CVE-2026-23226
Published: 18 February 2026
Summary
CVE-2026-23226 is a high-severity Use After Free (CWE-416) vulnerability in Linux Linux Kernel. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 6.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly remediates the use-after-free vulnerability by requiring timely application of the kernel patch adding chann_lock to synchronize ksmbd_chann_list xarray accesses.
Prevents exposure by configuring the system to disable the ksmbd kernel module or restrict unnecessary SMB server capabilities consistent with least functionality requirements.
Implements memory protection mechanisms that mitigate exploitation of the use-after-free condition in the kernel's ksmbd multi-channel session handling.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
UAF in ksmbd SMB server enables remote authenticated exploitation for kernel RCE/priv esc (T1068) via remote service (T1210).
NVD Description
In the Linux kernel, the following vulnerability has been resolved: ksmbd: add chann_lock to protect ksmbd_chann_list xarray ksmbd_chann_list xarray lacks synchronization, allowing use-after-free in multi-channel sessions (between lookup_chann_list() and ksmbd_chann_del). Adds rw_semaphore chann_lock to struct ksmbd_session and protects all xa_load/xa_store/xa_erase…
more
accesses.
Deeper analysisAI
CVE-2026-23226 is a use-after-free vulnerability in the Linux kernel's ksmbd module, which implements an SMB server. The issue arises from a lack of synchronization in the ksmbd_chann_list xarray, enabling a use-after-free condition during multi-channel sessions, specifically between lookup_chann_list() and ksmbd_chann_del() operations. Affected systems are those running vulnerable Linux kernel versions with ksmbd enabled. The vulnerability is rated with a CVSS v3.1 base score of 8.8 and is associated with CWE-416 (Use After Free).
A remote attacker with low privileges, such as an authenticated SMB user, can exploit this over the network with low complexity and no user interaction required. Successful exploitation allows high-impact compromise of confidentiality, integrity, and availability, potentially leading to arbitrary code execution, data corruption, or denial of service within the kernel context.
Kernel patch advisories address the issue by adding an rw_semaphore named chann_lock to struct ksmbd_session, which protects all xa_load, xa_store, and xa_erase accesses to the ksmbd_chann_list xarray. Relevant stable kernel commits include 36ef605c0395b94b826a8c8d6f2697071173de6e, 4c2ca31608521895dd742a43beca4b4d29762345, 4f3a06cc57976cafa8c6f716646be6c79a99e485, and e4a8a96a93d08570e0405cfd989a8a07e5b6ff33, available via git.kernel.org. Security practitioners should update to patched kernel versions to mitigate the risk.
Details
- CWE(s)