VYPR
Unrated severity · NVD Advisory · Published Dec 30, 2025 · Updated Apr 15, 2026

CVE-2023-54203


Description

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: fix slab-out-of-bounds in init_smb2_rsp_hdr

When smb1 mount fails, KASAN detects slab-out-of-bounds in init_smb2_rsp_hdr like the following one. For smb1 negotiate (56 bytes), init_smb2_rsp_hdr() for smb2 is called. The issue occurs while handling smb1 negotiate as smb2 server operations. Add smb server operations for smb1 (get_cmd_val, init_rsp_hdr, allocate_rsp_buf, check_user_session) to handle smb1 negotiate so that smb2 server operation does not handle it.

[ 411.400423] CIFS: VFS: Use of the less secure dialect vers=1.0 is not recommended unless required for access to very old servers
[ 411.400452] CIFS: Attempting to mount \\192.168.45.139\homes
[ 411.479312] ksmbd: init_smb2_rsp_hdr : 492
[ 411.479323] ==================================================================
[ 411.479327] BUG: KASAN: slab-out-of-bounds in init_smb2_rsp_hdr+0x1e2/0x1f4 [ksmbd]
[ 411.479369] Read of size 16 at addr ffff888488ed0734 by task kworker/14:1/199

[ 411.479379] CPU: 14 PID: 199 Comm: kworker/14:1 Tainted: G OE 6.1.21 #3
[ 411.479386] Hardware name: ASUSTeK COMPUTER INC. Z10PA-D8 Series/Z10PA-D8 Series, BIOS 3801 08/23/2019
[ 411.479390] Workqueue: ksmbd-io handle_ksmbd_work [ksmbd]
[ 411.479425] Call Trace:
[ 411.479428]
[ 411.479432] dump_stack_lvl+0x49/0x63
[ 411.479444] print_report+0x171/0x4a8
[ 411.479452] ? kasan_complete_mode_report_info+0x3c/0x200
[ 411.479463] ? init_smb2_rsp_hdr+0x1e2/0x1f4 [ksmbd]
[ 411.479497] kasan_report+0xb4/0x130
[ 411.479503] ? init_smb2_rsp_hdr+0x1e2/0x1f4 [ksmbd]
[ 411.479537] kasan_check_range+0x149/0x1e0
[ 411.479543] memcpy+0x24/0x70
[ 411.479550] init_smb2_rsp_hdr+0x1e2/0x1f4 [ksmbd]
[ 411.479585] handle_ksmbd_work+0x109/0x760 [ksmbd]
[ 411.479616] ? _raw_spin_unlock_irqrestore+0x50/0x50
[ 411.479624] ? smb3_encrypt_resp+0x340/0x340 [ksmbd]
[ 411.479656] process_one_work+0x49c/0x790
[ 411.479667] worker_thread+0x2b1/0x6e0
[ 411.479674] ? process_one_work+0x790/0x790
[ 411.479680] kthread+0x177/0x1b0
[ 411.479686] ? kthread_complete_and_exit+0x30/0x30
[ 411.479692] ret_from_fork+0x22/0x30
[ 411.479702]

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

KSMBD (SMB kernel server) mishandles SMB1 negotiate requests by incorrectly routing them to SMB2 response handlers, causing a slab-out-of-bounds read.

Vulnerability

CVE-2023-54203 is a slab-out-of-bounds read bug in the Linux kernel's KSMBD (ksmbd) SMB server. The root cause is that when an SMB1 dialect mount attempt fails, the init_smb2_rsp_hdr function is called to build a response for what is actually an SMB1 negotiate packet. Because SMB1 negotiate packets are only 56 bytes, the code reads beyond the allocated buffer when trying to copy fields expected for an SMB2 header, leading to a KASAN-detected out-of-bounds access.[1]

Exploitation

The vulnerability is triggered by an unauthenticated remote attacker sending a crafted SMB1 negotiate request to a KSMBD server. The server incorrectly handles this SMB1 request using its SMB2 code paths, specifically calling init_smb2_rsp_hdr, which blindly copies 16 bytes from the incoming packet without verifying that the packet is actually an SMB2 payload. No authentication is required; the attack surface is the network-facing SMB endpoint.[1]

Impact

A successful exploit results in a kernel slab-out-of-bounds read, which can potentially leak sensitive kernel memory or cause a denial of service (system crash or hang). The oops shown in the advisory indicates a KASAN report with a read of size 16 at an invalid address. While the primary impact is information disclosure and system instability, such memory corruption bugs may also be leveraged for privilege escalation in conjunction with other vulnerabilities.[1]

Mitigation

The fix, committed to the Linux kernel stable branch, introduces dedicated SMB1 server operations (get_cmd_val, init_rsp_hdr, allocate_rsp_buf, check_user_session) so that SMB1 negotiate requests are handled by SMB1-specific code, preventing the SMB2 response handler from being invoked on undersized SMB1 packets.[1] Users should update their kernel to include the patch from commit a8334a0c535d (or subsequent backports).
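The dispatch the fix relies on, reduced to a stand-alone check, as an added example that is not ksmbd's code: the request is routed on its protocol id and must carry a complete header of that dialect before any SMB2 field is touched. Header sizes and the Signature offset are taken from MS-CIFS and MS-SMB2; the sample buffers are constructed, not captured traffic.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SMB1_HDR_SIZE   32u   /* fixed SMB1 header (MS-CIFS) */
#define SMB2_HDR_SIZE   64u   /* fixed SMB2 header (MS-SMB2) */
#define SMB2_SIG_OFFSET 48u   /* SMB2 Signature: 16 bytes at offset 48..63 */
#define SMB2_SIG_LEN    16u

enum smb_route { ROUTE_REJECT = 0, ROUTE_SMB1, ROUTE_SMB2 };

/* Route on the 4-byte protocol id and require a complete header of that
 * dialect before any header field is read. Anything else is rejected. */
enum smb_route classify_smb_request(const uint8_t *buf, size_t len)
{
    static const uint8_t smb1_id[4] = { 0xFF, 'S', 'M', 'B' };
    static const uint8_t smb2_id[4] = { 0xFE, 'S', 'M', 'B' };

    if (len < 4)
        return ROUTE_REJECT;
    if (memcmp(buf, smb2_id, 4) == 0)
        return len >= SMB2_HDR_SIZE ? ROUTE_SMB2 : ROUTE_REJECT;
    if (memcmp(buf, smb1_id, 4) == 0)
        return len >= SMB1_HDR_SIZE ? ROUTE_SMB1 : ROUTE_REJECT;
    return ROUTE_REJECT;
}

/* Bytes a 16-byte Signature copy from an assumed SMB2 header would read past
 * a buffer of `len` bytes. Computed, never performed: 56 -> 8, 64 -> 0. */
size_t smb2_signature_overrun(size_t len)
{
    size_t end = SMB2_SIG_OFFSET + SMB2_SIG_LEN;
    return len >= end ? 0 : end - len;
}

/* Guarded copy: touches the Signature only after the buffer has been
 * classified as a complete SMB2 header, so the memcpy cannot overrun. */
int copy_smb2_signature(const uint8_t *buf, size_t len, uint8_t out[SMB2_SIG_LEN])
{
    if (classify_smb_request(buf, len) != ROUTE_SMB2)
        return -1;
    memcpy(out, buf + SMB2_SIG_OFFSET, SMB2_SIG_LEN);
    return 0;
}

/* Constructed samples (not captured traffic): a 56-byte SMB1 negotiate and a
 * 64-byte SMB2 header whose StructureSize field (offset 4) is 64. */
const uint8_t sample_smb1_negotiate[56] = { 0xFF, 'S', 'M', 'B', 0x72 /* SMB_COM_NEGOTIATE */ };
const uint8_t sample_smb2_header[64]    = { 0xFE, 'S', 'M', 'B', 64, 0 };
```

The 56-byte SMB1 sample is routed to ROUTE_SMB1 and the guarded copy refuses it, while smb2_signature_overrun(56) reports the 8 bytes an unguarded SMB2 Signature copy would have read past the end of such a buffer.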

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
