CVE-2026-23093 in Linux
Summary
by MITRE • 02/04/2026
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: smbd: fix dma_unmap_sg() nents
The dma_unmap_sg() functions should be called with the same nents as the dma_map_sg(), not the value the map function returned.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 05/03/2026
The vulnerability identified as CVE-2026-23093 represents a critical memory management issue within the Linux kernel's ksmbd implementation, specifically affecting the SMBD (Server Message Block Daemon) subsystem. This flaw manifests in the improper handling of scatter-gather DMA operations, which are fundamental components in high-performance network I/O operations for file sharing protocols. The ksmbd module serves as the kernel-space implementation of SMB/CIFS file sharing services, making this vulnerability particularly concerning for networked file server environments.
The technical root cause of this vulnerability lies in the inconsistent parameter handling between DMA mapping and unmapping operations within the ksmbd subsystem. When the dma_map_sg() function is invoked, it returns the actual number of scatter-gather entries that were successfully mapped, but the subsequent dma_unmap_sg() call incorrectly utilizes this returned value instead of the original nents parameter that was passed to the mapping function. This discrepancy creates a mismatch between the expected and actual number of DMA segments to be unmapped, potentially leading to memory corruption, buffer overruns, or unauthorized memory access patterns.
From an operational perspective, this vulnerability presents a significant risk to systems running ksmbd as their primary SMB file sharing service, particularly in enterprise environments where file servers are extensively used. The flaw could enable malicious actors to exploit the memory management inconsistency to perform arbitrary code execution, escalate privileges, or cause system crashes through carefully crafted SMB requests. The vulnerability's impact is amplified by the fact that DMA operations are commonly used in high-throughput network scenarios, making the attack surface more expansive in performance-critical environments.
The vulnerability aligns with CWE-128, which addresses "Wrap or Overflow" conditions in memory management operations, and represents a classic example of improper resource handling in kernel-space code. From an attack framework perspective, this issue could be leveraged through the ATT&CK technique T1059.007 for command and control operations, or through T1068 for privilege escalation, depending on the specific exploitation vector. The fix implemented addresses the core issue by ensuring that the dma_unmap_sg() function receives the original nents parameter that was used during the mapping operation, rather than the potentially modified value returned by the mapping function.
Security professionals should prioritize patching systems running ksmbd implementations, particularly those serving as file servers in enterprise environments. The mitigation strategy involves updating to the patched kernel version that correctly handles the DMA scatter-gather parameters, ensuring that the mapping and unmapping operations maintain consistent parameter values throughout the DMA lifecycle. Organizations should also implement network monitoring to detect suspicious SMB traffic patterns that might indicate exploitation attempts, while maintaining comprehensive logging of file access operations to aid in forensic analysis should compromise occur.