CVE-2026-52996

NONECVSS 0.0
0.0
EchelonGraph verdictMonitorLow exploitation likelihood right now — keep watching.
  • No confirmed exploitation signals yet
CISA-KEV: Not listedEPSS: 0%CVSS: Exploit: NoneExposed: 0

No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: fix durable fd leak on ClientGUID mismatch in durable v2 open

ksmbd_lookup_fd_cguid() returns a ksmbd_file with its refcount incremented via ksmbd_fp_get(). parse_durable_handle_context() in the DURABLE_REQ_V2 case properly releases this reference on every path inside the ClientGUID-match branch, either by calling ksmbd_put_durable_fd() or by transferring ownership to dh_info->fp for a successful reconnect. However, when an entry exists in the global file table with the same CreateGuid but a different ClientGUID, the code simply falls through to the new-open path without dropping the reference obtained from ksmbd_lookup_fd_cguid().

Per MS-SMB2 section 3.3.5.9.10 ("Handling the SMB2_CREATE_DURABLE_HANDLE_REQUEST_V2 Create Context"), the server MUST locate an Open whose Open.CreateGuid matches the request's CreateGuid AND whose Open.ClientGuid matches the ClientGuid of the connection that received the request. If no such Open is found, the server MUST continue with the normal open execution phase. A CreateGuid hit with a ClientGUID mismatch is therefore the "Open not found" case: proceeding with a new open is correct, but the reference obtained purely as a side effect of the lookup must not be leaked.

Repeated requests that hit this mismatch pin global_ft entries, prevent __ksmbd_close_fd() from ever running for the corresponding files, and defeat the durable scavenger, leading to long-lived resource leaks.

Release the reference in the mismatch path and clear dh_info->fp so subsequent logic does not mistake a non-matching lookup result for a reconnect target.

CVSS v3
EG Score
0.0(none)
EPSS
8.6%
KEV
Not listed

Published

June 24, 2026

Last Modified

June 24, 2026

Vendor Advisories for CVE-2026-52996(2)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

Data Freshness Timeline

(refreshed 11× in last 7d / 22× in last 30d)

Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.

  1. 2026-07-06 16:27 UTCEPSS rescore
  2. 2026-07-06 16:27 UTCEPSS rescore
  3. 2026-07-06 02:23 UTCEPSS rescore
  4. 2026-07-06 02:23 UTCEPSS rescore
  5. 2026-07-05 02:31 UTCEPSS rescore
  6. 2026-07-05 02:30 UTCEPSS rescore
  7. 2026-07-04 06:31 UTCEPSS rescore
  8. 2026-07-04 05:20 UTCGHSA enrichment
  9. 2026-07-01 15:07 UTCEPSS rescore
  10. 2026-07-01 01:40 UTCGHSA enrichment
  11. 2026-06-30 23:22 UTCEPSS rescore
  12. 2026-06-29 14:06 UTCEPSS rescore
  13. 2026-06-29 14:06 UTCEPSS rescore
  14. 2026-06-28 14:07 UTCEPSS rescore
  15. 2026-06-28 04:56 UTCEPSS rescore
  16. 2026-06-28 04:56 UTCEPSS rescore
  17. 2026-06-27 22:02 UTCEG score recompute
  18. 2026-06-27 22:02 UTCGHSA enrichment
  19. 2026-06-27 03:08 UTCEPSS rescore
  20. 2026-06-25 13:49 UTCEPSS rescore
  21. 2026-06-24 18:24 UTCEG score recompute
  22. 2026-06-24 18:02 UTCNVD updatefirst tracked

Frequently asked(4)

What is CVE-2026-52996?
CVE-2026-52996 is a none vulnerability published on June 24, 2026. In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix durable fd leak on ClientGUID mismatch in durable v2 open ksmbdlookupfdcguid() returns a ksmbdfile with its refcount incremented via ksmbdfpget(). parsedurablehandle_context() in the DURABLEREQV2 case properly releases…
When was CVE-2026-52996 disclosed?
CVE-2026-52996 was first published in the National Vulnerability Database on June 24, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
Is CVE-2026-52996 actively exploited?
CVE-2026-52996 is not currently on CISA's Known Exploited Vulnerabilities catalog. FIRST EPSS estimates a 8.6% percentile likelihood of exploitation in the next 30 days — higher percentiles indicate greater predicted risk.
How do I remediate CVE-2026-52996?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-52996, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

Explore the affected products and dependency analysis for CVE-2026-52996

Explore →

Is Your Infrastructure Affected by CVE-2026-52996?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.