
CVE-2024-46795: Vulnerability in Linux Linux

High
Published: Wed Sep 18 2024 (09/18/2024, 07:12:50 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: unset the binding mark of a reused connection

Steve French reported a null pointer dereference error from the sha256 lib. cifs.ko can send session setup requests on a reused connection. If the reused connection is used for a binding session, conn->binding can still remain true and generate_preauth_hash() will not set sess->Preauth_HashValue, so it will be NULL. It is used as material to create an encryption key in ksmbd_gen_smb311_encryptionkey. A NULL ->Preauth_HashValue causes a null pointer dereference error from crypto_shash_update().

BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: 0000 [#1] PREEMPT SMP PTI
CPU: 8 PID: 429254 Comm: kworker/8:39
Hardware name: LENOVO 20MAS08500/20MAS08500, BIOS N2CET69W (1.52 )
Workqueue: ksmbd-io handle_ksmbd_work [ksmbd]
RIP: 0010:lib_sha256_base_do_update.isra.0+0x11e/0x1d0 [sha256_ssse3]
<TASK>
? show_regs+0x6d/0x80
? __die+0x24/0x80
? page_fault_oops+0x99/0x1b0
? do_user_addr_fault+0x2ee/0x6b0
? exc_page_fault+0x83/0x1b0
? asm_exc_page_fault+0x27/0x30
? __pfx_sha256_transform_rorx+0x10/0x10 [sha256_ssse3]
? lib_sha256_base_do_update.isra.0+0x11e/0x1d0 [sha256_ssse3]
? __pfx_sha256_transform_rorx+0x10/0x10 [sha256_ssse3]
? __pfx_sha256_transform_rorx+0x10/0x10 [sha256_ssse3]
_sha256_update+0x77/0xa0 [sha256_ssse3]
sha256_avx2_update+0x15/0x30 [sha256_ssse3]
crypto_shash_update+0x1e/0x40
hmac_update+0x12/0x20
crypto_shash_update+0x1e/0x40
generate_key+0x234/0x380 [ksmbd]
generate_smb3encryptionkey+0x40/0x1c0 [ksmbd]
ksmbd_gen_smb311_encryptionkey+0x72/0xa0 [ksmbd]
ntlm_authenticate.isra.0+0x423/0x5d0 [ksmbd]
smb2_sess_setup+0x952/0xaa0 [ksmbd]
__process_request+0xa3/0x1d0 [ksmbd]
__handle_ksmbd_work+0x1c4/0x2f0 [ksmbd]
handle_ksmbd_work+0x2d/0xa0 [ksmbd]
process_one_work+0x16c/0x350
worker_thread+0x306/0x440
? __pfx_worker_thread+0x10/0x10
kthread+0xef/0x120
? __pfx_kthread+0x10/0x10
ret_from_fork+0x44/0x70
? __pfx_kthread+0x10/0x10
ret_from_fork_asm+0x1b/0x30
</TASK>

AI-Powered Analysis

Last updated: 06/29/2025, 01:55:50 UTC

Technical Analysis

CVE-2024-46795 is a vulnerability in the Linux kernel's ksmbd (Kernel SMB Daemon) component, which handles SMB (Server Message Block) protocol operations. The issue arises from improper handling of reused SMB connections during session binding. Specifically, when a connection is reused, the binding mark (conn->binding) may remain set to true, causing generate_preauth_hash() to skip setting the session's Preauth_HashValue. That value is critical because it is the material from which encryption keys are derived in the SMB 3.1.1 key generation routine (ksmbd_gen_smb311_encryptionkey). If Preauth_HashValue is NULL, crypto_shash_update() dereferences a null pointer and the kernel crashes. The vulnerability manifests as a kernel oops and page fault, resulting in denial of service through a kernel panic or crash. The stack trace shows the fault inside the sha256 hashing routines that ksmbd uses for its cryptographic operations. The flaw was reported by Steve French and affects Linux kernel versions containing the specified commit hashes. There is no indication of known exploits in the wild yet, and no CVSS score has been assigned. The vulnerability impacts the confidentiality and availability of SMB sessions handled by the kernel, potentially disrupting SMB file sharing on affected Linux systems.
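The control-flow defect described in the commit message and the analysis above, as an added C model written for this page; it is not ksmbd code, and the struct names, the toy hash value and the toy key derivation are stand-ins. A connection whose binding mark was left set from an earlier binding session is reused for a plain session setup: the binding path skips the preauth hash, the session's Preauth_HashValue stays NULL, and key derivation would dereference it. The model returns -1 where the kernel oopsed, and the fixed path clears the mark on a reused connection so the hash is computed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical stand-ins for ksmbd connection and session state; not the kernel's structs. */
struct conn { bool binding; };
struct sess { uint8_t preauth_buf[32]; uint8_t *Preauth_HashValue; };

/* Models the described behaviour: on the binding path the session's hash
 * pointer is left untouched, so a fresh session ends up with NULL. */
static void generate_preauth_hash(struct conn *c, struct sess *s)
{
    if (c->binding)
        return;
    memset(s->preauth_buf, 0xA5, sizeof s->preauth_buf); /* toy value in place of the SHA-512 chain */
    s->Preauth_HashValue = s->preauth_buf;
}

/* Key derivation that needs the hash. This version refuses with -1 when the
 * hash is missing; the vulnerable kernel dereferenced NULL here instead. */
static int gen_smb311_encryptionkey(const struct sess *s, uint8_t key[16])
{
    if (!s->Preauth_HashValue)
        return -1;
    for (int i = 0; i < 16; i++)
        key[i] = s->Preauth_HashValue[i] ^ 0x5C; /* toy KDF, not SMB 3.1.1's */
    return 0;
}

/* Session setup on a connection. 'reused' models cifs.ko sending a new session
 * setup on a connection previously used for binding; 'fixed' applies the fix. */
static int sess_setup(struct conn *c, struct sess *s, bool reused, bool fixed, uint8_t key[16])
{
    if (reused && fixed)
        c->binding = false;  /* the fix: a reused connection is no longer a binding one */
    generate_preauth_hash(c, s);
    return gen_smb311_encryptionkey(s, key);
}

/* Scenario from the report: binding mark left set, then a plain session setup. */
static int reused_conn_setup(bool fixed)
{
    struct conn c = { .binding = true };
    struct sess s = { .Preauth_HashValue = NULL };
    uint8_t key[16];
    return sess_setup(&c, &s, true, fixed, key);
}
```

reused_conn_setup(false) reproduces the failure path and reused_conn_setup(true) the patched path.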

Potential Impact

For European organizations, this vulnerability poses a significant risk to systems running Linux kernels with the vulnerable ksmbd implementation, particularly those using SMB for file sharing and network resource access. Exploitation can cause kernel crashes leading to denial of service, disrupting critical business operations reliant on SMB shares, such as file servers, collaboration platforms, and backup systems. Confidentiality could also be impacted if encryption keys are improperly handled, although the primary issue is a denial of service via kernel panic. Organizations with Linux-based SMB servers or network appliances are at risk of service outages, which could affect productivity and availability of shared resources. Given the widespread use of Linux in enterprise environments across Europe, especially in data centers and cloud infrastructure, the impact could be broad. Additionally, the kernel crash could be leveraged as a vector for further attacks if combined with other vulnerabilities, although no such exploits are currently known.

Mitigation Recommendations

1. Immediate patching: Apply the latest Linux kernel updates that address CVE-2024-46795 as soon as they become available from trusted Linux distribution vendors.
2. Kernel version management: Maintain an inventory of Linux kernel versions in use and prioritize upgrading vulnerable kernels.
3. SMB service hardening: Where possible, disable or restrict SMB services on Linux systems that do not require them, reducing the attack surface.
4. Connection reuse controls: Implement network-level controls to limit or monitor SMB session reuse behaviors until patches are applied.
5. Monitoring and alerting: Deploy kernel crash monitoring tools and log analysis to detect signs of exploitation attempts or kernel oops events related to ksmbd.
6. Segmentation: Isolate SMB servers in dedicated network segments with strict access controls to limit exposure.
7. Backup and recovery: Ensure robust backup procedures are in place to recover quickly from potential service disruptions caused by kernel crashes.

These steps go beyond generic advice by emphasizing kernel version tracking, network-level controls on SMB session reuse, and proactive monitoring for kernel faults specific to ksmbd.


Technical Details

Data Version
5.1
Assigner Short Name
Linux
Date Reserved
2024-09-11T15:12:18.279Z
Cisa Enriched
true
Cvss Version
null
State
PUBLISHED

Threat ID: 682d9827c4522896dcbe1328

Added to database: 5/21/2025, 9:08:55 AM

Last enriched: 6/29/2025, 1:55:50 AM

Last updated: 8/9/2025, 3:47:43 PM

Views: 14
