{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23226", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.987Z", "datePublished": "2026-02-18T14:53:29.562Z", "dateUpdated": "2026-05-11T22:02:45.778Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:02:45.778Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: add chann_lock to protect ksmbd_chann_list xarray\n\nksmbd_chann_list xarray lacks synchronization, allowing use-after-free in\nmulti-channel sessions (between lookup_chann_list() and ksmbd_chann_del).\n\nAdds rw_semaphore chann_lock to struct ksmbd_session and protects\nall xa_load/xa_store/xa_erase accesses."}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH"}}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/smb/server/mgmt/user_session.c", "fs/smb/server/mgmt/user_session.h", "fs/smb/server/smb2pdu.c"], "versions": [{"version": "1d9c4172110e645b383ff13eee759728d74f1a5d", "lessThan": "4c2ca31608521895dd742a43beca4b4d29762345", "status": "affected", "versionType": "git"}, {"version": "1d9c4172110e645b383ff13eee759728d74f1a5d", "lessThan": "e4a8a96a93d08570e0405cfd989a8a07e5b6ff33", "status": "affected", "versionType": "git"}, {"version": "1d9c4172110e645b383ff13eee759728d74f1a5d", "lessThan": "36ef605c0395b94b826a8c8d6f2697071173de6e", "status": "affected", "versionType": "git"}, {"version": "1d9c4172110e645b383ff13eee759728d74f1a5d", "lessThan": "4f3a06cc57976cafa8c6f716646be6c79a99e485", "status": "affected", "versionType": "git"}, {"version": "b1caecbf34b8c8260d851ec4efde71f3694460b7", "status": "affected", "versionType": "git"}, {"version": "91bbf9cb2387a0d76322e9a343bc6bc160f66b3f", "status": "affected", "versionType": "git"}, {"version": "853c416710b075153c1e1421e099ffbe5dac68ce", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/smb/server/mgmt/user_session.c", "fs/smb/server/mgmt/user_session.h", "fs/smb/server/smb2pdu.c"], "versions": [{"version": "6.3", "status": "affected"}, {"version": "0", "lessThan": "6.3", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.77", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.11", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.1", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.3", "versionEndExcluding": "6.12.77"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.3", "versionEndExcluding": "6.18.11"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.3", "versionEndExcluding": "6.19.1"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.3", "versionEndExcluding": "7.0"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15.145"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.1.29"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2.16"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/4c2ca31608521895dd742a43beca4b4d29762345"}, {"url": "https://git.kernel.org/stable/c/e4a8a96a93d08570e0405cfd989a8a07e5b6ff33"}, {"url": "https://git.kernel.org/stable/c/36ef605c0395b94b826a8c8d6f2697071173de6e"}, {"url": "https://git.kernel.org/stable/c/4f3a06cc57976cafa8c6f716646be6c79a99e485"}], "title": "ksmbd: add chann_lock to protect ksmbd_chann_list xarray", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "AEB10F82-E8B1-4BB9-B91C-78490070AF53", "versionEndExcluding": "6.18.11", "versionStartIncluding": "6.3", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "EE543C0D-A06B-414F-A403-CB1E088F261E", "versionEndExcluding": "6.19.1", "versionStartIncluding": "6.19", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: add chann_lock to protect ksmbd_chann_list xarray\n\nksmbd_chann_list xarray lacks synchronization, allowing use-after-free in\nmulti-channel sessions (between lookup_chann_list() and ksmbd_chann_del).\n\nAdds rw_semaphore chann_lock to struct ksmbd_session and protects\nall xa_load/xa_store/xa_erase accesses."}, {"lang": "es", "value": "Se ha resuelto la siguiente vulnerabilidad en el kernel de Linux:\n\nksmbd: a\u00f1adir chann_lock para proteger ksmbd_chann_list xarray\n\nksmbd_chann_list xarray carece de sincronizaci\u00f3n, permitiendo uso despu\u00e9s de liberaci\u00f3n en sesiones multicanal (entre lookup_chann_list() y ksmbd_chann_del).\n\nA\u00f1ade el sem\u00e1foro rw_semaphore chann_lock a la estructura ksmbd_session y protege todos los accesos xa_load/xa_store/xa_erase."}], "id": "CVE-2026-23226", "lastModified": "2026-04-02T15:16:23.970", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-02-18T16:22:32.363", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/36ef605c0395b94b826a8c8d6f2697071173de6e"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/4c2ca31608521895dd742a43beca4b4d29762345"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/4f3a06cc57976cafa8c6f716646be6c79a99e485"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/e4a8a96a93d08570e0405cfd989a8a07e5b6ff33"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: ksmbd: add chann_lock to protect ksmbd_chann_list xarray", "id": "2440675", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2440675"}, "csaw": false, "details": ["No description is available for this CVE."], "name": "CVE-2026-23226", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-02-18T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23226\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23226\nhttps://lore.kernel.org/linux-cve-announce/2026021807-CVE-2026-23226-438c@gregkh/T"]}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,e4a8a96a93d08570e0405cfd989a8a07e5b6ff33)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,36ef605c0395b94b826a8c8d6f2697071173de6e)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.11,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.1,6.20.0)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-15T15:47:48.552099+00:00", "value": {"mitigation_remediation": ["Upgrade the system kernel to a version that includes the ksmbd chann_lock fix (e.g., the kernel commits referenced in the advisory); reboot after the update.", "If an immediate kernel upgrade is not possible, disable the ksmbd SMB service or restrict it to trusted users so that no SMB channels can be created.", "Monitor system logs for kernel panic or abnormal ksmbd activity and configure alerts for memory\u2011corruption or use\u2011after\u2011free indicators."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Linux kernel, specifically the ksmbd SMB daemon present in all distributions that ship a kernel containing this module. No specific version range is provided, but the issue was resolved in recent kernel commits, so any kernel built from those commits onward is protected.", "description_and_impact": "The Linux kernel\u2019s SMB daemon, ksmbd, contains an unsynchronized access to the ksmbd_chann_list xarray. When a channel is looked up with lookup_chann_list() and then deleted with ksmbd_chann_del(), the xarray may be freed while the lookup still holds a reference, causing a use\u2011after\u2011free. This memory corruption can allow an attacker who can influence SMB channel creation to execute arbitrary code in kernel space, potentially escalating privileges or causing a kernel panic. The fix introduces a read\u2011write semaphore, chann_lock, to serialize all xa_load/xa_store/xa_erase operations and eliminate the race.", "risk_and_exploitability": "The flaw carries a high CVSS score of 8.8 yet has an EPSS score below 1%, indicating a low current exploitation probability. It is not listed in the CISA KEV catalog. Inferred from the affected component, the attack vector is likely remote via SMB or local through privileged processes that can create SMB channels. Because there is no official workaround, the only viable mitigation is to apply the kernel update or disable the affected service."}}}}, "created": "2026-02-19T10:11:45.919124+00:00", "updated": "2026-04-15T17:30:10.417262+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}