{
  "id": "CVE-2024-53186",
  "summary": "ksmbd: fix use-after-free in SMB request handling",
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix use-after-free in SMB request handling\n\nA race condition exists between SMB request handling in\n`ksmbd_conn_handler_loop()` and the freeing of `ksmbd_conn` in the\nworkqueue handler `handle_ksmbd_work()`. This leads to a UAF.\n- KASAN: slab-use-after-free Read in handle_ksmbd_work\n- KASAN: slab-use-after-free in rtlock_slowlock_locked\n\nThis race condition arises as follows:\n- `ksmbd_conn_handler_loop()` waits for `conn->r_count` to reach zero:\n  `wait_event(conn->r_count_q, atomic_read(&conn->r_count) == 0);`\n- Meanwhile, `handle_ksmbd_work()` decrements `conn->r_count` using\n  `atomic_dec_return(&conn->r_count)`, and if it reaches zero, calls\n  `ksmbd_conn_free()`, which frees `conn`.\n- However, after `handle_ksmbd_work()` decrements `conn->r_count`,\n  it may still access `conn->r_count_q` in the following line:\n  `waitqueue_active(&conn->r_count_q)` or `wake_up(&conn->r_count_q)`\n  This results in a UAF, as `conn` has already been freed.\n\nThe discovery of this UAF can be referenced in the following PR for\nsyzkaller's support for SMB requests.",
  "modified": "2026-04-02T12:22:59.988262Z",
  "published": "2024-12-27T13:49:29.215Z",
  "database_specific": {
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/53xxx/CVE-2024-53186.json"
  },
  "references": [
    { "type": "WEB", "url": "https://git.kernel.org/stable/c/96261adb998a3b513468b6ce17dbec76be5507d4" },
    { "type": "WEB", "url": "https://git.kernel.org/stable/c/9a8c5d89d327ff58e9b2517f8a6afb4181d32c6e" },
    { "type": "WEB", "url": "https://git.kernel.org/stable/c/a96f9eb7add30ba0fafcfe7b7aca090978196800" },
    { "type": "WEB", "url": "https://git.kernel.org/stable/c/f20b77f7897e6aab9ce5527e6016ad2be5d70a33" },
    { "type": "ADVISORY", "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/53xxx/CVE-2024-53186.json" },
    { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-53186" },
    { "type": "PACKAGE", "url": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git" }
  ],
  "affected": [
    {
      "ranges": [
        {
          "type": "GIT",
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "events": [
            { "introduced": "18f06bacc197d4ac9b518ad1c69999bc3d83e7aa" },
            { "fixed": "a96f9eb7add30ba0fafcfe7b7aca090978196800" }
          ]
        },
        {
          "type": "GIT",
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "events": [
            { "introduced": "e9dac92f4482a382e8c0fe1bc243da5fc3526b0c" },
            { "fixed": "f20b77f7897e6aab9ce5527e6016ad2be5d70a33" }
          ]
        },
        {
          "type": "GIT",
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "events": [
            { "introduced": "ee426bfb9d09b29987369b897fe9b6485ac2be27" },
            { "fixed": "96261adb998a3b513468b6ce17dbec76be5507d4" },
            { "fixed": "9a8c5d89d327ff58e9b2517f8a6afb4181d32c6e" }
          ]
        },
        {
          "type": "GIT",
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "events": [
            { "introduced": "0" },
            { "last_affected": "9fd3cde4628bcd3549ab95061f2bab74d2ed4f3b" }
          ]
        }
      ],
      "database_specific": {
        "source": "https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-53186.json"
      }
    }
  ],
  "schema_version": "1.7.5",
  "severity": [
    { "type": "CVSS_V3", "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }
  ]
}
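The race in the details field, as an added userspace C model; this is illustration code written for this page, not ksmbd code and not the upstream fix. It keeps the advisory's names (`r_count`, `r_count_q`, the worker and the handler loop), drives the interleaving explicitly instead of with threads so the outcome is reproducible, and replaces `kfree(conn)` with a `freed` flag so the after-free touch is counted rather than executed. The refcounted "hardened" mode is an assumed fix pattern added for contrast (the worker holds a reference on `conn` across its wake-up), not a statement about what the kernel patch does.

```c
/*
 * Added model of the race in CVE-2024-53186 (illustration, not ksmbd code).
 * Worker  = handle_ksmbd_work(): drops r_count, then touches r_count_q.
 * Loop    = ksmbd_conn_handler_loop(): waits for r_count == 0, releases conn.
 * "hardened" = assumed fix pattern (worker holds a ref across the wake-up).
 */
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>

struct conn {
    atomic_int r_count;   /* requests in flight (field name from the advisory) */
    atomic_int refcnt;    /* assumed hardening: holders of the object */
    bool hardened;        /* false = vulnerable ordering, true = refcounted */
    bool freed;           /* model-only stand-in for kfree(conn) */
    bool loop_done;       /* the loop's exit path runs once */
    int  wakeups;         /* model-only: wake_up() calls that landed */
    int  uaf;             /* model-only: touches of conn after "free" */
};

struct outcome { int uaf; bool freed; int wakeups; };

enum step { WORKER_DEC, WORKER_WAKE, LOOP_WAIT_AND_RELEASE };

/* Vulnerable mode frees unconditionally; hardened mode frees on last ref. */
static void conn_release(struct conn *c)
{
    if (!c->hardened || atomic_fetch_sub(&c->refcnt, 1) == 1)
        c->freed = true;                 /* kfree(conn) in the kernel */
}

/* Any access to conn after it was freed is the bug being modelled. */
static bool touch(struct conn *c)
{
    if (c->freed)
        c->uaf++;
    return !c->freed;
}

/* handle_ksmbd_work(): atomic_dec_return(&conn->r_count) */
static void worker_dec(struct conn *c)
{
    if (c->hardened)
        atomic_fetch_add(&c->refcnt, 1); /* keep conn alive past the wake-up */
    atomic_fetch_sub(&c->r_count, 1);
}

/* handle_ksmbd_work(): waitqueue_active()/wake_up() on conn->r_count_q */
static void worker_wake(struct conn *c)
{
    if (touch(c) && atomic_load(&c->r_count) == 0)
        c->wakeups++;
    if (c->hardened)
        conn_release(c);                 /* drop the worker's reference */
}

/* ksmbd_conn_handler_loop(): wait_event(r_count == 0), then release conn */
static void loop_wait_and_release(struct conn *c)
{
    if (c->loop_done || atomic_load(&c->r_count) != 0)
        return;                          /* still sleeping on r_count_q */
    c->loop_done = true;
    conn_release(c);                     /* the loop's own reference */
}

/* Run one interleaving with a single request in flight. */
static struct outcome run_schedule(bool hardened, const enum step *s, size_t n)
{
    struct conn c = { .hardened = hardened };
    atomic_init(&c.r_count, 1);
    atomic_init(&c.refcnt, 1);           /* held by the loop */
    for (size_t i = 0; i < n; i++) {
        switch (s[i]) {
        case WORKER_DEC:            worker_dec(&c); break;
        case WORKER_WAKE:           worker_wake(&c); break;
        case LOOP_WAIT_AND_RELEASE: loop_wait_and_release(&c); break;
        }
    }
    return (struct outcome){ c.uaf, c.freed, c.wakeups };
}

/* Losing interleaving: the loop observes zero between the worker's
 * decrement and its wake-up and releases conn inside that window. */
static struct outcome racy(bool hardened)
{
    const enum step s[] = { WORKER_DEC, LOOP_WAIT_AND_RELEASE, WORKER_WAKE };
    return run_schedule(hardened, s, 3);
}

/* Benign interleaving: the worker finishes its wake-up before the loop runs. */
static struct outcome benign(bool hardened)
{
    const enum step s[] = { WORKER_DEC, WORKER_WAKE, LOOP_WAIT_AND_RELEASE };
    return run_schedule(hardened, s, 3);
}
```

`racy(false)` reproduces the advisory's ordering: the worker's decrement brings `r_count` to zero, the loop's `wait_event` condition becomes true and `conn` is released, and the worker's subsequent `wake_up(&conn->r_count_q)` lands on freed memory (`uaf == 1`, no wake-up delivered). `racy(true)` runs the same schedule but the worker's extra reference keeps the object alive until after its last touch, so the wake-up is delivered and the final release is the one that frees. Whatever the real fix looks like, this is the property to check in review: nothing may touch `conn` after the store that lets the other side free it.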