CVE-2026-52944 - Vulnerability Details

In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix FSCTL permission bypass by adding a permission check for FSCTL_SET_SPARSE FSCTL_SET_SPARSE in fsctl_set_sparse() modifies the file's sparse attribute and saves it through xattr without any permission checks. This exposes two issues: 1) A client on a read-only share can change the sparse attribute on files it opened, even though the share is read-only. Other FSCTL write operations already check test_tree_conn_flag(work->tcon, KSMBD_TREE_CONN_FLAG_WRITABLE), but FSCTL_SET_SPARSE does not. 2) Even on writable shares, clients without FILE_WRITE_DATA or FILE_WRITE_ATTRIBUTES access should not modify the sparse attribute. Similar handle-level checks exist in other functions but are missing here. Add both share-level writable check and per-handle access check. Use goto out on error to avoid leaking file references.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00219.

Key SSVC decision points have not yet been added.

Vendors	Products
Linux	Linux Kernel

No data.

References

Link	Providers
https://git.kernel.org/stable/c/3127a884525dc8ca4def73254bfcd3ccef0bf812
https://git.kernel.org/stable/c/aef151bcfa494bfe983669de2726734b534adb73
https://git.kernel.org/stable/c/cc57232cae23c0df91b4a59d0f519141ce9b5b02
https://git.kernel.org/stable/c/de9eb0b44fa9123170e6245b49638e0e453c10f8

History

Wed, 24 Jun 2026 10:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix FSCTL permission bypass by adding a permission check for FSCTL_SET_SPARSE FSCTL_SET_SPARSE in fsctl_set_sparse() modifies the file's sparse attribute and saves it through xattr without any permission checks. This exposes two issues: 1) A client on a read-only share can change the sparse attribute on files it opened, even though the share is read-only. Other FSCTL write operations already check test_tree_conn_flag(work->tcon, KSMBD_TREE_CONN_FLAG_WRITABLE), but FSCTL_SET_SPARSE does not. 2) Even on writable shares, clients without FILE_WRITE_DATA or FILE_WRITE_ATTRIBUTES access should not modify the sparse attribute. Similar handle-level checks exist in other functions but are missing here. Add both share-level writable check and per-handle access check. Use goto out on error to avoid leaking file references.
Title		ksmbd: fix FSCTL permission bypass by adding a permission check for FSCTL_SET_SPARSE
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/3127a884525dc8ca4def73254bfcd3ccef0bf812 https://git.kernel.org/stable/c/aef151bcfa494bfe983669de2726734b534adb73 https://git.kernel.org/stable/c/cc57232cae23c0df91b4a59d0f519141ce9b5b02 https://git.kernel.org/stable/c/de9eb0b44fa9123170e6245b49638e0e453c10f8

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-06-24T09:59:09.149Z

Updated: 2026-06-24T09:59:09.149Z

Reserved: 2026-06-09T07:44:35.371Z

Link: CVE-2026-52944

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

No data.

Metrics

Affected Vendors & Products

Metrics

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object