CVE-2026-52996: ksmbd durable FD leak on ClientGUID mismatch in Durable V2 open

EPSS 0.19% · P9

I. CVE-2026-52996 basic information

Vulnerability information


Vulnerability Title
ksmbd: fix durable fd leak on ClientGUID mismatch in durable v2 open
Source: US National Vulnerability Database (NVD)
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved:

ksmbd: fix durable fd leak on ClientGUID mismatch in durable v2 open

ksmbd_lookup_fd_cguid() returns a ksmbd_file with its refcount incremented via ksmbd_fp_get(). parse_durable_handle_context() in the DURABLE_REQ_V2 case properly releases this reference on every path inside the ClientGUID-match branch, either by calling ksmbd_put_durable_fd() or by transferring ownership to dh_info->fp for a successful reconnect. However, when an entry exists in the global file table with the same CreateGuid but a different ClientGUID, the code simply falls through to the new-open path without dropping the reference obtained from ksmbd_lookup_fd_cguid().

Per MS-SMB2 section 3.3.5.9.10 ("Handling the SMB2_CREATE_DURABLE_HANDLE_REQUEST_V2 Create Context"), the server MUST locate an Open whose Open.CreateGuid matches the request's CreateGuid AND whose Open.ClientGuid matches the ClientGuid of the connection that received the request. If no such Open is found, the server MUST continue with the normal open execution phase.

A CreateGuid hit with a ClientGUID mismatch is therefore the "Open not found" case: proceeding with a new open is correct, but the reference obtained purely as a side effect of the lookup must not be leaked. Repeated requests that hit this mismatch pin global_ft entries, prevent __ksmbd_close_fd() from ever running for the corresponding files, and defeat the durable scavenger, leading to long-lived resource leaks.

Release the reference in the mismatch path and clear dh_info->fp so subsequent logic does not mistake a non-matching lookup result for a reconnect target.
Source: US National Vulnerability Database (NVD)
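As an added illustration of the reference-count contract the description spells out (example code written for this page, not ksmbd's source), the following simplified model keeps a refcounted table entry and compares the pre-fix fall-through with the fixed mismatch path; the struct, table and GUID strings are constructed stand-ins, not kernel definitions.

```c
#include <stdbool.h>
#include <string.h>
/* Simplified model of a global file-table entry; not ksmbd's own struct. */
struct durable_fd {
    char create_guid[16];
    char client_guid[16];
    int refcount;
};
static struct durable_fd table[4]; static int table_len;
/* Lookup by CreateGuid; the hit comes back with refcount already raised,
 * mirroring the ksmbd_lookup_fd_cguid()/ksmbd_fp_get() contract. */
static struct durable_fd *lookup_fd_cguid(const char *create_guid)
{
    for (int i = 0; i < table_len; i++)
        if (memcmp(table[i].create_guid, create_guid, 16) == 0) {
            table[i].refcount++;
            return &table[i];
        }
    return NULL;
}
static void put_durable_fd(struct durable_fd *fp) { fp->refcount--; }
/* Returns the reconnect target (reference ownership passes to the caller)
 * or NULL for a normal new open. leaky=true reproduces the pre-fix path. */
static struct durable_fd *parse_durable_v2(const char *create_guid,
                                           const char *conn_client_guid, bool leaky)
{
    struct durable_fd *fp = lookup_fd_cguid(create_guid);
    if (!fp)
        return NULL;               /* no Open found: normal new open */
    if (memcmp(fp->client_guid, conn_client_guid, 16) == 0)
        return fp;                 /* reconnect: caller now owns the ref */
    /* CreateGuid hit with a ClientGUID mismatch is also "Open not found";
     * the fix drops the lookup reference before falling through. */
    if (!leaky)
        put_durable_fd(fp);
    return NULL;
}
/* Constructed sample: one entry at refcount 1, then a Durable V2 request for its
 * CreateGuid from a connection with a different ClientGUID; returns the refcount. */
int refcount_after_mismatch(bool leaky)
{
    table_len = 1;
    memcpy(table[0].create_guid, "CREATEGUID-0001", 16);
    memcpy(table[0].client_guid, "CLIENTGUID-AAAA", 16);
    table[0].refcount = 1;
    (void)parse_durable_v2("CREATEGUID-0001", "CLIENTGUID-BBBB", leaky);
    return table[0].refcount;
}
```

With the pre-fix path the entry's refcount stays at 2 after the request, so the entry can never be closed; with the fix it returns to 1.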
CVSS Information
N/A
Source: US National Vulnerability Database (NVD)
Vulnerability Type
N/A
Source: US National Vulnerability Database (NVD)

Affected products

Vendor | Product | Affected versions | CPE
Linux | Linux | 8df4bcdb0a4232192b2445256c39b787d58ef14d ~ 407b6e699ba8b45b72cc265eed8a1bc8a7191609 | -
Linux | Linux | 6.9 | -

II. Public PoC for CVE-2026-52996


No public PoC found.


III. Intelligence for CVE-2026-52996


CVE-2026-52996 patches and fixes (5)

Same advisory batch · Linux · 2026-06-24 · 219 items in total

CVE-2026-53046 · 9.8 CRITICAL · ksmbd Qualcomm crypto engine asynchronous encryption UAF vulnerability
CVE-2026-53088 · 9.8 CRITICAL · bcmgenet driver bcmgenet_put_txcb offset error vulnerability
CVE-2026-53010 · 9.8 CRITICAL · ksmbd kernel module use-after-free during SMB2 open durable reconnect
CVE-2026-53006 · 9.8 CRITICAL · Possible UAF in IPv6 icmpv6_rcv()
CVE-2026-53086 · 9.8 CRITICAL · net: bcmgenet fix racy timeout handling
CVE-2026-53002 · 9.8 CRITICAL · netfilter conntrack: remove sprintf usage
CVE-2026-52993 · 9.8 CRITICAL · TIPC tipc_buf_append() double free vulnerability
CVE-2026-52989 · 9.8 CRITICAL · nvmet-tcp: propagate nvmet_tcp_build_pdu_iovec() errors to callers
CVE-2026-52986 · 9.8 CRITICAL · netfilter nf_conntrack_sip vulnerability
CVE-2026-52982 · 9.8 CRITICAL · Realtek RTL8150 NIC use-after-free vulnerability
CVE-2026-53045 · 9.8 CRITICAL · Tegra124 EMC dll_change check vulnerability
CVE-2026-52955 · 9.8 CRITICAL · libceph crush_decode() potential out-of-bounds access vulnerability
CVE-2026-53049 · 9.8 CRITICAL · GFS2 filesystem missing journal locking vulnerability
CVE-2026-52914 · 9.8 CRITICAL · batman-adv fragment reassembly length calculation vulnerability
CVE-2026-52931 · 9.8 CRITICAL · batman-adv tp_meter use of uninitialized variable vulnerability
CVE-2026-52924 · 9.8 CRITICAL · sctp: stale COOKIE-ECHO handling leads to outqueue cleanup
CVE-2026-53055 · 9.8 CRITICAL · HiSilicon SEC2 use-after-free vulnerability
CVE-2026-53043 · 9.1 CRITICAL · OCFS2 DLM queue region count validation flaw
CVE-2026-52999 · 9.1 CRITICAL · netfilter: nfnetlink_osf match option out-of-bounds read vulnerability
CVE-2026-52958 · 9.1 CRITICAL · libceph osdmap_decode() out-of-bounds access vulnerability

Showing the first 20 of 219.

IV. Related Vulnerabilities

V. Comments for CVE-2026-52996

No comments yet.
