CVE-2026-23228
📋 TL;DR
A memory leak vulnerability in the Linux kernel's SMB server implementation (ksmbd) occurs when kthread_run() fails during new TCP connection handling, causing the active connection counter (active_num_conn) to not be properly decremented. This affects Linux systems running ksmbd SMB server functionality. The vulnerability leads to resource exhaustion over time.
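The accounting error described above, as an added example (a simplified user-space model, not ksmbd source code). Only active_num_conn and kthread_run() come from the advisory; every other name, and the assumption that the counter is incremented when the connection is accepted, is hypothetical.

```c
/* Simplified user-space model of the counter leak; not ksmbd source.
 * start_handler() stands in for kthread_run(); all names except
 * active_num_conn are hypothetical. */
#include <stdio.h>
#include <stdbool.h>

static int active_num_conn;            /* counter named in the advisory */

/* Stand-in for kthread_run(): fails when the caller says so. */
static bool start_handler(bool fail) { return !fail; }

/* Accept one connection. `fixed` selects the corrected error path.
 * Returns true if a handler is now running for the connection. */
static bool new_connection(bool thread_fails, bool fixed)
{
    active_num_conn++;                 /* assumed: counted at accept time */
    if (!start_handler(thread_fails)) {
        /* Buggy path: the connection is torn down but the counter keeps
         * its increment. Fixed path: undo the increment before returning. */
        if (fixed)
            active_num_conn--;
        return false;
    }
    return true;
}

/* Normal teardown of a connection whose handler ran. */
static void close_connection(void) { active_num_conn--; }

/* Run n accepts where every fail_every-th thread start fails, close all
 * connections that did start, and return the counter left behind. */
static int residual_count(int n, int fail_every, bool fixed)
{
    int started = 0;
    active_num_conn = 0;
    for (int i = 1; i <= n; i++)
        if (new_connection(i % fail_every == 0, fixed))
            started++;
    while (started-- > 0)
        close_connection();
    return active_num_conn;            /* 0 means accounting is balanced */
}

int main(void)
{
    printf("buggy: %d stale, fixed: %d stale\n",
           residual_count(1000, 10, false), residual_count(1000, 10, true));
    return 0;
}
```

With no connections left open, any non-zero residual is a count that can never be released, which is why the drift only clears on module reload or reboot.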
💻 Affected Systems
- Linux kernel with ksmbd SMB server module
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Sustained exploitation could exhaust kernel memory resources, leading to denial of service (DoS) conditions where the SMB server becomes unresponsive or crashes.
Likely Case
Gradual resource leakage causing performance degradation and eventual SMB service disruption under high connection load.
If Mitigated
Minimal impact with proper monitoring and connection limits in place, though resource leakage still occurs.
🎯 Exploit Status
Exploitation requires ability to establish TCP connections to the SMB server. No authentication bypass or code execution is involved.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Linux kernel versions containing commits: 599271110c35f6b16e2e4e45b9fbd47ed378c982, 787769c8cc50416af7b8b1a36e6bcd6aaa7680aa, baf664fc90a6139a39a58333e4aaa390c10d45dc, cd25e0d809531a67e9dd53b19012d27d2b13425f
Vendor Advisory: https://git.kernel.org/stable/c/599271110c35f6b16e2e4e45b9fbd47ed378c982
Restart Required: Yes
Instructions:
1. Update Linux kernel to patched version.
2. Rebuild kernel if compiling from source.
3. Reboot system to load new kernel.
🔧 Temporary Workarounds
Disable ksmbd module
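Prevent loading of the vulnerable ksmbd kernel module (Linux). A blacklist entry only stops automatic loading by alias; an explicit modprobe ksmbd still loads the module.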
echo 'blacklist ksmbd' >> /etc/modprobe.d/blacklist-ksmbd.conf
rmmod ksmbd
Limit SMB connections
Reduce maximum concurrent connections to minimize leak impact (Linux)
# Configure in smb.conf: max connections = 100
🧯 If You Can't Patch
- Disable ksmbd SMB server functionality if not required
- Implement network controls to limit SMB connections from untrusted sources
🔍 How to Verify
Check if Vulnerable:
Check if ksmbd module is loaded: lsmod | grep ksmbd
Check Version:
uname -r
Verify Fix Applied:
Verify that the running kernel includes the fix commits: run uname -r, then check that kernel's git history for the commits listed under Official Fix.
📡 Detection & Monitoring
Log Indicators:
- Kernel logs showing memory allocation failures
- ksmbd logs showing abnormal connection handling
Network Indicators:
- Unusual SMB connection patterns
- Repeated failed connection attempts
SIEM Query:
source="kernel" AND "ksmbd" AND ("memory" OR "connection")
🔗 References
- https://git.kernel.org/stable/c/599271110c35f6b16e2e4e45b9fbd47ed378c982
- https://git.kernel.org/stable/c/6dd2645cf080a75be31fa66063c7332b291f46f0
- https://git.kernel.org/stable/c/77ffbcac4e569566d0092d5f22627dfc0896b553
- https://git.kernel.org/stable/c/787769c8cc50416af7b8b1a36e6bcd6aaa7680aa
- https://git.kernel.org/stable/c/7ddd69cd1338c6197e1b6b19cec60d99c8633e4f
- https://git.kernel.org/stable/c/baf664fc90a6139a39a58333e4aaa390c10d45dc
- https://git.kernel.org/stable/c/cd25e0d809531a67e9dd53b19012d27d2b13425f