CVE-2022-47939
Published 2022-12-23
CVE-2022-47939: An issue was discovered in ksmbd in the Linux kernel 5.15 through 5.19 before 5.19.2. fs/ksmbd/smb2pdu.c has a use-after-free and OOPS for SMB2_TREE_DISCONNECT.
Priority P261 · critical · 9.8 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 46.43% (98.7th percentile)
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | linux | < linux 5.19.6-1 (bookworm) | linux 5.19.6-1 (bookworm) |
| linux | linux_kernel | >= 0 < 5.19.6-1 | 5.19.6-1 |
| linux | linux_kernel | >= 0 < 5.19.6-1 | 5.19.6-1 |
| linux | linux_kernel | >= 0 < 5.19.6-1 | 5.19.6-1 |
| linux | linux_kernel | >= 5.15 < 5.15.61 | 5.15.61 |
| linux | linux_kernel | >= 5.16 < 5.18.18 | 5.18.18 |
| linux | linux_kernel | >= 5.19 < 5.19.2 | 5.19.2 |
| msrc | cbl2_kernel_5.15.86.1-1_on_cbl_mariner_2.0 | — | — |
Detection & IOCs (extracted from sources)
- The vulnerable code path is in fs/ksmbd/smb2pdu.c and is triggered by SMB2_TREE_DISCONNECT commands; monitor or filter SMB2 TREE_DISCONNECT requests to ksmbd-enabled hosts as an exploitation indicator.
- The vulnerability is exploitable only when the ksmbd in-kernel module is loaded/enabled; audit systems for ksmbd module presence as a detection/triage step.
- Exploitation requires no authentication; unauthenticated SMB2 TREE_DISCONNECT traffic to ksmbd-enabled Linux hosts (kernel 5.15–5.19 before 5.19.2) should be treated as suspicious.
- The vulnerability only affects Linux kernels 5.15 through 5.19 before 5.19.2 with the ksmbd module explicitly enabled; ksmbd is NOT enabled by default in most Linux distributions.
- Systems using Samba as their SMB server are NOT affected; only the in-kernel ksmbd module is vulnerable.
- Red Hat Enterprise Linux 6–9 are not affected, as ksmbd files are not built in their kernel source.
- The patch was released in Linux 5.15.61 (August 17, 2022); Ubuntu fixed versions are Jammy 5.15.0-53.59 and Kinetic 5.19.0-16.16; Debian fixed in 5.19.6-1 for bookworm/sid/trixie/forky.
- No proof-of-concept exploit code had been publicly released at time of disclosure; no reports of active exploitation in the wild.
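The triage step from the list above (kernel in an affected range and ksmbd loaded), as an added example that is not taken from any of the sources on this page; the function names are hypothetical. It compares against the upstream ranges in the "Affected" table only, so distribution kernels that carry backported fixes must be checked against the vendor fixed versions listed above instead.

```shell
#!/bin/sh
# Upstream affected ranges, taken from the "Affected" table on this page:
#   [5.15, 5.15.61)   [5.16, 5.18.18)   [5.19, 5.19.2)
ksmbd_upstream_affected() {
    base=${1%%[!0-9.]*}              # "5.15.0-52-generic" -> "5.15.0"
    old_ifs=$IFS; IFS=.
    set -- $base                     # split into major minor patch
    IFS=$old_ifs
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    [ "$major" -eq 5 ] || return 1
    case $minor in
        15)    [ "$patch" -lt 61 ] ;;
        16|17) return 0 ;;
        18)    [ "$patch" -lt 18 ] ;;
        19)    [ "$patch" -lt 2 ] ;;
        *)     return 1 ;;
    esac
}

# Constructed sample in /proc/modules format. The first line only names ksmbd
# as a dependent of another module, so an unanchored grep would also match it.
sample_modules() {
    cat <<'EOF'
cifs_arc4 16384 1 ksmbd, Live 0x0000000000000000
ksmbd 299008 0 - Live 0x0000000000000000
EOF
}

# Classify one host from its kernel release and a /proc/modules-style file.
# A kernel with ksmbd built in (CONFIG_SMB_SERVER=y) has no entry there.
ksmbd_triage() {
    release=$1; modules=${2:-/proc/modules}
    if ! ksmbd_upstream_affected "$release"; then
        echo "outside-affected-range"
    elif [ -r "$modules" ] && grep -q '^ksmbd ' "$modules"; then
        echo "affected-range-ksmbd-loaded"
    else
        echo "affected-range-ksmbd-not-loaded"
    fi
}

ksmbd_triage "$(uname -r)"           # triage the local host
```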
CVSS provenance
- nvd · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- osv · 9.8 CRITICAL
- vendor_debian · 9.8 CRITICAL
- vendor_msrc · 9.8 CRITICAL
- vendor_redhat · 9.8 CRITICAL
OSV
CVE-2022-47939: An issue was discovered in ksmbd in the Linux kernel 5
osv·2022-12-23·CVSS 9.8
CVE-2022-47939 [CRITICAL] CVE-2022-47939: An issue was discovered in ksmbd in the Linux kernel 5
An issue was discovered in ksmbd in the Linux kernel 5.15 through 5.19 before 5.19.2. fs/ksmbd/smb2pdu.c has a use-after-free and OOPS for SMB2_TREE_DISCONNECT.
GHSA
GHSA-c5f7-v4rr-qv23: An issue was discovered in ksmbd in the Linux kernel before 5
ghsa_unreviewed·2022-12-23
CVE-2022-47939 [CRITICAL] CWE-416 GHSA-c5f7-v4rr-qv23: An issue was discovered in ksmbd in the Linux kernel before 5
An issue was discovered in ksmbd in the Linux kernel before 5.19.2. fs/ksmbd/smb2pdu.c has a use-after-free and OOPS for SMB2_TREE_DISCONNECT.
Red Hat
kernel: smb2_tree_disconnect() fails to validate object existence prior to performing operations on it
vendor_redhat·2022-12-22·CVSS 9.8
CVE-2022-47939 [CRITICAL] CWE-416 kernel: smb2_tree_disconnect() fails to validate object existence prior to performing operations on it
kernel: smb2_tree_disconnect() fails to validate object existence prior to performing operations on it
An issue was discovered in ksmbd in the Linux kernel 5.15 through 5.19 before 5.19.2. fs/ksmbd/smb2pdu.c has a use-after-free and OOPS for SMB2_TREE_DISCONNECT.
Statement: There was no shipped kernel version that was seen affected by this problem. These files are not built in our source code. See https://access.redhat.com/solutions/6991749 for more information.
Package: kernel (Red Hat Enterprise Linux 6) - Not affected
Package: kernel (Red Hat Enterprise Linux 7) - Not affected
Package: kernel-rt (Red Hat Enterprise Linux 7) - Not affected
Package: kernel (Red Hat Enterprise Linux 8) - Not affected
Package: kernel-rt (Red Hat Enterprise Linux 8) - Not affected
Package: kernel (Red
Microsoft
An issue was discovered in ksmbd in the Linux kernel 5.15 through 5.19 before 5.19.2. fs/ksmbd/smb2pdu.c has a use-after-free and OOPS for SMB2_TREE_DISCONNECT.
vendor_msrc·2022-12-13·CVSS 9.8
CVE-2022-47939 [CRITICAL] CWE-416 An issue was discovered in ksmbd in the Linux kernel 5.15 through 5.19 before 5.19.2. fs/ksmbd/smb2pdu.c has a use-after-free and OOPS for SMB2_TREE_DISCONNECT.
An issue was discovered in ksmbd in the Linux kernel 5.15 through 5.19 before 5.19.2. fs/ksmbd/smb2pdu.c has a use-after-free and OOPS for SMB2_TREE_DISCONNECT.
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Mariner: Mariner
Debian
CVE-2022-47939: linux - An issue was discovered in ksmbd in the Linux kernel 5.15 through 5.19 before 5....
vendor_debian·2022·CVSS 9.8
CVE-2022-47939 [CRITICAL] CVE-2022-47939: linux - An issue was discovered in ksmbd in the Linux kernel 5.15 through 5.19 before 5....
An issue was discovered in ksmbd in the Linux kernel 5.15 through 5.19 before 5.19.2. fs/ksmbd/smb2pdu.c has a use-after-free and OOPS for SMB2_TREE_DISCONNECT.
Scope: local
bookworm: resolved (fixed in 5.19.6-1)
bullseye: resolved
forky: resolved (fixed in 5.19.6-1)
sid: resolved (fixed in 5.19.6-1)
trixie: resolved (fixed in 5.19.6-1)
No detection rules found.
No public exploits indexed.
Wiz
RCE meaning: Remote code execution attacks explained | Wiz
blogs_wiz·2026-02-18
RCE meaning: Remote code execution attacks explained | Wiz
## What is a remote code execution (RCE) attack?
A remote code execution (RCE) attack is a cyberattack where an attacker runs malicious code on a target system from a remote location. This means someone who has no physical access to your servers can still execute commands as if they were sitting at the keyboard.
RCE ranks among the most severe vulnerability classes because attackers often need no authentication or user interaction to exploit it. Once they gain code execution, they can steal sensitive data, install persistent backdoors, escalate privileges, or pivot to other systems on your network.
The consequences extend beyond the initial compromise. A single RCE vulnerability in an internet-facing application can give attackers a foothold to move laterally through your environment, e
Tenable
CVE-2022-47939: Critical RCE Vulnerability in Linux Kernel
blogs_tenable·2022-12-29·CVSS 9.8
[CRITICAL] CVE-2022-47939: Critical RCE Vulnerability in Linux Kernel
Wiz
CVE-2022-47939 critical vulnerability in Linux kernel `ksmbd` module: everything you need to know | Wiz Blog
blogs_wiz·2022-12-27·CVSS 9.8
CVE-2022-47939 [CRITICAL] CVE-2022-47939 critical vulnerability in Linux kernel `ksmbd` module: everything you need to know | Wiz Blog
A critical remote code execution vulnerability (CVE-2022-47939) has been identified in the `ksmbd` module of the Linux kernel. This means that remote attackers could potentially execute arbitrary code on affected systems running the Linux kernel without requiring authentication. However, it's important to note this vulnerability is only exploitable on systems with the `ksmbd` in-kernel module enabled. The vulnerability was first published as ZDI-22-1690 on December 22, 2022, by Zero Day Initiative and given a score of CVSS 10.0, before it was assigned a CVE.
The `ksmbd` module was only recently introduced in Linux `5.15`, so it is not yet widely used. As a result, exploitable systems are not common.
# What is CVE-2022-47939?
The vulnerability lies in the `ksmbd` module, an in-kernel SMB
If you are using an SMB server with Samba, you are not affected by this vulnerability.
## Wiz Research data: how many organizations are vulnerable?
## Which products are affected?
| Vendor | Product | Status | Severity |
|---|---|---|---|
| Ubuntu | linux | Impacted, fixed: Jammy 5.15.0-53.59; Kinetic 5.19.0-16.16 | Medium |
| Ubuntu | Other** | Not impacted / In triage | - |
| Debian | linux (pst) | Impacted, fixed: Buster 4.19.249-2; Buster (security) 4.19.269-1; Bullseye 5.10.158-2; Bullseye (security) 5.10.149-2; Bookworm, sid 6.0.12-1 | None assigned |
| Red Hat | All | Not impacted | - |

** Additional Ubuntu releases are vulnerable; please refer to the vendor's advisory for the latest updates.
## Which actions should security teams take?
5.15.61
Wiz customers can
- http://www.openwall.com/lists/oss-security/2022/12/23/10
- https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.19.2
- https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=cf6531d98190fa2cf92a6d8bbc8af0a4740a223c
- https://github.com/torvalds/linux/commit/cf6531d98190fa2cf92a6d8bbc8af0a4740a223c
- https://www.secpod.com/blog/zero-day-server-message-block-smb-server-in-linux-kernel-5-15-has-a-critical-vulnerability-patch-ksmbd-immediately/
- https://www.zerodayinitiative.com/advisories/ZDI-22-1690/