Linux Kernel ksmbd: Infinite loop via SMB2 message reset
CVE-2026-23220 Published on February 18, 2026
ksmbd: fix infinite loop caused by next_smb2_rcv_hdr_off reset in error paths
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: fix infinite loop caused by next_smb2_rcv_hdr_off reset in error paths
The problem occurs when a signed request fails smb2 signature verification
check. In __process_request(), if check_sign_req() returns an error,
set_smb2_rsp_status(work, STATUS_ACCESS_DENIED) is called.
set_smb2_rsp_status() set work->next_smb2_rcv_hdr_off as zero. By resetting
next_smb2_rcv_hdr_off to zero, the pointer to the next command in the chain
is lost. Consequently, is_chained_smb2_message() continues to point to
the same request header instead of advancing. If the header's NextCommand
field is non-zero, the function returns true, causing __handle_ksmbd_work()
to repeatedly process the same failed request in an infinite loop.
This results in the kernel log being flooded with "bad smb2 signature"
messages and high CPU usage.
This patch fixes the issue by changing the return value from
SERVER_HANDLER_CONTINUE to SERVER_HANDLER_ABORT. This ensures that
the processing loop terminates immediately rather than attempting to
continue from an invalidated offset.
Products Associated with CVE-2026-23220
You can be notified by email with stack.watch whenever vulnerabilities like CVE-2026-23220 are published in Linux Kernel:
Affected Versions
Linux:- Version 943cebf9ea3415ddefcd670d24d8883e97ba3d60 and below fb3b66bd72deb5543addaefa67963b34fb163a7b is affected.
- Version be0f89d4419dc5413a1cf06db3671c9949be0d52 and below 5accdc5b7f28a81bbc5880ac0b8886e60c86e8c8 is affected.
- Version be0f89d4419dc5413a1cf06db3671c9949be0d52 and below f7b1c2f5642bbd60b1beef1f3298cbac81eb232c is affected.
- Version be0f89d4419dc5413a1cf06db3671c9949be0d52 and below 71b5e7c528315ca360a1825a4ad2f8ae48c5dc16 is affected.
- Version be0f89d4419dc5413a1cf06db3671c9949be0d52 and below 9135e791ec2709bcf0cda0335535c74762489498 is affected.
- Version be0f89d4419dc5413a1cf06db3671c9949be0d52 and below 010eb01ce23b34b50531448b0da391c7f05a72af is affected.
- Version 4b9b7ea1ffb1e34f01fa5726d0c184931b9ba565 is affected.
- Version 6.6 is affected.
- Before 6.6 is unaffected.
- Version 6.1.164, <= 6.1.* is unaffected.
- Version 6.6.125, <= 6.6.* is unaffected.
- Version 6.12.72, <= 6.12.* is unaffected.
- Version 6.18.11, <= 6.18.* is unaffected.
- Version 6.19.1, <= 6.19.* is unaffected.
- Version 7.0-rc1, <= * is unaffected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.