Updated: 2026-02-26
Description:
In the Linux kernel, the following vulnerability has been resolved: ksmbd: Fix refcount leak when invalid session is found on session lookup When a session is found but its state is not SMB2_SESSION_VALID, It indicates that no valid session was found, but it is missing to decrement the reference count acquired by the session lookup, which results in a reference count leak. This patch fixes the issue by explicitly calling ksmbd_user_session_put to release the reference to the session. A flaw was found in the Linux kernel's ksmbd component. This vulnerability allows a local authenticated user to cause a system to become unavailable, leading to a Denial of Service (DoS). The issue occurs due to a missing step in managing system resources when an invalid network session is detected, causing a resource to be held indefinitely.
CVSS3: 5.5
| OS | Vendor version | Errata |
|---|---|---|
| Debian 12 | 6.1.162-1 | DSA-6127-1 |
| OS | Original kernel version | State |
|---|---|---|
| Debian 12 | |
Planned |