9.8

CVE-2026-53046

ksmbd: fix use-after-free from async crypto on Qualcomm crypto engine

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: fix use-after-free from async crypto on Qualcomm crypto engine

ksmbd_crypt_message() sets a NULL completion callback on AEAD requests
and does not handle the -EINPROGRESS return code from async hardware
crypto engines like the Qualcomm Crypto Engine (QCE). When QCE returns
-EINPROGRESS, ksmbd treats it as an error and immediately frees the
request while the hardware DMA operation is still in flight. The DMA
completion callback then dereferences freed memory, causing a NULL
pointer crash:

  pc : qce_skcipher_done+0x24/0x174
  lr : vchan_complete+0x230/0x27c
  ...
  el1h_64_irq+0x68/0x6c
  ksmbd_free_work_struct+0x20/0x118 [ksmbd]
  ksmbd_exit_file_cache+0x694/0xa4c [ksmbd]

Use the standard crypto_wait_req() pattern with crypto_req_done() as
the completion callback, matching the approach used by the SMB client
in fs/smb/client/smb2ops.c. This properly handles both synchronous
engines (immediate return) and async engines (-EINPROGRESS followed
by callback notification).
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
HerstellerLinux
Produkt Linux
Default Statusunaffected
Version e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9
Version < 57b47231055b431ed0a1a55f33cac32981564405
Status affected
Version e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9
Version < cc2da381875d4a67026e4c8feb3dba51a2a2d1bc
Status affected
Version e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9
Version < 8fcefe840fa8c14ce667768e5b043286ac3bbcbe
Status affected
Version e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9
Version < 8ef183216feaa24b66b940510d8b68f680eb56e9
Status affected
Version e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9
Version < 7164b3953cefd540e7ebca828c793bc6869cfbc4
Status affected
Version e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9
Version < b46aa129fa2807bfe1545fe74d9295d53c51520b
Status affected
Version e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9
Version < 3e298897f41c61450c2e7a4f457e8b2485eb35b3
Status affected
HerstellerLinux
Produkt Linux
Default Statusaffected
Version 5.15
Status affected
Version 0
Version < 5.15
Status unaffected
Version <= 5.15.*
Version 5.15.209
Status unaffected
Version <= 6.1.*
Version 6.1.175
Status unaffected
Version <= 6.6.*
Version 6.6.141
Status unaffected
Version <= 6.12.*
Version 6.12.91
Status unaffected
Version <= 6.18.*
Version 6.18.33
Status unaffected
Version <= 7.0.*
Version 7.0.10
Status unaffected
Version <= *
Version 7.1
Status unaffected
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.53% 0.408
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
416baaa9-dc9f-4396-8d5f-8c081fb06d67 9.8 3.9 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Es wurden noch keine Informationen zu CWE veröffentlicht.
https://git.kernel.org/stable/c/57b47231055b431ed0a1a55f33cac32981564405
https://git.kernel.org/stable/c/cc2da381875d4a67026e4c8feb3dba51a2a2d1bc
https://git.kernel.org/stable/c/8fcefe840fa8c14ce667768e5b043286ac3bbcbe
https://git.kernel.org/stable/c/8ef183216feaa24b66b940510d8b68f680eb56e9
https://git.kernel.org/stable/c/7164b3953cefd540e7ebca828c793bc6869cfbc4
https://git.kernel.org/stable/c/b46aa129fa2807bfe1545fe74d9295d53c51520b
https://git.kernel.org/stable/c/3e298897f41c61450c2e7a4f457e8b2485eb35b3