{"id":"CVE-2024-53186","summary":"ksmbd: fix use-after-free in SMB request handling","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix use-after-free in SMB request handling\n\nA race condition exists between SMB request handling in\n`ksmbd_conn_handler_loop()` and the freeing of `ksmbd_conn` in the\nworkqueue handler `handle_ksmbd_work()`. This leads to a UAF.\n- KASAN: slab-use-after-free Read in handle_ksmbd_work\n- KASAN: slab-use-after-free in rtlock_slowlock_locked\n\nThis race condition arises as follows:\n- `ksmbd_conn_handler_loop()` waits for `conn-\u003er_count` to reach zero:\n  `wait_event(conn-\u003er_count_q, atomic_read(&conn-\u003er_count) == 0);`\n- Meanwhile, `handle_ksmbd_work()` decrements `conn-\u003er_count` using\n  `atomic_dec_return(&conn-\u003er_count)`, and if it reaches zero, calls\n  `ksmbd_conn_free()`, which frees `conn`.\n- However, after `handle_ksmbd_work()` decrements `conn-\u003er_count`,\n  it may still access `conn-\u003er_count_q` in the following line:\n  `waitqueue_active(&conn-\u003er_count_q)` or `wake_up(&conn-\u003er_count_q)`\n  This results in a UAF, as `conn` has already been freed.\n\nThe discovery of this UAF can be referenced in the following PR for\nsyzkaller's support for SMB\nrequests.","modified":"2026-05-15T11:53:16.126478753Z","published":"2024-12-27T13:49:29.215Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/53xxx/CVE-2024-53186.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/96261adb998a3b513468b6ce17dbec76be5507d4"},{"type":"WEB","url":"https://git.kernel.org/stable/c/9a8c5d89d327ff58e9b2517f8a6afb4181d32c6e"},{"type":"WEB","url":"https://git.kernel.org/stable/c/a96f9eb7add30ba0fafcfe7b7aca090978196800"},{"type":"WEB","url":"https://git.kernel.org/stable/c/f20b77f7897e6aab9ce5527e6016ad2be5d70a33"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/53xxx/CVE-2024-53186.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-53186"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"6.6.64"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.7.0"},{"fixed":"6.11.11"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.12.0"},{"fixed":"6.12.2"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-53186.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}