cbcvebase.
CVE-2022-47939
published 2022-12-23

CVE-2022-47939: An issue was discovered in ksmbd in the Linux kernel 5.15 through 5.19 before 5.19.2. fs/ksmbd/smb2pdu.c has a use-after-free and OOPS for SMB2_TREE_DISCONNECT.

Priority: P261
Severity: critical, 9.8 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 46.43% (98.7th percentile)

Affected (8 ranges)

  Vendor   Product        Version range                           Fixed in
  debian   linux          < 5.19.6-1 (bookworm)                   5.19.6-1 (bookworm)
  linux    linux_kernel   >= 0, < 5.19.6-1                        5.19.6-1
  linux    linux_kernel   >= 0, < 5.19.6-1                        5.19.6-1
  linux    linux_kernel   >= 0, < 5.19.6-1                        5.19.6-1
  linux    linux_kernel   >= 5.15, < 5.15.61                      5.15.61
  linux    linux_kernel   >= 5.16, < 5.18.18                      5.18.18
  linux    linux_kernel   >= 5.19, < 5.19.2                       5.19.2
  msrc     cbl2           kernel_5.15.86.1-1_on_cbl_mariner_2.0
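The upstream ranges in the table above can be turned into a first-pass host triage check. The script below is an added example written for this page, not tooling from the advisory's sources or from the ksmbd project. It assumes the kernel version is read from `uname -r` / `platform.release()`, that a loaded ksmbd shows up as `/sys/module/ksmbd`, and that an unloaded but shipped module lives under `/lib/modules/<release>/kernel/fs/ksmbd` (the module's location in the 5.15 to 5.19 kernels this page covers); the `root` parameter is an assumption of mine so the check can be pointed at a mounted image.

```python
"""Host-side triage for CVE-2022-47939 (added example, not from the advisory).

Assumptions (mine, not the page's): upstream version comes from `uname -r`;
"ksmbd present" means /sys/module/ksmbd exists (loaded) or the module
directory /lib/modules/<release>/kernel/fs/ksmbd exists (built, not loaded).
The affected ranges are the upstream ones from the Affected table.
"""
import os
import platform
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# (inclusive lower bound, exclusive upper bound) per upstream stable branch.
AFFECTED_RANGES = [
    ((5, 15, 0), (5, 15, 61)),
    ((5, 16, 0), (5, 18, 18)),
    ((5, 19, 0), (5, 19, 2)),
]


def parse_kernel_version(release: str) -> Version:
    """Leading major.minor[.patch] of a `uname -r` string such as
    '5.15.60-generic' or '5.19.0-16-generic'; the distro suffix is dropped."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release string: {release!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def kernel_in_affected_range(release: str) -> bool:
    """True if the upstream version falls inside one of the vulnerable ranges."""
    v = parse_kernel_version(release)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def ksmbd_present(release: str, root: str = "/") -> Dict[str, bool]:
    """Is the in-kernel SMB server loaded, or at least shipped as a module?
    `root` (my addition) lets the check run against a mounted image/chroot."""
    loaded = os.path.isdir(os.path.join(root, "sys", "module", "ksmbd"))
    module_dir = os.path.join(root, "lib", "modules", release,
                              "kernel", "fs", "ksmbd")
    return {"loaded": loaded, "available": os.path.isdir(module_dir)}


def triage(release: Optional[str] = None, root: str = "/") -> str:
    """Combine both checks into a verdict. Distribution kernels such as
    Ubuntu's 5.15.0-53.59 carry the fix as a backport while still reporting
    an upstream version inside the affected range, so a version match is a
    prompt to check the distro package version, not a confirmed-vulnerable
    result. Absence of ksmbd, by contrast, is conclusive."""
    release = release or platform.release()
    present = ksmbd_present(release, root)
    if not (present["loaded"] or present["available"]):
        return "not-affected: ksmbd not built or loaded"
    if not kernel_in_affected_range(release):
        return "not-affected: kernel outside the affected upstream ranges"
    if present["loaded"]:
        return ("exposed: ksmbd loaded on a kernel in the affected range; "
                "verify distro patch level")
    return ("version-affected: ksmbd module shipped but not loaded; "
            "verify distro patch level")


if __name__ == "__main__":
    print(triage())
```

Run it as root on the host, or with `triage(release, root="/mnt/image")` against a mounted filesystem; treat `exposed` as "patch or unload ksmbd now", and `not-affected: ksmbd not built or loaded` as the Samba-only case the IOC list describes.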

Detection & IOCs (extracted from sources)

  • The vulnerable code path is in fs/ksmbd/smb2pdu.c and is reached through the SMB2_TREE_DISCONNECT command. TREE_DISCONNECT is also part of every normal SMB session teardown, so logging the command by itself is noisy; the useful signals are TREE_DISCONNECT requests on a connection that never completed SESSION_SETUP and TREE_CONNECT, and kernel OOPS traces referencing ksmbd in dmesg or the journal on hosts serving SMB.
  • The vulnerability is reachable only when the in-kernel ksmbd module is built and loaded; checking for it (for example with lsmod, or for the /sys/module/ksmbd directory) is the first triage step.
  • Exploitation requires no authentication (CVSS PR:N); unauthenticated SMB2 TREE_DISCONNECT traffic to ksmbd-enabled Linux hosts running kernel 5.15 through 5.19 before 5.19.2 should be treated as suspicious.
  • Only Linux kernels 5.15 through 5.19 before 5.19.2 with ksmbd explicitly enabled are affected; ksmbd is not enabled by default in most Linux distributions.
  • Systems using Samba (the userspace smbd) as their SMB server are not affected; only the in-kernel ksmbd module is vulnerable.
  • Red Hat Enterprise Linux 6 through 9 are not affected because the ksmbd sources are not built into their kernels.
  • The fix was released in Linux 5.15.61 (August 17, 2022); Ubuntu fixed versions are Jammy 5.15.0-53.59 and Kinetic 5.19.0-16.16; Debian fixed it in 5.19.6-1 for bookworm/sid/trixie/forky.
  • No proof-of-concept exploit code had been publicly released at the time of disclosure, and there were no reports of active exploitation in the wild.
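The "unauthenticated TREE_DISCONNECT" indicator in the list above can be made concrete as a per-connection state check. The code below is an added example written for this page, not code from ksmbd, from the advisory or from its sources. It assumes it is handed the SMB2 PDUs of one TCP connection in order (NetBIOS session header already stripped), takes direction from the SERVER_TO_REDIR header flag, inspects only the 64-byte synchronous header laid out in MS-SMB2 section 2.2.1.2, and ignores compound and async PDUs; the traffic replayed in `run_demo()` is constructed here, and `ConnectionTracker`/`smb2_header` are names I chose.

```python
"""Wire-side heuristic for the CVE-2022-47939 trigger pattern (added example).

Flags a client SMB2_TREE_DISCONNECT whose SessionId/TreeId were never granted
on this connection by a STATUS_SUCCESS SESSION_SETUP / TREE_CONNECT response.
Assumption: one tracker per TCP connection, PDUs fed in wire order.
"""
import struct
from typing import Dict, List, Optional

SMB2_MAGIC = b"\xfeSMB"
SMB2_HDR = struct.Struct("<4sHHIHHIIQIIQ16s")  # 64-byte sync header

CMD_NEGOTIATE, CMD_SESSION_SETUP, CMD_LOGOFF = 0x0000, 0x0001, 0x0002
CMD_TREE_CONNECT, CMD_TREE_DISCONNECT = 0x0003, 0x0004
FLAG_SERVER_TO_REDIR, FLAG_ASYNC_COMMAND = 0x00000001, 0x00000002
STATUS_SUCCESS, STATUS_MORE_PROCESSING_REQUIRED = 0x00000000, 0xC0000016


def smb2_header(cmd: int, *, from_server: bool = False, status: int = STATUS_SUCCESS,
                msg_id: int = 0, tree_id: int = 0, session_id: int = 0) -> bytes:
    """Build a bare 64-byte SMB2 header (constructed test input, no body)."""
    flags = FLAG_SERVER_TO_REDIR if from_server else 0
    return SMB2_HDR.pack(SMB2_MAGIC, 64, 0, status, cmd, 1, flags, 0,
                         msg_id, 0, tree_id, session_id, b"\x00" * 16)


class ConnectionTracker:
    """Sessions and (session, tree) pairs the server actually granted."""

    def __init__(self) -> None:
        self.sessions: set = set()
        self.trees: set = set()
        self.alerts: List[Dict] = []

    def feed(self, pdu: bytes) -> Optional[Dict]:
        if len(pdu) < SMB2_HDR.size or pdu[:4] != SMB2_MAGIC:
            return None
        (_, size, _, status, cmd, _, flags, _, msg_id, _,
         tree_id, session_id, _) = SMB2_HDR.unpack_from(pdu)
        if size != 64 or flags & FLAG_ASYNC_COMMAND:
            return None  # malformed or async; out of scope for this heuristic
        if flags & FLAG_SERVER_TO_REDIR:
            # Only STATUS_SUCCESS establishes state; the intermediate
            # STATUS_MORE_PROCESSING_REQUIRED of an NTLM exchange does not.
            if status == STATUS_SUCCESS:
                if cmd == CMD_SESSION_SETUP:
                    self.sessions.add(session_id)
                elif cmd == CMD_TREE_CONNECT:
                    self.trees.add((session_id, tree_id))
                elif cmd == CMD_TREE_DISCONNECT:
                    self.trees.discard((session_id, tree_id))
                elif cmd == CMD_LOGOFF:
                    self.sessions.discard(session_id)
                    self.trees = {t for t in self.trees if t[0] != session_id}
            return None
        # Client request: a TREE_DISCONNECT for a tree this connection never
        # obtained is the pattern the IOC list calls suspicious.
        if cmd == CMD_TREE_DISCONNECT and (
                session_id not in self.sessions
                or (session_id, tree_id) not in self.trees):
            alert = {"msg_id": msg_id, "session_id": session_id, "tree_id": tree_id,
                     "reason": "TREE_DISCONNECT for a tree never granted on this connection"}
            self.alerts.append(alert)
            return alert
        return None


def run_demo() -> Dict[str, int]:
    """Replay two constructed connections and return the alert counts."""
    sid, tid = 0x1122334455667788, 1
    benign = ConnectionTracker()
    for pdu in (
        smb2_header(CMD_NEGOTIATE, msg_id=0),
        smb2_header(CMD_NEGOTIATE, from_server=True, msg_id=0),
        smb2_header(CMD_SESSION_SETUP, msg_id=1),
        smb2_header(CMD_SESSION_SETUP, from_server=True, msg_id=1,
                    session_id=sid, status=STATUS_MORE_PROCESSING_REQUIRED),
        smb2_header(CMD_SESSION_SETUP, msg_id=2, session_id=sid),
        smb2_header(CMD_SESSION_SETUP, from_server=True, msg_id=2, session_id=sid),
        smb2_header(CMD_TREE_CONNECT, msg_id=3, session_id=sid),
        smb2_header(CMD_TREE_CONNECT, from_server=True, msg_id=3,
                    session_id=sid, tree_id=tid),
        smb2_header(CMD_TREE_DISCONNECT, msg_id=4, session_id=sid, tree_id=tid),
    ):
        benign.feed(pdu)
    suspicious = ConnectionTracker()
    for pdu in (
        smb2_header(CMD_NEGOTIATE, msg_id=0),
        smb2_header(CMD_NEGOTIATE, from_server=True, msg_id=0),
        smb2_header(CMD_TREE_DISCONNECT, msg_id=1),            # no session at all
        smb2_header(CMD_TREE_DISCONNECT, msg_id=2,             # guessed ids
                    session_id=0xDEADBEEF, tree_id=7),
    ):
        suspicious.feed(pdu)
    return {"benign_alerts": len(benign.alerts),
            "suspicious_alerts": len(suspicious.alerts)}


if __name__ == "__main__":
    print(run_demo())
```

Feed it from a capture by splitting each TCP stream on the 4-byte NetBIOS length prefix and calling `feed()` per PDU. The check is a heuristic, not a signature for the bug: a client that legitimately reuses a SessionId across TCP connections (SMB3 multichannel or reconnect) will also trip it, so treat alerts as candidates to correlate with ksmbd OOPS entries on the target host.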

CVSS provenance

  Source          Version  Score  Severity  Vector
  nvd             v3.1     9.8    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  osv                      9.8    CRITICAL
  vendor_debian            9.8    CRITICAL
  vendor_msrc              9.8    CRITICAL
  vendor_redhat            9.8    CRITICAL