APPLIED[HWE-6.17]/Cmnt: [SRU][Q][PATCH 0/1] CVE-2026-43379
Stefan Bader
stefan.bader at canonical.com
Tue Jul 14 13:47:02 UTC 2026
On 23/06/2026 05:34, Cengiz Can via kernel-team wrote:
> https://ubuntu.com/security/CVE-2026-43379
>
> [ Impact ]
>
> In ksmbd, smb_lazy_parent_lease_break_close() accesses the opinfo pointer
> obtained via rcu_dereference(fp->f_opinfo) after rcu_read_unlock() has already
> been called. This creates a race condition where a concurrent writer can free
> the memory between the unlock and the subsequent pointer dereferences
> (opinfo->is_lease, etc.), leading to a use-after-free. As ksmbd is an in-kernel
> SMB server processing network requests, this flaw could be triggered remotely
> to corrupt memory or crash the system.
>
> [ Fix ]
>
> questing: clean cherry-pick
>
> [ Test Plan ]
>
> Boot tested.
>
> [ Where Problems Could Occur ]
>
> A regression in this fix could affect the ksmbd lease break handling path,
> potentially causing incorrect lease state transitions or new locking issues
> when clients access shared files concurrently over SMB.
>
Applied to noble:linux-hwe-6.17/hwe-6.17-next. Thanks.
-Stefan
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_0xE8675DEECBEECEA3.asc
Type: application/pgp-keys
Size: 52669 bytes
Desc: OpenPGP public key
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20260714/99ffd898/attachment-0001.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20260714/99ffd898/attachment-0001.sig>
More information about the kernel-team
mailing list