CVE-2026-23226 went public on 18 February 2026. It is a use-after-free (CWE-416) in ksmbd, the SMB3 server that runs inside the Linux kernel itself (under fs/smb/server). Severity is rated high. NVD gives it a CVSS 3.1 score of 7.8, and the kernel.org CNA pushes that to 8.8 because it treats the bug as network-exploitable.
What ksmbd is and where the flaw lives
ksmbd is the in-kernel server for SMB (the Windows file-sharing protocol), a fast alternative to the classic user-space Samba. When a client negotiates a session with SMB3 multichannel, several network connections share a single session and spread traffic across multiple channels.
The bug sits in the channel list ksmbd_chann_list, which is built as an xarray. That structure was missing proper synchronization. Between looking up a channel with lookup_chann_list() and deleting it with ksmbd_chann_del(), a race condition stayed open. When two connections share the same session over SMB3 multichannel, the kernel can wind up reading a channel structure that has already been freed, touching memory through a dangling pointer.
Who is affected and how serious it is
The flaw affects Linux systems that have ksmbd enabled and expose an SMB3 server with multichannel turned on. It does not affect systems running user-space Samba, or systems where the ksmbd module is not loaded or the service is not running.
Vulnerable ranges run from Linux 6.3 through 6.18.10, plus 6.19.0 (with fixes also backported to earlier stable branches). A kernel use-after-free, at worst, leads to memory corruption that can open the door to code execution or denial of service. The gap between NVD’s 7.8 (local vector) and kernel.org’s 8.8 (network vector) comes down to one thing: since ksmbd is a network-facing service, a remote authenticated attacker could trigger the condition.
Mitigation and patch
The fix landed in a commit by Greg Kroah-Hartman on 16 February 2026. The patch adds a reader-writer semaphore chann_lock that guards every operation on the ksmbd_chann_list xarray and closes the race window between channel lookup and deletion.
What to do:
- Update the kernel to a version that carries the fix (6.18.11 or later within its series, plus the matching backports in stable and LTS branches). Apply your distribution’s security updates as soon as they show up.
- If you cannot patch right away and do not need ksmbd, unload the module or stop the service, or disable SMB3 multichannel in the server config to shrink what is exposed.
- Restrict access to the SMB port (TCP/445) to trusted networks with a firewall.
If you run a ksmbd-based file server, treat this as a priority update. Isolating services and applying least privilege (for example with the modules we cover in our SELinux and AppArmor guide) helps contain the damage from bugs like this, though it is no substitute for the patch.
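An exposure triage for the conditions described above (kernel inside the stated range, ksmbd loaded, a listener on TCP/445), as an added example that is not part of the original advisory or of the kernel project. The function names and verdict strings are assumptions made for illustration, and a version inside the range may already carry a distribution backport, so the last verdict means "confirm the fix", not "confirmed vulnerable".

```shell
#!/bin/sh
# Added example: exposure triage for CVE-2026-23226 (not from the advisory).

# in_affected_range VERSION: 0 if inside 6.3 .. 6.18.10 or exactly 6.19.0
# (the range stated in the article), 1 if outside, 2 if unparseable.
in_affected_range() {
    v=${1%%[-+_]*}                        # 6.8.0-45-generic -> 6.8.0
    case $v in *.*) ;; *) return 2 ;; esac
    maj=${v%%.*}; rest=${v#*.}; min=${rest%%.*}
    case $rest in *.*) pat=${rest#*.}; pat=${pat%%.*} ;; *) pat=0 ;; esac
    case "$maj.$min.$pat" in *[!0-9.]*|.*|*..*|*.) return 2 ;; esac
    [ "$maj" -eq 6 ] || return 1
    if [ "$min" -ge 3 ] && [ "$min" -le 17 ]; then return 0; fi
    if [ "$min" -eq 18 ] && [ "$pat" -le 10 ]; then return 0; fi
    if [ "$min" -eq 19 ] && [ "$pat" -eq 0 ]; then return 0; fi
    return 1
}

# ksmbd_loaded [FILE]: 0 if the module is listed in /proc/modules (or FILE).
# A kernel with ksmbd built in does not list it there.
ksmbd_loaded() { grep -q '^ksmbd ' "${1:-/proc/modules}" 2>/dev/null; }

# smb_listening [FILE...]: 0 if any socket table has a LISTEN (st 0A) entry
# on local port 445 (hex 01BD). Defaults to this netns's IPv4/IPv6 tables.
smb_listening() {
    [ $# -gt 0 ] || set -- /proc/net/tcp /proc/net/tcp6
    for f in "$@"; do
        [ -r "$f" ] || continue
        awk '$4 == "0A" && $2 ~ /:01BD$/ { hit = 1 } END { exit !hit }' "$f" && return 0
    done
    return 1
}

# triage [KVER [MODULES_FILE [TCP_FILE...]]]: prints one verdict word.
triage() {
    kver=${1:-$(uname -r)}; mods=${2:-/proc/modules}
    if [ $# -ge 2 ]; then shift 2; else set --; fi
    ksmbd_loaded "$mods" || { echo "ksmbd-not-loaded"; return 0; }
    rc=0; in_affected_range "$kver" || rc=$?
    [ "$rc" -ne 1 ] || { echo "kernel-outside-range"; return 0; }
    if smb_listening "$@"; then echo "exposed-verify-patch"
    else echo "loaded-not-listening"; fi
}

triage   # report for the running host
```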
You can track kernel support status and versions on our Linux kernel page.
Source
- NVD — NIST National Vulnerability Database: https://nvd.nist.gov/vuln/detail/CVE-2026-23226