) Unaffected: 5.15.209 , ≤ 5.15.* (semver) Unaffected: 6.1.175 , ≤ 6.1.* (semver) Unaffected: 6.6.141 , ≤ 6.6.* (semver) Unaffected: 6.12.91 , ≤ 6.12.* (semver) Unaffected: 6.18.33 , ≤ 6.18.* (semver) Unaffected: 7.0.10 , ≤ 7.0.* (semver) Unaffected: 7.1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/server/mgmt/user_session.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e74c00c6af428a39e564cdc5bd3a3648c6d8de87",
"status": "affected",
"version": "f5a544e3bab78142207e0242d22442db85ba1eff",
"versionType": "git"
},
{
"lessThan": "e3a93ce6e25757b8f375e38b8f91e1d9da4edc1a",
"status": "affected",
"version": "f5a544e3bab78142207e0242d22442db85ba1eff",
"versionType": "git"
},
{
"lessThan": "1ff46c9915c1cbf454db58a8cb87f7cac818e6a6",
"status": "affected",
"version": "f5a544e3bab78142207e0242d22442db85ba1eff",
"versionType": "git"
},
{
"lessThan": "974c1c224e85549dc3459f3bb2255bbbdd2b9372",
"status": "affected",
"version": "f5a544e3bab78142207e0242d22442db85ba1eff",
"versionType": "git"
},
{
"lessThan": "2cc8a4db633b10715450b291c1343859a4b2c509",
"status": "affected",
"version": "f5a544e3bab78142207e0242d22442db85ba1eff",
"versionType": "git"
},
{
"lessThan": "1e2bec062c5c9ec282636715166056d0998d746d",
"status": "affected",
"version": "f5a544e3bab78142207e0242d22442db85ba1eff",
"versionType": "git"
},
{
"lessThan": "b0da97c034b6107d14e537e212d4ce8b22109a58",
"status": "affected",
"version": "f5a544e3bab78142207e0242d22442db85ba1eff",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/smb/server/mgmt/user_session.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.209",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.175",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.141",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.91",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.209",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.175",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.141",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.91",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.33",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.10",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: scope conn-\u003ebinding slowpath to bound sessions only\n\nWhen the binding SESSION_SETUP sets conn-\u003ebinding = true, the flag stays\nset after the call so that the global session lookup in\nksmbd_session_lookup_all() can find the session, which was not added to\nconn-\u003esessions. Because the flag is connection-wide, the global lookup\npath will also resolve any other session by id if asked.\n\nTighten the global lookup so that the returned session must have this\nconnection registered in its channel xarray (sess-\u003eksmbd_chann_list).\nThe channel entry is installed by the existing binding_session path in\nntlm_authenticate()/krb5_authenticate() when a SESSION_SETUP completes\nsuccessfully, so this condition is a strict equivalent of \"this\nconnection has been accepted as a channel of this session\". Connections\nthat have not bound to a given session cannot reach it via the global\ntable.\n\nThe existing conn-\u003ebinding gate for entering the slowpath is preserved\nso that non-binding connections keep the fast-path-only behavior, and\nthe session-\u003estate check is unchanged."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-21T06:18:49.342Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e74c00c6af428a39e564cdc5bd3a3648c6d8de87"
},
{
"url": "https://git.kernel.org/stable/c/e3a93ce6e25757b8f375e38b8f91e1d9da4edc1a"
},
{
"url": "https://git.kernel.org/stable/c/1ff46c9915c1cbf454db58a8cb87f7cac818e6a6"
},
{
"url": "https://git.kernel.org/stable/c/974c1c224e85549dc3459f3bb2255bbbdd2b9372"
},
{
"url": "https://git.kernel.org/stable/c/2cc8a4db633b10715450b291c1343859a4b2c509"
},
{
"url": "https://git.kernel.org/stable/c/1e2bec062c5c9ec282636715166056d0998d746d"
},
{
"url": "https://git.kernel.org/stable/c/b0da97c034b6107d14e537e212d4ce8b22109a58"
}
],
"title": "ksmbd: scope conn-\u003ebinding slowpath to bound sessions only",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-52911",
"datePublished": "2026-06-21T06:18:49.342Z",
"dateReserved": "2026-06-09T07:44:35.366Z",
"dateUpdated": "2026-06-21T06:18:49.342Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…