CVE-2023-38426

9.1 CRITICAL

📋 TL;DR

This vulnerability in the Linux kernel's ksmbd SMB server allows attackers to read memory beyond allocated buffers when processing SMB2 create context requests. It affects Linux systems running kernel versions before 6.3.4 with ksmbd enabled. Attackers could potentially leak sensitive kernel memory or cause system instability.

💻 Affected Systems

Products:
  • Linux kernel
Versions: Linux kernel versions before 6.3.4
Operating Systems: Linux distributions using affected kernel versions
Default Config Vulnerable: ✅ No
Notes: Only vulnerable if ksmbd (in-kernel SMB server) is enabled and configured. Many distributions don't enable ksmbd by default.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

⚠️ Risk & Real-World Impact

🔴

Worst Case

Kernel memory disclosure leading to information leakage, potential privilege escalation, or denial of service through kernel panic.

🟠

Likely Case

Information disclosure of kernel memory contents, potentially exposing sensitive data or system information.

🟢

If Mitigated

Minimal impact if ksmbd is disabled or proper network segmentation prevents access.

🌐 Internet-Facing: HIGH - SMB services exposed to internet could be directly targeted.
🏢 Internal Only: MEDIUM - Internal attackers or compromised systems could exploit this vulnerability.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires sending specially crafted SMB2 packets to ksmbd service. Authentication status depends on SMB share configuration.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Linux kernel 6.3.4 and later

Vendor Advisory: https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.3.4

Restart Required: Yes

Instructions:

1. Update the Linux kernel to version 6.3.4 or later.
2. For distributions with backported patches, apply the distribution's security updates.
3. Reboot the system to load the new kernel.

🔧 Temporary Workarounds

Disable ksmbd module

Prevent loading of the vulnerable ksmbd kernel module. Stop the ksmbd.mountd user-space daemon before unloading; rmmod fails while the module is still in use.

echo 'blacklist ksmbd' >> /etc/modprobe.d/blacklist-ksmbd.conf
rmmod ksmbd

Block SMB ports at firewall

Prevent external access to the ksmbd service. This also blocks any other SMB server on the host, and the rules are lost on reboot unless saved with the distribution's iptables persistence tooling.

iptables -A INPUT -p tcp --dport 445 -j DROP
iptables -A INPUT -p tcp --dport 139 -j DROP

🧯 If You Can't Patch

  • Disable ksmbd service if not required for business operations
  • Implement strict network segmentation to isolate systems with ksmbd enabled

🔍 How to Verify

Check if Vulnerable:

Check the kernel version and whether the ksmbd module is loaded:

uname -r
lsmod | grep ksmbd

Check Version:

uname -r

Verify Fix Applied:

Confirm that the kernel version reported by uname -r is 6.3.4 or later (or a distribution kernel carrying the backported fix), and that the ksmbd module is either not loaded or belongs to the patched kernel.
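The two checks above, combined into one script as an added example (not part of this advisory): it compares the kernel release string against 6.3.4 and looks for ksmbd in lsmod output. It assumes the standard lsmod column layout and a major.minor.patch release prefix; the sample lsmod text is constructed.

```shell
#!/bin/sh
# Added check for CVE-2023-38426 (not part of the advisory). Classifies a
# host from its kernel release string and its lsmod output. Caveat: a
# distribution that backported the fix keeps an older version string, so
# "exposed" means "ksmbd loaded on a kernel predating 6.3.4", not a
# confirmed vulnerability; check the vendor's changelog in that case.

# kernel_fixed RELEASE -> 0 if RELEASE is >= 6.3.4 (first upstream fixed
# release), else 1. Only the leading major.minor.patch is compared; distro
# suffixes such as "-generic", "-300.fc38.x86_64" or "+" are dropped.
kernel_fixed() {
    rel=${1%%-*}; rel=${rel%%+*}
    old_ifs=$IFS; IFS=.; set -- $rel; IFS=$old_ifs
    maj=${1:-0}; min=${2:-0}; pat=${3:-0}
    [ "$maj" -gt 6 ] && return 0
    [ "$maj" -lt 6 ] && return 1
    [ "$min" -gt 3 ] && return 0
    [ "$min" -lt 3 ] && return 1
    [ "$pat" -ge 4 ]
}

# ksmbd_loaded LSMOD_OUTPUT -> 0 if a line of the lsmod text names ksmbd.
ksmbd_loaded() {
    printf '%s\n' "$1" | grep -q '^ksmbd[[:space:]]'
}

# assess RELEASE LSMOD_OUTPUT -> prints one verdict word:
#   not-exposed  ksmbd is not loaded, so the server code is not reachable
#   fixed        ksmbd is loaded on a kernel at or above 6.3.4
#   exposed      ksmbd is loaded on a kernel predating 6.3.4
assess() {
    if ! ksmbd_loaded "$2"; then echo not-exposed
    elif kernel_fixed "$1"; then echo fixed
    else echo exposed
    fi
}

# Constructed lsmod sample (not captured from a real host) for a
# stand-alone run; the second call checks the host the script runs on.
SAMPLE_LSMOD='Module                  Size  Used by
ksmbd                 483328  0
libdes                 24576  1 ksmbd'
echo "sample host, kernel 6.3.3-generic: $(assess 6.3.3-generic "$SAMPLE_LSMOD")"
echo "this host, kernel $(uname -r): $(assess "$(uname -r)" "$(lsmod 2>/dev/null)")"
```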

📡 Detection & Monitoring

Log Indicators:

  • Kernel panic logs
  • ksmbd error messages in system logs
  • Unusual SMB connection attempts

Network Indicators:

  • Unusual SMB2 create context requests with malformed name_len values
  • Traffic to port 445/139 with abnormal packet patterns

SIEM Query:

(source="kernel" AND ("panic" OR "Oops")) OR (source="ksmbd" AND ("error" OR "out of bounds"))
