PatchSiren cyber security CVE debrief
CVE-2026-43379 Git CVE debrief
CVE-2026-43379 is a critical Linux kernel memory-safety flaw in ksmbd, the in-kernel SMB server. The issue is a use-after-free in smb_lazy_parent_lease_break_close() caused by accessing an opinfo pointer after leaving the RCU read-side critical section. NVD rates the issue CVSS 3.1 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), so organizations should treat it as urgent and patch affected kernels as soon as fixes are available from their distributor or stable kernel channel.
- Vendor: Git
- Product: Unknown
- CVSS: CRITICAL 9.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-08
- Original CVE updated: 2026-05-11
- Advisory published: 2026-05-08
- Advisory updated: 2026-05-11
Who should care
Linux administrators, security teams, and service owners running kernels with ksmbd enabled or exposing SMB services on affected systems should prioritize this CVE. Systems that rely on kernel-level SMB file sharing deserve immediate review and patching.
Technical summary
The CVE description states that opinfo, obtained via rcu_dereference(fp->f_opinfo), is referenced after rcu_read_unlock() in smb_lazy_parent_lease_break_close(). Once the RCU read-side critical section has ended, nothing prevents a concurrent writer from freeing the object, so later dereferences such as opinfo->is_lease can touch freed memory, resulting in a use-after-free. The official NVD record assigns a critical score for a network-reachable, unauthenticated attack path and includes multiple kernel.org stable references for the fix.
Defensive priority
Immediate. This is a critical kernel use-after-free with high confidentiality, integrity, and availability impact per NVD. Patch or backport the fix as soon as your platform vendor provides it, and reduce exposure of ksmbd where feasible until updates are applied.
Recommended defensive actions
- Apply the vendor or stable-kernel update that addresses CVE-2026-43379 as soon as possible.
- Verify whether ksmbd is enabled or used on your systems; if it is not required, disable or remove the service/module according to your platform guidance.
- Prioritize internet-exposed or production SMB endpoints for expedited maintenance.
- Review asset inventories and patch-management reports for kernels that may include ksmbd support.
- Monitor for kernel crashes, unexpected SMB service instability, or security advisories from your Linux distribution and hardware vendor.
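The second action above, as a triage helper added here (not part of the PatchSiren debrief): it reads a kernel config file, a /proc/modules-style listing and an `ss -Hltn`-style socket listing from paths you supply, so it runs against a live host or against collected evidence. `CONFIG_SMB_SERVER` is the kernel option that builds ksmbd; the function names and priority labels are my own.

```shell
#!/bin/sh
# Added triage helper for CVE-2026-43379 (not from the debrief or the kernel
# project). Reports whether ksmbd is built in, loaded, or listening so hosts
# can be ordered for the kernel update. All inputs are file paths.

# 0 if the kernel config builds ksmbd as a module or built-in.
ksmbd_in_config() {
    grep -Eq '^CONFIG_SMB_SERVER=(y|m)$' "$1" 2>/dev/null
}

# 0 if ksmbd is compiled into the kernel image (it will never show in /proc/modules).
ksmbd_builtin() {
    grep -q '^CONFIG_SMB_SERVER=y$' "$1" 2>/dev/null
}

# 0 if the ksmbd module appears in a /proc/modules-style listing.
ksmbd_loaded() {
    grep -Eq '^ksmbd[[:space:]]' "$1" 2>/dev/null
}

# 0 if an "ss -Hltn"-style listing shows a TCP listener on port 445.
# A 445 listener alone can also be userspace Samba, so it is only treated as
# ksmbd exposure when the kernel server is actually present.
smb_listening() {
    grep -Eq '[:.]445[[:space:]]' "$1" 2>/dev/null
}

# Usage: ksmbd_exposure <kernel-config> <modules-listing> <socket-listing>
# Prints one label:
#   EXPOSED   - ksmbd present (loaded or built-in) and port 445 listening
#   ACTIVE    - ksmbd present, no SMB listener seen
#   AVAILABLE - ksmbd built as a module but not loaded
#   ABSENT    - no ksmbd support found in this kernel
ksmbd_exposure() {
    if ksmbd_loaded "$2" || ksmbd_builtin "$1"; then
        if smb_listening "$3"; then echo EXPOSED; else echo ACTIVE; fi
    elif ksmbd_in_config "$1"; then
        echo AVAILABLE
    else
        echo ABSENT
    fi
}

# Live-host usage (standard locations):
#   ss -Hltn > /tmp/ss.txt
#   ksmbd_exposure "/boot/config-$(uname -r)" /proc/modules /tmp/ss.txt
```

Hosts labelled EXPOSED or ACTIVE go first in the patch queue; AVAILABLE hosts can be hardened by blacklisting the module until the fixed kernel is installed.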
Evidence notes
The evidence base is limited to the CVE record and official references. The CVE description explicitly says opinfo is accessed after rcu_read_unlock() in smb_lazy_parent_lease_break_close(), creating a race that can lead to use-after-free. The NVD record provides the CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. Official references include the CVE record, NVD detail page, and five kernel.org stable commit URLs.
Official resources
- CVE-2026-43379 CVE record (CVE.org)
- CVE-2026-43379 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Publicly disclosed in the CVE/NVD record on 2026-05-08 and modified on 2026-05-11.