Steve French

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.6.52 **Description** The vulnerability is related to a use-after-free issue in the `smb2 set path size()` function. When `smb2 compound op()` is called with a valid `@cfile` and returns `-EINVAL`, the reference to `@cfile` is dropped, but the function may retry the operation without calling `cifs get writable path()` first. This can lead to a slab-use-after-free error, as seen in the KASAN splat when running `fstests` generic/013 against Windows Server 2022. **Recommendations** To resolve the issue, update the Linux kernel to version 6.6.52 or later. As a temporary workaround, consider disabling the `smb2 set path size()` function until a patch is available. However, this may have unintended consequences and should be carefully evaluated before implementation. Note: The provided information does not specify the exact vulnerable versions, but it mentions that the issue is fixed in Linux kernel version 6.6.52. Therefore, it is assumed that versions prior to 6.6.52 are vulnerable.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to a null pointer dereference error in the ksmbd component of the Linux kernel. This error occurs when a reused connection is used for a binding session, and the `conn->binding` remains true, causing `generate preauth hash()` not to set `sess->Preauth HashValue`, which is then used as a material to create an encryption key in `ksmbd gen smb311 encryptionkey()`. This results in a null pointer dereference error from `crypto shash update()`. The vulnerability can lead to a kernel NULL pointer dereference. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to the `smb2 async writev()` function in the Linux kernel, which is responsible for handling server re-repick on subrequest retry. When a subrequest is marked for needing retry, `netfs` will call `cifs prepare write()`, which makes `cifs` repick the server for the operation before renegotiating credits. This can lead to misaccounting if a different server is selected. The problem manifests as a warning and may be triggered by running certain xfstests against an Azure server in multichannel mode. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.6.43 **Description** The issue is related to the ksmbd component in the Linux kernel, where the `may open()` function does not allow a directory to be opened with write access. However, some writing flags set by the client result in adding write access on the server, making ksmbd incompatible with the FUSE file system. The problem is resolved by discarding the write access when opening a directory. A list add corruption issue is also mentioned, with a kernel bug at `lib/list debug.c:26`. The call trace includes functions such as ` list add valid()`, `fuse finish open()`, and `smb2 open()`. **Recommendations** Update to Linux kernel version 6.6.43 or later to resolve the issue. As a temporary workaround, consider disabling the `ksmbd` component until a patch is available. Restrict access to the vulnerable `fuse` module to minimize the risk of exploitation. Avoid using the `smb2 open()` function in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Linux Kernel (affected versions not specified) **Description** A problem was found in the Linux Kernel related to the function `sess free buffer()` of the file `fs/cifs/sess.c` in the CIFS Handler component. This issue leads to a double free condition. The exploitation of this issue may allow an attacker to cause a denial of service. **Recommendations** Apply a patch to fix this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A potential double free issue during a failed mount has been resolved in the Linux kernel, specifically in the cifs component. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.