TL;DR: A missing lock in Linux ksmbd’s SMB3 multichannel can free a channel struct while another thread still reads it, exposing the per-channel AES-128-CMAC signing key and sometimes crashing the kernel, according to Orca Security. Kernel-native file sharing now carries a race-condition risk that identity teams must treat as privileged network access, not routine SMB traffic.
At a glance
What this is: A race condition in Linux ksmbd SMB3 multichannel can expose a freed channel’s signing key and trigger kernel panic.
Why it matters: Linux file-sharing services can turn authenticated SMB access into kernel-level impact, forcing IAM and platform teams to treat service access, signing keys, and network exposure as one control plane.
By the numbers:
- The vulnerability needs valid SMB credentials and network access to port 445.
- The race window is hit about 8 to 11 times per 500-iteration run on a 4-core machine.
- The first hit typically appears within 60 to 120 seconds.
👉 Read Orca Security's analysis of the ksmbd SMB3 multichannel race
Context
ksmbd is the Linux kernel-native SMB server, so a flaw in its multichannel handling is not a userspace bug but a kernel trust problem. The key issue is that authenticated file-sharing traffic can collide with shared session state that is not safely synchronised.
This matters for NHI governance because SMB signing keys, service credentials, and network exposure sit in the same operational path. When a server-side identity structure is freed while still being read, the result is not just a crash risk but a direct break in how machine access is supposed to be controlled and verified.
The article’s starting position is typical for kernel concurrency bugs but atypical in one respect: the vulnerable path is gated by valid authentication and a specific SMB3 binding flow, which makes it harder to spot with perimeter-only controls. That combination is exactly why identity-aware asset discovery and workload exposure mapping matter here.
Key questions
Q: What breaks when ksmbd multichannel is not properly synchronised?
A: The channel list can be read after it has been freed, which means ksmbd may expose the SMB3 signing key or crash the kernel. The failure is not just a memory-safety bug. It is a shared-session state problem where one connection tears down objects that another connection still assumes are valid.
Q: Why do valid SMB credentials still matter in this vulnerability?
A: Because the attack requires an authenticated session before the binding path is accepted. That means the risk sits inside legitimate machine access, not anonymous probing. IAM teams should read this as a reminder that authenticated service traffic can still produce severe impact when the server-side identity state is weakly governed.
Q: How can security teams know whether ksmbd multichannel creates real exposure?
A: Check three signals together: ksmbd is installed, SMB3 multichannel is enabled, and port 445 is reachable from networks an attacker could use. Any one control alone is insufficient. Real risk appears when the service, the protocol feature, and the exposure path line up on the same asset.
Q: What should teams do first after learning that a kernel SMB service is exposed?
A: Patch to the fixed kernel immediately, then disable multichannel until you can verify the change everywhere. After that, confirm which systems still expose port 445 and whether the service is actually needed. Containment should focus on removing the binding path and shrinking the reachable machine identity surface.
Technical breakdown
SMB3 multichannel and the binding path
SMB3 multichannel lets one authenticated session use multiple TCP connections at the same time. In ksmbd, those connections are tracked as channels inside a session object, and new channels are added through a binding request that must match the original dialect, be signed, and reference the existing session ID. The bug lives in that binding path, not in authentication itself. Once the second connection is accepted, ksmbd reads shared channel state without a protective lock while another path may be deleting it.
Practical implication: Treat multichannel as a concurrency feature that expands the attack surface of the server-side identity state. Disable it where it is not required, and review the binding code path as a shared-state risk rather than a protocol feature.
Use-after-free in the channel list
ksmbd stores active channels in an XArray, a kernel sparse array that maps integer keys to pointers. The read side calls xa_load() with no lock, while the delete side calls xa_erase() followed by kfree(), which releases the memory immediately. Without a read-side lock, a reference count, or an RCU-style deferred free, one thread can dereference a pointer after another thread has released it. That is the classic use-after-free pattern, but here it affects a structure that also carries the SMB3 signing key.
Practical implication: Synchronise every access to shared session state, not just the mutation path. Audit every channel-list access for lock coverage and require deferred-free semantics wherever concurrent readers exist.
Why the race can expose the signing key
The freed object is a small channel structure that holds the per-channel AES-128-CMAC signing key and a connection pointer. If the memory slot has not been overwritten, the lookup still returns the original key, allowing forged or replayed signed traffic for that channel. If the slot has been reused, the server reads garbage and crashes when it dereferences stale pointers. The window is wider than it looks because teardown only drains work on the connection being closed, not every connection sharing the session, so a worker on another connection can still read the freed structure.
Practical implication: Model teardown at the session level. Per-connection draining does not protect shared multichannel state, and session-level teardown must match session-level concurrency or the cleanup path becomes a live exploit window.
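The lookup-then-free pattern in the channel list and the session-level teardown problem above, as an added userspace model (not ksmbd's code or Orca's): a plain pointer table stands in for the XArray, a C11 atomic for the kernel lock, and every name (chan, chan_table, chan_lookup_get, chan_teardown, run_scenario) is hypothetical. It shows why erasing an entry must not free the struct while another worker still holds it.

```c
/* Added example, not ksmbd's code: a userspace model of the channel-list
 * lifetime bug and a refcounted fix. A pointer table stands in for the
 * XArray, a C11 atomic for the kernel lock; all names are hypothetical. */
#include <stdatomic.h>
#include <stdlib.h>
#include <string.h>
#define KEY_LEN 16                               /* AES-128-CMAC key length */
struct chan { unsigned char sign_key[KEY_LEN]; _Atomic int refs; };
static struct chan *chan_table[8];               /* the session's channel list */
static int freed_count;                          /* real frees, for checking */
static void chan_add(int id, const unsigned char *key)
{
    struct chan *c = calloc(1, sizeof *c);
    memcpy(c->sign_key, key, KEY_LEN);
    atomic_store(&c->refs, 1);                   /* the table's own reference */
    chan_table[id] = c;
}
/* Bug: a bare chan_table[id] read (an unlocked xa_load()) that teardown can
 * free underneath. Fix: pin a reference while the entry is still published. */
static struct chan *chan_lookup_get(int id)
{
    struct chan *c = chan_table[id];
    if (c) atomic_fetch_add(&c->refs, 1);       /* kernel: same lock/RCU as the load */
    return c;
}
static void chan_put(struct chan *c)
{
    if (atomic_fetch_sub(&c->refs, 1) != 1) return;   /* others still hold it */
    memset(c->sign_key, 0, KEY_LEN);                  /* wipe key before free */
    free(c); freed_count++;
}
/* Teardown erases the entry and drops only the table's reference. */
static void chan_teardown(int id)
{
    struct chan *c = chan_table[id];
    if (c) { chan_table[id] = NULL; chan_put(c); }
}
/* Reader holds channel 0 across teardown; 1 = key intact, freed once after put. */
static int run_scenario(void)
{
    static const unsigned char key[KEY_LEN] = {1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16};
    freed_count = 0; chan_add(0, key);           /* constructed sample key */
    struct chan *c = chan_lookup_get(0);         /* worker on the bound connection */
    chan_teardown(0);                            /* closing path on the other one */
    if (chan_table[0] || freed_count) return 0;  /* erased, but not yet freed */
    int intact = memcmp(c->sign_key, key, KEY_LEN) == 0;
    chan_put(c);                                 /* last ref: key wiped, struct freed */
    return intact && freed_count == 1;
}
```

In the real kernel the load and the reference take must sit under one lock or an RCU read-side section; the single-threaded model only shows the lifetime rule, not the timing.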
Threat narrative
Attacker objective: The attacker aims to recover or abuse the per-channel SMB3 signing key and destabilise the kernel.
- Entry occurs when an attacker with valid SMB credentials reaches ksmbd over port 445 and establishes a primary session followed by a bound multichannel connection.
- Credential access occurs when the attacker races the teardown path and reads a freed channel struct that still contains the SMB3 signing key.
- Escalation and impact follow when the attacker forges signed traffic or forces stale-pointer dereference, leading to signature bypass or kernel panic.
Breaches seen in the wild
- Schneider Electric credentials breach — exposed credentials gave attackers access to Schneider Electric Jira, exfiltrating 40GB.
- JetBrains GitHub plugin token exposure — CVE-2024-37051 in JetBrains IntelliJ GitHub plugin exposed GitHub access tokens.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
ksmbd multichannel turns a session object into privileged identity state, not just a transport optimisation. The article shows that one authenticated SMB session can fan out across multiple connections while sharing the same server-side objects and signing material. That means a file-sharing feature becomes a governed identity surface, where concurrency bugs affect confidentiality, integrity, and availability at once. Practitioners should classify ksmbd multichannel as a high-risk machine identity path, not ordinary LAN file access.
The specific failure mode here is shared-state lifetime drift. The channel struct was designed for a world where read and delete operations would not overlap without protection, but multichannel makes overlap normal. This breach class is not about weak authentication. It is about a kernel object being freed while another execution path still assumes it is live. The implication is that any NHI control built on stable object lifetime must be revalidated against concurrent teardown.
Session-bound signing keys are a fragile trust boundary when the server can self-delete the object that holds them. The key is not merely stored in memory, it is embedded in an access path that determines whether SMB3 traffic is trusted. Once that object can be read after free, the identity boundary itself becomes transient and attacker-timed. Practitioners should treat server-side signing material as part of the identity lifecycle, not just cryptographic state.
Kernel-native file services collapse the distance between identity governance and platform reliability. A flaw in ksmbd does not stay inside the SMB stack. It reaches kernel memory management, session teardown, and network exposure in one chain, which is why the control problem crosses IAM, PAM, and infrastructure teams. The practical conclusion is that NHI governance must extend to service daemons that are effectively privileged runtime identities.
52 NHI Breaches Analysis remains the right reference frame for this class of issue because the same pattern keeps recurring: access outlives safe control. In this case, a channel object remained reachable long enough for another thread to consume freed state. That is a governance failure before it is a bug class. Security teams should read it as a lifecycle mismatch between access, teardown, and verification.
From our research:
- The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
- Only 44% of developers are reported to follow security best practices for secrets management, which helps explain why exposed credentials and related control gaps persist in production systems.
- That operational gap is why practitioners should pair exposure discovery with lifecycle governance, as discussed in 52 NHI Breaches Analysis.
What this signals
Shared-state identity objects are the pressure point. This vulnerability shows that machine identity controls fail when the object holding trust material can be destroyed while other workers still depend on it. The same pattern appears in service account sprawl, token reuse, and workload teardown problems, so teams need to think in terms of lifecycle boundaries rather than static permissions.
ksmbd multichannel also reinforces a broader programme signal: network reachability plus valid credentials is enough to create a high-impact kernel exposure when the server side does not enforce session-level coordination. That is why asset inventory, identity inventory, and protocol feature inventory have to be correlated, not managed as separate lists.
The next phase of this problem space is better recognition of identity blast radius, especially for privileged services that combine transport, signing, and teardown in one runtime. Teams that can already map machine identities to exposed services will have a much easier time containing concurrency bugs like this one when they appear again.
For practitioners
- Disable SMB3 multichannel where it is not required: Remove the binding code path entirely on ksmbd systems that do not need concurrent channels. That eliminates the race condition rather than trying to time-box it, and it is the cleanest interim control when kernel patching is delayed.
- Inventory ksmbd exposure on port 445: Find every Linux asset running ksmbd and confirm whether port 445 is reachable from untrusted networks. Combine exposure data with kernel version filtering so you can isolate systems that both run the service and carry the vulnerable build.
- Treat SMB signing keys as short-lived session assets: Review whether server-side signing material is stored or reused in ways that assume session state remains stable. A signing key that survives unsafe teardown becomes an identity control failure, not only a cryptographic concern.
Key takeaways
- This ksmbd flaw is a use-after-free in shared SMB3 channel state, which turns a protocol feature into a kernel-level identity failure.
- The impact is measurable and severe: attackers need valid credentials, but the race can expose signing keys or crash the kernel once the session binding path is reached.
- The most direct mitigation is to remove multichannel exposure and patch the kernel, because the bug is rooted in unsynchronised object lifetime rather than in authentication alone.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | The flaw exposes trust material tied to a non-human service path. |
| NIST CSF 2.0 | PR.AC-4 | Authenticated access still needs least-privilege and segmentation. |
| NIST Zero Trust (SP 800-207) | PR.AC | Remote SMB access should be continuously constrained, not assumed safe after login. |
Limit SMB exposure and validate that authenticated service access cannot reach unnecessary kernel paths.
Key terms
- ksmbd: ksmbd is the Linux kernel-native SMB server that handles file sharing inside the kernel instead of a userspace daemon. That architecture reduces overhead but also raises the blast radius of any defect because bugs can reach kernel memory, session state, and network-facing identity handling at once.
- SMB3 multichannel: SMB3 multichannel allows one authenticated SMB session to use multiple TCP connections at the same time. In practice, it increases throughput, but it also creates shared server-side state that must be synchronised carefully because several worker paths may read and delete the same channel data concurrently.
- Use-after-free: A use-after-free occurs when code continues to read or write memory after it has already been released. In kernel networking paths, this often becomes a security issue because stale pointers can expose secrets, corrupt control flow, or crash the system under the right timing conditions.
- XArray: XArray is a Linux kernel sparse array used to store pointers by integer key. It is efficient for shared kernel data structures, but it does not replace external locking. When readers and deleters operate concurrently without coordination, XArray-based state can still become unsafe.
Deepen your knowledge
ksmbd SMB3 multichannel race analysis is covered in the NHI Foundation Level course, the industry's only accredited NHI security programme. If you are mapping privileged service paths and shared session state, it is worth exploring for your programme.
This post draws on content published by Orca Security: ksmbd SMB3 multichannel race exposes kernel signing keys. Read the original.
Published by the NHIMG editorial team on 2026-04-08.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org