HIGH

CVE-2026-53198

Published: June 25, 2026 · Updated: June 30, 2026

8.8 (CVSS v3.1 base score)
EPSS: 0.18% probability of exploitation in 30 days (7.8th percentile)

Official Description

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: fix use-after-free of a deferred file_lock on double SMB2_CANCEL

A deferred byte-range lock (an SMB2_LOCK that blocks) registers an async work on conn->async_requests via setup_async_work(), with cancel_fn = smb2_remove_blocked_lock and cancel_argv[0] pointing at the struct file_lock.

When the request is cancelled, the worker frees the file_lock with locks_free_lock() and takes the cancelled early-exit, which "goto out"s and never reaches release_async_work() -- the only site that unlinks the work from conn->async_requests and clears cancel_fn/cancel_argv. The work therefore stays matchable on async_requests with a live cancel_fn pointing at the freed file_lock, until connection teardown finally runs release_async_work().

smb2_cancel() fires cancel_fn unconditionally with no state guard, so a second SMB2_CANCEL for the same AsyncId, arriving in that window, re-runs smb2_remove_blocked_lock() on the freed file_lock -- a slab use-after-free:

  BUG: KASAN: slab-use-after-free in __locks_delete_block
    __locks_delete_block
    locks_delete_block
    ksmbd_vfs_posix_lock_unblock
    smb2_remove_blocked_lock
    smb2_cancel                 <- 2nd SMB2_CANCEL fires cancel_fn
    handle_ksmbd_work
  Allocated by ...: locks_alloc_lock <- smb2_lock
  Freed by ...:     locks_free_lock  <- smb2_lock (cancelled branch)
  ... cache file_lock_cache of size 192

Reproduced on mainline with KASAN by an authenticated SMB client.

Skip a work whose state is already KSMBD_WORK_CANCELLED so its cancel callback cannot be fired a second time.

NVD Source
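To make the sequence in the description concrete, the following C program is a small model of ksmbd's async-work bookkeeping. It is an added example written for this page, not ksmbd source: the function names follow the commit message, but the structures, the 'freed' poison flag that stands in for KASAN's freed-object tracking, and run_scenario() are simplifications assumed here. run_scenario(0) drives the unpatched smb2_cancel(), which fires cancel_fn on every matching SMB2_CANCEL; run_scenario(1) drives the patched variant, which skips a work already in KSMBD_WORK_CANCELLED. Each returns how many times the callback ran on the freed file_lock.

```c
/* Added example for this page, not ksmbd source: a model of the double
 * SMB2_CANCEL bug. Names follow the commit message; structs, the 'freed'
 * poison flag and run_scenario() are simplifications. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

enum work_state { KSMBD_WORK_ACTIVE, KSMBD_WORK_CANCELLED };

/* Stand-in for struct file_lock: poisoned, not really freed, mid-scenario
 * (keeps the model free of undefined behaviour); the flag plays KASAN. */
struct file_lock { int freed; int blocked; };

struct ksmbd_work {
    uint64_t async_id;
    enum work_state state;
    void (*cancel_fn)(void **argv);
    void *cancel_argv[1];
    struct ksmbd_work *next;            /* linked on conn->async_requests */
};

struct ksmbd_conn { struct ksmbd_work *async_requests; int uaf_hits; };
static struct ksmbd_conn *cur_conn;     /* lets the callback report a hit */

/* cancel_fn registered by a blocking SMB2_LOCK. */
static void smb2_remove_blocked_lock(void **argv)
{
    struct file_lock *fl = argv[0];
    if (fl->freed) { cur_conn->uaf_hits++; return; } /* KASAN: slab-use-after-free */
    fl->blocked = 0;                    /* ksmbd_vfs_posix_lock_unblock() */
}

/* smb2_lock() + setup_async_work(): allocate the lock, register cancel_fn,
 * link the work on the connection. */
static struct ksmbd_work *smb2_lock(struct ksmbd_conn *conn, uint64_t id)
{
    struct file_lock *fl = calloc(1, sizeof *fl);   /* locks_alloc_lock() */
    struct ksmbd_work *w = calloc(1, sizeof *w);
    fl->blocked = 1;
    w->async_id = id;
    w->state = KSMBD_WORK_ACTIVE;
    w->cancel_fn = smb2_remove_blocked_lock;
    w->cancel_argv[0] = fl;
    w->next = conn->async_requests;
    conn->async_requests = w;
    return w;
}

/* Worker's cancelled early exit: locks_free_lock() then "goto out", so
 * release_async_work() never runs and the work stays matchable. */
static void lock_worker_cancelled_exit(struct ksmbd_work *w)
{
    ((struct file_lock *)w->cancel_argv[0])->freed = 1;
}

/* release_async_work(): the only site that unlinks the work and clears
 * cancel_fn/cancel_argv; in the bug it runs only at connection teardown. */
static void release_async_work(struct ksmbd_conn *conn, struct ksmbd_work *w)
{
    struct ksmbd_work **pp = &conn->async_requests;
    while (*pp && *pp != w) pp = &(*pp)->next;
    if (*pp) *pp = w->next;
    w->cancel_fn = NULL;
    w->cancel_argv[0] = NULL;
}

/* smb2_cancel(): fixed == 0 fires cancel_fn on every matching CANCEL;
 * fixed == 1 skips work already in KSMBD_WORK_CANCELLED (the patch). */
static void smb2_cancel(struct ksmbd_conn *conn, uint64_t id, int fixed)
{
    for (struct ksmbd_work *w = conn->async_requests; w; w = w->next) {
        if (w->async_id != id) continue;
        if (fixed && w->state == KSMBD_WORK_CANCELLED)
            return;                     /* callback fires at most once */
        w->state = KSMBD_WORK_CANCELLED;
        if (w->cancel_fn) w->cancel_fn(w->cancel_argv);
        return;
    }
}

/* LOCK -> CANCEL -> worker frees the lock -> CANCEL again -> teardown.
 * Returns how many times cancel_fn ran on the freed file_lock. */
int run_scenario(int fixed)
{
    struct ksmbd_conn conn = { 0 };
    cur_conn = &conn;
    struct ksmbd_work *w = smb2_lock(&conn, 0x1234);
    struct file_lock *fl = w->cancel_argv[0];
    smb2_cancel(&conn, 0x1234, fixed);  /* 1st CANCEL: legitimate unblock */
    lock_worker_cancelled_exit(w);      /* lock freed, work still linked */
    smb2_cancel(&conn, 0x1234, fixed);  /* 2nd CANCEL inside the window */
    release_async_work(&conn, w);       /* connection teardown */
    free(fl);
    free(w);
    return conn.uaf_hits;
}

int main(void)
{
    printf("vulnerable: %d hit(s), fixed: %d hit(s)\n", run_scenario(0), run_scenario(1));
    return 0;
}
```

The model shows why the window is attacker-controlled: nothing between the worker's early exit and connection teardown touches the stale entry, so the client simply keeps the session open and sends the second SMB2_CANCEL whenever it likes. The one-line state guard is sufficient because smb2_cancel() is the only path that consults cancel_fn before teardown.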

Technical Analysis

CVE-2026-53198 is reachable over the network: the trigger is ordinary SMB2 traffic (a blocking SMB2_LOCK followed by two SMB2_CANCEL requests for the same AsyncId) sent to a host running the Linux in-kernel SMB server, ksmbd. No physical or adjacent access is needed. Hosts that do not load the ksmbd module are not affected; ksmbd is distinct from the userspace Samba server.

Exploitation requires low privileges: the bug was reproduced by an authenticated SMB client, so any account that can authenticate to the ksmbd share is sufficient. The stale async work survives until the connection is torn down, and the client decides when that happens, so the timing window is not a practical obstacle.

The demonstrated effect is a slab use-after-free of a struct file_lock in kernel context (the KASAN report in the description), which at minimum lets an authenticated client crash the server kernel. The CVSS v3.1 vector rates confidentiality, integrity and availability impact as High (base score 8.8) because a kernel use-after-free with client-controlled timing is the usual starting point for memory corruption and privilege escalation; this page documents no public exploit beyond the KASAN reproduction.

CVSS v3.1 Vector Breakdown

Exploitability
  Attack Vector: Network
  Attack Complexity: Low
  Privileges Required: Low
  User Interaction: None
  Scope: Unchanged
Impact
  Confidentiality: High
  Integrity: High
  Availability: High
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected Vendors & Products

Mentioned vendors (from description):
Linux
CPE data not yet available in NVD for this CVE.

Exploit & PoC Resources

NO KNOWN EXPLOIT: no public exploit confirmed at this time

All References (6)

Quick Facts

CVE ID: CVE-2026-53198
CVSS Score: 8.8 / 10
Severity: HIGH
CISA KEV: No
EPSS (30d): 0.18%
Published: Jun 25, 2026

Recommended Actions

  • Update to a kernel that carries the ksmbd fix (smb2_cancel() skipping work already in KSMBD_WORK_CANCELLED). No fixed version or CPE range is listed for this CVE yet, so check your distribution's advisory for CVE-2026-53198.
  • Confirm whether the host runs the in-kernel SMB server at all: if the ksmbd module is not loaded (no /sys/module/ksmbd entry, not listed by lsmod), the bug is not reachable. Until patched, unload ksmbd where it is not needed and restrict which accounts and networks can authenticate to it, since the trigger needs an authenticated client.
  • Monitor CVE-2026-53198 in threat intel feeds and watch for a CISA KEV listing.
  • Review IDS/IPS coverage for the trigger pattern: a blocking SMB2_LOCK followed by repeated SMB2_CANCEL requests carrying the same AsyncId on one session.
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.