{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23228", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.988Z", "datePublished": "2026-02-18T14:53:31.882Z", "dateUpdated": "2026-05-11T22:02:48.098Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:02:48.098Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: server: fix leak of active_num_conn in ksmbd_tcp_new_connection()\n\nOn kthread_run() failure in ksmbd_tcp_new_connection(), the transport is\nfreed via free_transport(), which does not decrement active_num_conn,\nleaking this counter.\n\nReplace free_transport() with ksmbd_tcp_disconnect()."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/smb/server/transport_tcp.c"], "versions": [{"version": "4210c3555db4b38bade92331b153e583261f05f9", "lessThan": "6dd2645cf080a75be31fa66063c7332b291f46f0", "status": "affected", "versionType": "git"}, {"version": "d5d7847e57ac69fa99c18b363a34419bcdb5a281", "lessThan": "7ddd69cd1338c6197e1b6b19cec60d99c8633e4f", "status": "affected", "versionType": "git"}, {"version": "0d0d4680db22eda1eea785c47bbf66a9b33a8b16", "lessThan": "787769c8cc50416af7b8b1a36e6bcd6aaa7680aa", "status": "affected", "versionType": "git"}, {"version": "0d0d4680db22eda1eea785c47bbf66a9b33a8b16", "lessThan": "baf664fc90a6139a39a58333e4aaa390c10d45dc", "status": "affected", "versionType": "git"}, {"version": "0d0d4680db22eda1eea785c47bbf66a9b33a8b16", "lessThan": "cd25e0d809531a67e9dd53b19012d27d2b13425f", "status": "affected", "versionType": "git"}, {"version": "0d0d4680db22eda1eea785c47bbf66a9b33a8b16", "lessThan": "599271110c35f6b16e2e4e45b9fbd47ed378c982", "status": "affected", "versionType": "git"}, {"version": "0d0d4680db22eda1eea785c47bbf66a9b33a8b16", "lessThan": "77ffbcac4e569566d0092d5f22627dfc0896b553", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/smb/server/transport_tcp.c"], "versions": [{"version": "6.2", "status": "affected"}, {"version": "0", "lessThan": "6.2", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.201", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.164", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.125", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.72", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.11", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.1", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15.91", "versionEndExcluding": "5.15.201"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.1.9", "versionEndExcluding": "6.1.164"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.6.125"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.12.72"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.18.11"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.19.1"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/6dd2645cf080a75be31fa66063c7332b291f46f0"}, {"url": "https://git.kernel.org/stable/c/7ddd69cd1338c6197e1b6b19cec60d99c8633e4f"}, {"url": "https://git.kernel.org/stable/c/787769c8cc50416af7b8b1a36e6bcd6aaa7680aa"}, {"url": "https://git.kernel.org/stable/c/baf664fc90a6139a39a58333e4aaa390c10d45dc"}, {"url": "https://git.kernel.org/stable/c/cd25e0d809531a67e9dd53b19012d27d2b13425f"}, {"url": "https://git.kernel.org/stable/c/599271110c35f6b16e2e4e45b9fbd47ed378c982"}, {"url": "https://git.kernel.org/stable/c/77ffbcac4e569566d0092d5f22627dfc0896b553"}], "title": "smb: server: fix leak of active_num_conn in ksmbd_tcp_new_connection()", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "B4CE856B-671A-4621-8864-5561EACEB2A7", "versionEndExcluding": "5.15.201", "versionStartIncluding": "5.15.91", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "93CFF50A-DA46-44D1-8D94-5C693DC7ABCD", "versionEndExcluding": "6.1.164", "versionStartIncluding": "6.1.9", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "87706C18-D700-417C-875D-10399E30077D", "versionEndExcluding": "6.6.125", "versionStartIncluding": "6.2.1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "F1A7E514-FB3C-4B6B-8046-07D5A8F04644", "versionEndExcluding": "6.12.72", "versionStartIncluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "7099A9EC-3D54-4424-BF01-7224EF88C79C", "versionEndExcluding": "6.18.11", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "EE543C0D-A06B-414F-A403-CB1E088F261E", "versionEndExcluding": "6.19.1", "versionStartIncluding": "6.19", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.2:-:*:*:*:*:*:*", "matchCriteriaId": "3ADCCCEE-143A-4B48-9B2A-0CB97BD385DE", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.2:rc6:*:*:*:*:*:*", "matchCriteriaId": "4AB8D555-648E-4F2F-98BD-3E7F45BD12A8", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.2:rc7:*:*:*:*:*:*", "matchCriteriaId": "C64BDD9D-C663-4E75-AE06-356EDC392B82", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.2:rc8:*:*:*:*:*:*", "matchCriteriaId": "26544390-88E4-41CA-98BF-7BB1E9D4E243", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: server: fix leak of active_num_conn in ksmbd_tcp_new_connection()\n\nOn kthread_run() failure in ksmbd_tcp_new_connection(), the transport is\nfreed via free_transport(), which does not decrement active_num_conn,\nleaking this counter.