CVE-2023-52442

ksmbd: validate session id and tree id in compound request

Description

In the Linux kernel, the following vulnerability has been resolved: ksmbd: validate session id and tree id in compound request `smb2_get_msg()` in smb2_get_ksmbd_tcon() and smb2_check_user_session() will always return the first request smb2 header in a compound request. if `SMB2_TREE_CONNECT_HE` is the first command in compound request, will return 0, i.e. The tree id check is skipped. This patch use ksmbd_req_buf_next() to get current command in compound.

5.5
CVSS
Severity: Medium
CVSS 3.1 •
EPSS 0.14%
Affected: Linux Linux
Affected: Linux Linux
Published at:
Updated at:

References

Link Tags
https://git.kernel.org/stable/c/017d85c94f02090a87f4a473dbe0d6ee0da72693 patch
https://git.kernel.org/stable/c/becb5191d1d5fdfca0198a2e37457bbbf4fe266f patch
https://git.kernel.org/stable/c/4c2b350b2e269e3fd17bbfa42de1b42775b777ac patch
https://git.kernel.org/stable/c/3df0411e132ee74a87aa13142dfd2b190275332e patch

Frequently Asked Questions

What is the severity of CVE-2023-52442?
CVE-2023-52442 has been scored as a medium severity vulnerability.
How to fix CVE-2023-52442?
To fix CVE-2023-52442, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2023-52442 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2023-52442 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2023-52442?
CVE-2023-52442 affects Linux Linux, Linux Linux.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.