CVE-2024-26594

7.1 HIGH

📋 TL;DR

This vulnerability in the Linux kernel's ksmbd SMB server allows attackers to send invalid authentication mechanism tokens during session setup, potentially causing memory corruption or crashes. It affects systems running vulnerable versions of the Linux kernel with ksmbd enabled. The vulnerability could lead to denial of service or potentially more severe impacts depending on exploitation.

💻 Affected Systems

Products:
  • Linux kernel ksmbd module
Versions: Linux kernel versions with vulnerable ksmbd implementation (specific versions not specified in CVE)
Operating Systems: Linux distributions with ksmbd enabled
Default Config Vulnerable: ✅ No
Notes: Only vulnerable if ksmbd SMB server is enabled and configured. Many distributions don't enable ksmbd by default.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...


⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution or complete system compromise through memory corruption leading to privilege escalation

🟠 Likely Case: Denial of service through kernel panic or system crash when processing malformed authentication tokens

🟢 If Mitigated: Failed authentication attempts logged, no system impact with proper validation

🌐 Internet-Facing: MEDIUM - SMB servers exposed to internet could be targeted, but requires specific configuration
🏢 Internal Only: LOW - Requires authenticated access to SMB shares and specific exploitation conditions

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires sending specially crafted SMB session setup requests to ksmbd server

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Linux kernel versions with commits 5e6dfec95833edc54c48605a98365a7325e5541e and related fixes

Vendor Advisory: https://git.kernel.org/stable/c/5e6dfec95833edc54c48605a98365a7325e5541e

Restart Required: Yes

Instructions:

1. Update Linux kernel to patched version from your distribution vendor.
2. Reboot system to load new kernel.
3. Verify ksmbd module loads correctly.

🔧 Temporary Workarounds

Disable ksmbd module

linux

Prevent loading of vulnerable ksmbd kernel module

echo 'blacklist ksmbd' >> /etc/modprobe.d/blacklist-ksmbd.conf
rmmod ksmbd

Restrict SMB access

linux

Limit network access to ksmbd service using firewall rules

iptables -A INPUT -p tcp --dport 445 -j DROP
iptables -A INPUT -p tcp --dport 139 -j DROP

🧯 If You Can't Patch

  • Disable ksmbd service entirely if not required
  • Implement network segmentation to isolate SMB servers from untrusted networks

🔍 How to Verify

Check if Vulnerable:

Check if the ksmbd module is loaded:

lsmod | grep ksmbd

Check the kernel version and compare it with patched versions:

uname -r

Check Version:

uname -r

Verify Fix Applied:

Verify kernel version is updated and ksmbd module version matches patched kernel. Test SMB session setup with invalid tokens.
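
Added example (not part of the original advisory or of the kernel project's code): a shell audit that combines the checks above with the workarounds, reporting whether ksmbd is loaded, how modprobe is configured to treat it, and whether anything listens on port 445 or 139. A "blacklist" line only makes modprobe ignore a module's aliases, so a "modprobe ksmbd" by name still loads it, while an "install ksmbd /bin/false" line makes that request fail. The function names and the --audit argument are this example's own.

```shell
#!/bin/sh
# Added example: audit the ksmbd exposure conditions this page lists.
# Paths are parameters (an assumption of this example) so saved copies can be checked.

# Exit 0 if ksmbd is a loaded module; input uses the /proc/modules format lsmod reads.
ksmbd_loaded() {
    awk '$1 == "ksmbd" { found = 1 } END { exit !found }' "${1:-/proc/modules}"
}

# Print modprobe's treatment of ksmbd: "install-override", "blacklist-only" or "none".
# "blacklist" only ignores module aliases; "install ksmbd /bin/false" makes
# "modprobe ksmbd" itself fail.
ksmbd_block_state() {
    state=none
    for f in "${1:-/etc/modprobe.d}"/*.conf; do
        [ -f "$f" ] || continue
        if grep -Eq '^[[:space:]]*install[[:space:]]+ksmbd[[:space:]]+/bin/(false|true)' "$f"; then
            echo install-override; return 0
        fi
        if grep -Eq '^[[:space:]]*blacklist[[:space:]]+ksmbd([[:space:]]|$)' "$f"; then state=blacklist-only; fi
    done
    echo "$state"
}

# Exit 0 if any given table (/proc/net/tcp format) has a LISTEN socket (state 0A)
# on port 445 (hex 01BD) or 139 (hex 008B). Unreadable tables are skipped.
smb_listening() {
    [ "$#" -gt 0 ] || set -- /proc/net/tcp /proc/net/tcp6
    for t in "$@"; do
        [ -r "$t" ] || continue
        awk 'NR > 1 { n = split($2, a, ":")
                      if ($4 == "0A" && (a[n] == "01BD" || a[n] == "008B")) found = 1 }
             END { exit !found }' "$t" && return 0
    done
    return 1
}

# Usage: ksmbd_report MODULES_FILE MODPROBE_DIR TCP_TABLE...
ksmbd_report() {
    mods=$1 dir=$2; shift 2
    if ksmbd_loaded "$mods"; then loaded=yes; else loaded=no; fi
    if smb_listening "$@"; then listen=yes; else listen=no; fi
    echo "ksmbd_loaded=$loaded modprobe=$(ksmbd_block_state "$dir") smb_listening=$listen"
}

# Check the live system only when asked: sh audit.sh --audit
case "${1:-}" in
    --audit) ksmbd_report /proc/modules /etc/modprobe.d /proc/net/tcp /proc/net/tcp6 ;;
esac
```

A result of ksmbd_loaded=yes together with smb_listening=yes on an unpatched kernel is the exposed state this page describes; modprobe=blacklist-only means the module can still be loaded by name.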

📡 Detection & Monitoring

Log Indicators:

  • Kernel panic logs
  • ksmbd error messages about invalid tokens
  • Failed SMB authentication attempts

Network Indicators:

  • Multiple SMB session setup requests with malformed tokens
  • Unexpected SMB traffic to port 445/139

SIEM Query:

(source="kernel" AND "panic") OR (source="ksmbd" AND ("invalid" OR "token" OR "session setup"))
