PatchSiren

CVE-2026-53198 Linux CVE debrief

CVE-2026-53198 is a high-severity vulnerability in the Linux kernel, with a CVSS score of 8.8. It is a use-after-free in the ksmbd module that an authenticated SMB client can exploit to execute arbitrary code. The vulnerability was introduced by faulty handling of deferred file locks: a lock can be cancelled and freed prematurely, and the freed lock is then accessed again. The vulnerability has been patched in the Linux kernel, and users are advised to update to the latest version to mitigate the risk.

Vendor: Linux
Product: Unknown
CVSS: HIGH 8.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-25
Original CVE updated: 2026-06-28
Advisory published: 2026-06-25
Advisory updated: 2026-06-28

Who should care

System administrators and users of Linux-based systems should be aware of this vulnerability, as it can be exploited by an authenticated SMB client to execute arbitrary code. The vulnerability is particularly concerning for systems that use the ksmbd module, as it can be used to gain elevated privileges.

Technical summary

The vulnerability is caused by a use-after-free error in the ksmbd module, which handles SMB2_CANCEL requests. When a deferred byte-range lock is cancelled, the worker frees the file_lock with locks_free_lock() and takes the cancelled early-exit, which 'goto out's and never reaches release_async_work() -- the only site that unlinks the work from conn->async_requests and clears cancel_fn/cancel_argv. The work therefore stays matchable on async_requests with a live cancel_fn pointing at the freed file_lock, until connection teardown finally runs release_async_work(). A second SMB2_CANCEL for the same AsyncId, arriving in that window, re-runs smb2_remove_blocked_lock() on the freed file_lock -- a slab use-after-free.
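
The window described above, as a user-space C model added here for illustration; it is not ksmbd source and not the upstream patch. The struct layouts, the `hardened` switch and the `freed` marker are assumptions of the model, and the lock's memory is never actually released, so the program stays well defined while counting how often a cancel reaches a lock that has already been freed.

```c
#include <stdbool.h>
#include <stdio.h>

/* User-space model only: names follow the summary, layout is assumed. */
struct lock_model { bool freed; };           /* stands in for struct file_lock */
struct work_model {
    int async_id;
    bool on_async_requests;                  /* linked on conn->async_requests */
    void (*cancel_fn)(struct work_model *);
    struct lock_model *cancel_argv;
    int stale_hits;                          /* cancels that reached a freed lock */
};

/* Models smb2_remove_blocked_lock(); in the kernel this read is the UAF. */
static void remove_blocked_lock(struct work_model *w) {
    if (w->cancel_argv->freed)
        w->stale_hits++;
}

/* Models release_async_work(): unlink the work and clear its cancel state. */
static void release_async_work(struct work_model *w) {
    w->on_async_requests = false;
    w->cancel_fn = NULL;
    w->cancel_argv = NULL;
}

/* Models SMB2_CANCEL dispatch: match by AsyncId, then run cancel_fn. */
static void handle_cancel(struct work_model *w, int async_id) {
    if (w->on_async_requests && w->async_id == async_id && w->cancel_fn)
        w->cancel_fn(w);
}

/* Two cancels for one AsyncId around the worker's cancelled early exit. */
static int simulate_double_cancel(bool hardened) {
    struct lock_model lock = { .freed = false };   /* never really freed here */
    struct work_model w = { 7, true, remove_blocked_lock, &lock, 0 };

    handle_cancel(&w, 7);           /* first cancel: lock still live */
    if (hardened)
        release_async_work(&w);     /* assumed mitigation: clear before free */
    lock.freed = true;              /* models locks_free_lock() */
    handle_cancel(&w, 7);           /* second cancel inside the window */
    return w.stale_hits;
}

int main(void) {
    printf("buggy=%d hardened=%d\n", simulate_double_cancel(false), simulate_double_cancel(true));
    return 0;
}
```

With the early exit that skips release_async_work(), the second cancel still matches the work and reaches the freed lock; once the cancel state is cleared before the free, the second cancel finds nothing to run.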

Defensive priority

High

Recommended defensive actions

  • Update the Linux kernel to the latest version
  • Disable the ksmbd module if not needed
  • Implement additional security measures, such as firewall rules and intrusion detection systems
  • Monitor system logs for suspicious activity
  • Consider implementing a web application firewall to detect and prevent attacks

Evidence notes

The vulnerability was discovered by an authenticated SMB client and has been patched in the Linux kernel. The CVSS score of 8.8 indicates a high-severity vulnerability. The vulnerability is caused by a use-after-free error in the ksmbd module, which can be exploited by an authenticated SMB client to execute arbitrary code.

This article is AI-assisted and based on the supplied source corpus.