PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-52944 Linux CVE debrief

The Linux kernel was vulnerable to a permission bypass issue in the ksmbd module. The FSCTL_SET_SPARSE operation in fsctl_set_sparse() was modifying file sparse attributes without proper permission checks. This allowed clients on read-only shares to change file sparse attributes and also allowed clients without FILE_WRITE_DATA or FILE_WRITE_ATTRIBUTES access to modify sparse attributes on writable shares. The vulnerability has been resolved by adding both share-level writable checks and per-handle access checks.

Vendor
Linux
Product
Unknown
CVSS
Unknown
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-24
Original CVE updated
2026-07-07
Advisory published
2026-06-24
Advisory updated
2026-07-07

Who should care

Linux kernel users and administrators, especially those using ksmbd, should verify their systems are updated with the latest kernel patches to prevent potential unauthorized file attribute modifications.

Technical summary

The ksmbd module in the Linux kernel did not perform adequate permission checks for the FSCTL_SET_SPARSE operation. This operation, which modifies a file's sparse attribute, was not verifying if the client had the necessary permissions, specifically FILE_WRITE_DATA or FILE_WRITE_ATTRIBUTES access, or if the share was writable. This oversight allowed for two primary issues: 1) Clients on read-only shares could change file sparse attributes. 2) Clients without proper access rights could modify sparse attributes on writable shares. The fix involves adding a permission check to ensure that only authorized clients can modify file sparse attributes.

Defensive priority

Medium

Recommended defensive actions

  • Verify and apply the latest Linux kernel updates to ensure the ksmbd module is patched.
  • Review system configurations for ksmbd shares and ensure proper access controls are in place.
  • Monitor file system operations for any suspicious activity related to sparse attribute changes.
  • Perform a thorough review of current ksmbd share configurations to ensure alignment with organizational security policies.
  • Conduct a vulnerability scan to identify any systems that may be exposed to this issue.
  • Track and document changes to file sparse attributes for auditing and forensic analysis purposes.
  • Engage with Linux kernel community or support channels for additional guidance on mitigating similar vulnerabilities in the future.

Evidence notes

The CVE record and associated source item provide details on the vulnerability and its resolution. The NVD entry is currently awaiting analysis. Kernel.org references provide additional context on the specific commits that address the vulnerability.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-06-24T10:17:19.447Z and has not been modified since then.