External risk intelligence

Linux Kernel SMB Client UAF and Double Free Vulnerability

CVE advisory

Severity: CRITICAL (CVSS 9.8)

CVE-2026-45972

A flaw in the Linux kernel's SMB client can lead to memory corruption, potentially causing instability or compromise. This vulnerability is relevant if the SMB client functionality is exposed or used in your environment. The issue is resolved in newer kernel versions.

Halo Surface Signal: 2

Use After Free

Linux Kernel

  • 6.1.163 to before 6.1.165
  • 6.6.124 to before 6.6.128
  • 6.12.70 to before 6.12.75
  • 6.18.10 to before 6.18.14
  • 6.19.1 to before 6.19.4
  • 6.19

External exposure likelihood

Halo Surface Signal score for CVE-2026-45972

This vulnerability exists in the Linux kernel's SMB client implementation. While SMB clients are used across various systems, they are typically internal or controlled components. Public internet exposure of an SMB client is uncommon and generally restricted to specific, non-standard use cases, as SMB is traditionally designed for private, internal network communication.

PCI scan relevance

PCI Relevance for CVE-2026-45972

Yes

CVE-2026-45972 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This critical vulnerability in the Linux kernel's SMB client affects file handling, potentially leading to crashes or data corruption. It is relevant for PCI compliance due to its severe impact and network-exploitable nature.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

This advisory addresses a critical vulnerability in the Linux kernel's SMB client component. The issue, which has been resolved, could lead to system instability or compromise if exploited. The main concern is to confirm whether this specific kernel functionality is in use in your environment.

  • A Linux kernel flaw could impact system stability.
  • Understand its use to confirm relevance and exposure.
  • Verify whether your Linux kernel implementation is affected.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this vulnerability by initiating a network connection to a vulnerable Linux kernel's SMB client. That access lets them interact with the `smb2_open_file()` function and trigger a race condition. If successful, this could lead to memory corruption, potentially allowing the attacker to execute arbitrary code.

  • Entry condition: Network access to the SMB client.
  • Trigger point: Initiating an SMB2 open file operation.
  • Resulting risk: Memory corruption, code execution.

Live Threat

Current exploitation, exposure, and threat context

The Linux kernel's SMB client component, when handling SMB2 open file operations, could be susceptible to a use-after-free or double-free vulnerability. This could occur under specific error conditions during the SMB2_open() process when certain retry mechanisms are involved.

  • Kernel SMB client memory corruption.
  • Error handling in file open operations.
  • Potential system instability or crashes.

Operational Fix

Recommended remediation, mitigation, and detection steps

This critical vulnerability in the Linux kernel's SMB client impacts systems utilizing this functionality. Identifying affected systems, assessing their reachability and business criticality, and locating the accountable owner are the immediate priorities. Remediation planning should then be risk-based, potentially involving coordination with vendors if applicable.

  • Linux infrastructure and platform teams own resolution.
  • Verify SMB client reachability and business criticality.
  • Plan remediation based on identified risk.


Frequently asked questions

What is the Linux kernel's SMB client?

The Linux kernel SMB client allows a computer to access files and services hosted on Windows-based or Samba-based file servers. It acts as the bridge that enables a Linux system to mount network drives, making remote file storage appear as if it were a local folder on your computer's own filesystem.

What is the vulnerability in CVE-2026-45972?

This vulnerability is a memory management flaw categorized as CWE-416, also known as a use-after-free. It occurs in the kernel's SMB2 file-opening process. When an error triggers a retry mechanism, the software fails to properly clear certain data structures, leading to a state where the kernel may incorrectly access or attempt to delete memory that it has already released, potentially causing system crashes.

How can an attacker trigger this bug?

The vulnerability is triggered during a network interaction. An attacker would need to initiate a connection to the system acting as an SMB client and then trigger a specific failure condition during the file-opening process. It does not occur during successful file operations; the flaw is specifically tied to the error-handling path within the retry logic of the SMB2_open() function.

Is my system at risk according to Halo Surface Signal?

Halo Surface Signal identifies this risk as unlikely for most setups. While the flaw is network-accessible, the SMB client is typically designed for private, internal networks. Public internet exposure of a Linux machine acting as an SMB client is uncommon, so systems restricted to internal communications are generally at much lower risk than those with broad, uncontrolled network access.

What should I do if I run affected Linux kernels?

First, identify which systems in your environment are running the affected kernel versions. Once you have an inventory, coordinate with your infrastructure or platform teams to prioritize updates. Since this involves the core kernel, remediation usually requires patching the operating system and performing a system restart to apply the fix for this specific memory handling flaw.
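A first-pass inventory check for the step above, as an added example that is not part of the original advisory: it compares `uname -r` strings against the version ranges listed on this page and looks for kernel SMB client mounts (`cifs` or `smb3`) in `/proc/mounts` text. The host names and sample data are constructed, the function names are hypothetical, and reading the page's bare "6.19" entry as exactly release 6.19 is an assumption.

```python
import re

# Affected upstream ranges from this page: (first affected, first fixed).
AFFECTED_RANGES = [
    ((6, 1, 163), (6, 1, 165)),
    ((6, 6, 124), (6, 6, 128)),
    ((6, 12, 70), (6, 12, 75)),
    ((6, 18, 10), (6, 18, 14)),
    ((6, 19, 1), (6, 19, 4)),
    # Assumption: the page's bare "6.19" entry means exactly release 6.19(.0).
    ((6, 19, 0), (6, 19, 1)),
]

# Constructed sample inventory: host -> (`uname -r` output, /proc/mounts text).
SAMPLE = {
    "build01": ("6.6.125-generic", "//fs01/share /mnt/share cifs rw,vers=3.1.1 0 0\n"),
    "web02": ("6.12.72", "/dev/sda1 / ext4 rw,relatime 0 0\n"),
    "db03": ("6.6.128-generic", "//fs01/db /mnt/db smb3 rw 0 0\n"),
}

def parse_release(release):
    """Turn a `uname -r` string such as '6.6.125-generic' into (6, 6, 125)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return tuple(int(g or 0) for g in m.groups())

def in_affected_range(release):
    v = parse_release(release)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)

def smb_client_mounts(proc_mounts):
    """Return (source, mountpoint) pairs for cifs/smb3 mounts in /proc/mounts text."""
    found = []
    for line in proc_mounts.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[2] in ("cifs", "smb3"):
            found.append((fields[0], fields[1]))
    return found

def triage(release, proc_mounts):
    """Rank a host: version in a listed range, and SMB client actually in use."""
    hit = in_affected_range(release)
    mounts = smb_client_mounts(proc_mounts)
    if not hit:
        return "not-in-listed-range"
    return "prioritise" if mounts else "patch"

if __name__ == "__main__":
    for host, (release, mounts) in sorted(SAMPLE.items()):
        print(host, release, triage(release, mounts))
```

Distribution kernels often carry backported fixes under their own version strings, so treat `not-in-listed-range` as "not matched" rather than "unaffected" and confirm against the vendor's advisory.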
