Linux Kernel ksmbd SMB2 Logoff Use-After-Free Vulnerability

Vulnerability

A use-after-free vulnerability has been identified in the Linux kernel's ksmbd component, which implements the SMB3 protocol in kernel space. This vulnerability occurs in the session logoff handler, where the 'user' object of a session can be freed while still being accessed by another thread. This flaw can lead to kernel memory corruption and potentially allow arbitrary code execution in kernel context.

Impact

Exploitation of this vulnerability causes a use-after-free condition, leading to memory corruption and the possibility of executing arbitrary code within the kernel.

Reproduction

The vulnerability can be reproduced by sending a session logoff request while another thread is processing a normal request that uses the session's 'user' object. This can be achieved by binding a second connection to an existing session and then initiating the logoff, which frees the 'user' object without proper synchronization.

Remediation

The vulnerability has been fixed in the official Linux Git repository.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 7.5
exploitability: 6.0
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.