CVE-2026-53271
MediumCVSS 5.5Exploitation Probability (EPSS)
Low risk6th percentile — higher than 6% of all known CVEs
Summary
In the Linux kernel, a NULL pointer dereference vulnerability was found in the ksmbd module. The smb2_oplock_break_noti() and smb2_lease_break_noti() functions read opinfo->conn without proper protection, which can be exploited by a remote attacker to trigger a kernel oops via an SMB2 LOGOFF request.
Risk Assessment
A remote attacker can cause a kernel oops by sending a crafted SMB2 LOGOFF request, leading to denial of service of the ksmbd service and potential loss of access to shared resources.
Recommendation
Immediately update the Linux kernel to a version containing the fix that adds READ_ONCE() and a NULL check before using opinfo->conn in the oplock/lease break notification functions.
Original NVD description (English source)
In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix NULL-deref of opinfo->conn in oplock/lease break notifiers smb2_oplock_break_noti() and smb2_lease_break_noti() read opinfo->conn into a local with neither READ_ONCE() nor a NULL check. Both run from oplock_break() after opinfo_get_list() has dropped ci->m_lock, so a concurrent SMB2 LOGOFF (session_fd_check()) can set op->conn = NULL under ci->m_lock within that window. ksmbd_conn_r_count_inc(conn) then writes through NULL at offset 0xc4 -- a remotely triggerable oops. Guard both reads the way compare_guid_key() already does: read opinfo->conn with READ_ONCE() and return early if it is NULL, before allocating the work struct so nothing leaks. A NULL conn means the client is gone and the break is moot, so return 0; oplock_break() treats that as success and runs the normal teardown.

