CVE-2026-23220

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 18/02/2026
Last modified: 18/03/2026

Description

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: fix infinite loop caused by next_smb2_rcv_hdr_off reset in error paths

The problem occurs when a signed request fails the smb2 signature verification check. In __process_request(), if check_sign_req() returns an error, set_smb2_rsp_status(work, STATUS_ACCESS_DENIED) is called. set_smb2_rsp_status() sets work->next_smb2_rcv_hdr_off to zero. By resetting next_smb2_rcv_hdr_off to zero, the pointer to the next command in the chain is lost. Consequently, is_chained_smb2_message() continues to point to the same request header instead of advancing. If the header's NextCommand field is non-zero, the function returns true, causing __handle_ksmbd_work() to repeatedly process the same failed request in an infinite loop. This results in the kernel log being flooded with "bad smb2 signature" messages and high CPU usage.

This patch fixes the issue by changing the return value from SERVER_HANDLER_CONTINUE to SERVER_HANDLER_ABORT. This ensures that the processing loop terminates immediately rather than attempting to continue from an invalidated offset.
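
The loop described above, reduced to a user-space C model (an added example, not the kernel's code): it shows why continuing after the offset reset never terminates and why aborting does. The struct layout, the slot-based NextCommand, the names `process_request`, `is_chained` and `handle_work`, and the pass cap are assumptions made for illustration.

```c
#include <stdio.h>

enum { HANDLER_CONTINUE, HANDLER_ABORT };

/* Constructed stand-in for an SMB2 header in a compound request.
 * Simplification: next_command counts header slots, not bytes. */
struct hdr { unsigned next_command; int sig_ok; };
struct work { const struct hdr *req; unsigned next_smb2_rcv_hdr_off; };

/* Models __process_request(): on a bad signature the error path
 * (set_smb2_rsp_status) zeroes next_smb2_rcv_hdr_off. */
static int process_request(struct work *w, int on_sig_error)
{
    if (w->req[w->next_smb2_rcv_hdr_off].sig_ok)
        return HANDLER_CONTINUE;
    w->next_smb2_rcv_hdr_off = 0;   /* chain position lost */
    return on_sig_error;
}

/* Models is_chained_smb2_message(): step forward if NextCommand != 0. */
static int is_chained(struct work *w)
{
    unsigned next = w->req[w->next_smb2_rcv_hdr_off].next_command;
    w->next_smb2_rcv_hdr_off += next;
    return next != 0;
}

/* Models the loop in __handle_ksmbd_work(); returns passes made, capped
 * so the pre-patch behaviour can be observed without hanging. */
unsigned handle_work(const struct hdr *req, int on_sig_error, unsigned cap)
{
    struct work w = { req, 0 };
    unsigned passes = 0;
    do {
        passes++;
        if (process_request(&w, on_sig_error) == HANDLER_ABORT)
            break;
    } while (is_chained(&w) && passes < cap);
    return passes;
}

/* Constructed three-command chain; the middle command fails verification. */
const struct hdr chain[] = { {1, 1}, {1, 0}, {0, 1} };

int main(void)
{
    printf("pre-patch (CONTINUE): %u passes (cap hit)\n",
           handle_work(chain, HANDLER_CONTINUE, 1000));
    printf("patched (ABORT): %u passes\n",
           handle_work(chain, HANDLER_ABORT, 1000));
    return 0;
}
```

In the model, returning CONTINUE always exhausts whatever cap is supplied, while returning ABORT stops on the second pass, at the command that failed verification.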

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.15.145 (including) 5.16 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.1.71 (including) 6.1.164 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.6.1 (including) 6.6.125 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7 (including) 6.12.72 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.13 (including) 6.18.11 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.19 (including) 6.19.1 (excluding)
cpe:2.3:o:linux:linux_kernel:6.6:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.6:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.6:rc7:*:*:*:*:*:*