\n\nReplace free_transport() with ksmbd_tcp_disconnect()."}, {"lang": "es", "value": "Se ha resuelto la siguiente vulnerabilidad en el kernel de Linux:\n\nsmb: servidor: corregir fuga de active_num_conn en ksmbd_tcp_new_connection()\n\nEn caso de fallo de kthread_run() en ksmbd_tcp_new_connection(), se libera el transporte a trav\u00e9s de free_transport(), lo que no decrementa active_num_conn, fugando este contador.\n\nReemplazar free_transport() con ksmbd_tcp_disconnect()."}], "id": "CVE-2026-23228", "lastModified": "2026-03-18T13:27:53.357", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-02-18T16:22:32.580", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/599271110c35f6b16e2e4e45b9fbd47ed378c982"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/6dd2645cf080a75be31fa66063c7332b291f46f0"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/77ffbcac4e569566d0092d5f22627dfc0896b553"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/787769c8cc50416af7b8b1a36e6bcd6aaa7680aa"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/7ddd69cd1338c6197e1b6b19cec60d99c8633e4f"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/baf664fc90a6139a39a58333e4aaa390c10d45dc"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/cd25e0d809531a67e9dd53b19012d27d2b13425f"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-401"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: smb: server: fix leak of active_num_conn in ksmbd_tcp_new_connection()", "id": "2440657", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2440657"}, "csaw": false, "details": ["No description is available for this CVE."], "name": "CVE-2026-23228", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-02-18T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23228\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23228\nhttps://lore.kernel.org/linux-cve-announce/2026021807-CVE-2026-23228-647c@gregkh/T"]}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,787769c8cc50416af7b8b1a36e6bcd6aaa7680aa)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,baf664fc90a6139a39a58333e4aaa390c10d45dc)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,cd25e0d809531a67e9dd53b19012d27d2b13425f)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,599271110c35f6b16e2e4e45b9fbd47ed378c982)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.6.125,6.6.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.72,6.12.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.11,6.18.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.1,6.19.*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-15T16:15:52.888596+00:00", "value": {"mitigation_remediation": ["Update to the latest Linux kernel version that includes the patch replacing free_transport() with ksmbd_tcp_disconnect(), which decrements active_num_conn correctly.", "Configure the SMB server or underlying system to limit the maximum number of concurrent SMB connections, thereby preventing potential resource exhaustion if the counter continues to rise.", "Continuously monitor system logs for repeated kthread_run failures and active connection count anomalies, and investigate any configuration or application that may be causing persistent failures."], "summary": {"action": "Patch", "impact": "Denial of Service via Active Connections Counter Leak"}, "threat_synthesis": {"affected_systems": "The vulnerability applies to the Linux kernel\u2019s SMB server (ksmbd) across all kernel versions that shipped the buggy implementation, including the 6.2 release candidates (rc6, rc7, rc8) and older kernels. Vendors affected are the generic Linux kernel maintainers; any distribution using a kernel before the fix will be impacted.", "description_and_impact": "The Linux kernel SMB (ksmbd) server has a memory leak that occurs when the function ksmbd_tcp_new_connection() fails during kthread_run(). In this scenario, the transport object is freed with free_transport(), but the active_num_conn counter is not decremented, causing the counter to grow unchecked. This bug falls under CWE\u2011401 (Memory Leak) and can lead to incorrect accounting of active SMB connections. If left unresolved, the server may report an inflated number of active connections, potentially refusing new connections or exhausting system resources, which manifests as a denial\u2011of\u2011service condition for legitimate clients.", "risk_and_exploitability": "The CVSS score of 5.5 indicates moderate severity, and the EPSS score is less than 1%, implying a very low probability of exploitation and no publicly reported attacks (not listed in the CISA KEV catalog). Based on the description, it is inferred that a malicious SMB client could trigger the failure path, giving attackers a remote attack vector, but no detailed exploitation steps are provided beyond inducing resource exhaustion. Consequently, the main risk is a Denial of Service if an attacker repeatedly induces kthread_run failures, causing the active connection counter to inflate and the server to refuse new connections."}}}}, "created": "2026-02-19T10:11:44.355110+00:00", "updated": "2026-04-15T17:30:10.404136+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}