CVE-2024-26980 in Linux
Summary
by MITRE • 05/01/2024
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: fix slab-out-of-bounds in smb2_allocate_rsp_buf
If ->ProtocolId is SMB2_TRANSFORM_PROTO_NUM, smb2 request size validation could be skipped. if request size is smaller than sizeof(struct smb2_query_info_req), slab-out-of-bounds read can happen in smb2_allocate_rsp_buf(). This patch allocate response buffer after decrypting transform request. smb3_decrypt_req() will validate transform request size and avoid slab-out-of-bound in smb2_allocate_rsp_buf().
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 02/06/2026
The vulnerability CVE-2024-26980 represents a critical slab out-of-bounds read condition within the Linux kernel's ksmbd implementation, specifically affecting the smb2_allocate_rsp_buf function. This issue manifests when processing SMB2 transform protocol requests where the ProtocolId field contains the SMB2_TRANSFORM_PROTO_NUM value. The flaw arises from an improper sequence of operations during request processing, creating a window where validation checks can be bypassed. When a maliciously crafted SMB2 request with a transform protocol identifier is processed, the system fails to validate the request size against the expected structure size, leading to potential memory corruption. The vulnerability is particularly concerning as it operates at the kernel level within the SMB2 protocol handling subsystem, which is commonly exposed to network-based attacks.
The technical root cause of this vulnerability lies in the improper ordering of cryptographic operations and size validation within the SMB2 protocol processing pipeline. When the kernel encounters a request with SMB2_TRANSFORM_PROTO_NUM as the ProtocolId, it should first decrypt the transform request before performing any size validation. However, the current implementation allows for a scenario where the response buffer allocation occurs before decryption, enabling a situation where a malformed request with insufficient data can trigger an out-of-bounds read. The specific condition occurs when the request size is smaller than sizeof(struct smb2_query_info_req), which is the expected minimum size for a valid query info request structure. This discrepancy creates a memory access pattern that extends beyond the allocated slab memory boundaries, potentially exposing kernel memory contents or causing system instability.
The operational impact of CVE-2024-26980 extends beyond simple memory corruption, as it represents a potential attack vector for privilege escalation and system compromise within networked environments. Systems running ksmbd servers are particularly vulnerable when exposed to untrusted network traffic, as attackers can craft malicious SMB2 requests to trigger this condition. The vulnerability affects the SMB2 protocol implementation within the Linux kernel's ksmbd module, which provides SMB/CIFS server functionality for Linux systems. Network-based attackers who can send specially crafted SMB2 transform requests to affected systems may exploit this flaw to read kernel memory, potentially extracting sensitive information or causing denial of service conditions. The out-of-bounds read could also be leveraged as a stepping stone for more sophisticated attacks, particularly in environments where SMB services are exposed to external networks. This vulnerability aligns with CWE-129, which describes improper validation of length of input buffers, and represents a classic case of insufficient input validation in kernel space operations.
The mitigation strategy for CVE-2024-26980 involves implementing a corrected processing sequence that ensures proper request validation before buffer allocation. The patch addresses this by reordering the cryptographic operations to decrypt transform requests prior to allocating response buffers, ensuring that smb3_decrypt_req() performs the necessary size validation before smb2_allocate_rsp_buf() attempts to allocate memory. This approach follows the principle of input validation and defensive programming practices recommended in the ATT&CK framework for kernel-level security. Organizations should immediately apply the vendor-provided patches to all systems running ksmbd servers, particularly those exposed to untrusted network environments. Network segmentation and access controls should be implemented to limit exposure of SMB services to only trusted networks. Additionally, monitoring for suspicious SMB2 transform protocol requests and implementing intrusion detection systems can help identify potential exploitation attempts. The fix demonstrates proper security engineering principles by ensuring that cryptographic operations are completed before memory allocation, preventing the conditions that led to the out-of-bounds read vulnerability.