ksmbd multichannel race: what kernel teams need to fix

TL;DR: A missing lock in Linux ksmbd’s SMB3 multichannel can free a channel struct while another thread still reads it, exposing the per-channel AES-128-CMAC signing key and sometimes crashing the kernel, according to Orca Security. Kernel-native file sharing now carries a race-condition risk that identity teams must treat as privileged network access, not routine SMB traffic.

NHIMG editorial — based on content published by Orca Security: ksmbd SMB3 multichannel race exposes kernel signing keys

By the numbers:

• The vulnerability needs valid SMB credentials and network access to port 445.
• The exploit window hits about 8 to 11 times per 500-iteration run on a 4-core machine.
• The first hit typically appears within 60 to 120 seconds.

Questions worth separating out

Q: What breaks when ksmbd multichannel is not properly synchronised?

A: The channel list can be read after it has been freed, which means ksmbd may expose the SMB3 signing key or crash the kernel.

Q: Why do valid SMB credentials still matter in this vulnerability?

A: Because the attack requires an authenticated session before the binding path is accepted.

Q: How can security teams know whether ksmbd multichannel creates real exposure?

A: Check three signals together: ksmbd is installed, SMB3 multichannel is enabled, and port 445 is reachable from networks an attacker could use.

Practitioner guidance

• Disable SMB3 multichannel where it is not required Remove the binding code path entirely on ksmbd systems that do not need concurrent channels.
• Inventory ksmbd exposure on port 445 Find every Linux asset running ksmbd and confirm whether port 445 is reachable from untrusted networks.
• Treat SMB signing keys as short-lived session assets Review whether server-side signing material is stored or reused in ways that assume session state remains stable.

What's in the full article

Orca Security's full analysis covers the operational detail this post intentionally leaves for the source:

• The exact PoC evolution, including the Impacket patch used to reach the binding path without reimplementing SMB3 signing.
• KASAN output and lab conditions that confirmed the race on a 4-core test system.
• The full patch detail, including how the fix wraps all five access points around the channel list.
• Detection and interim mitigation guidance for environments that cannot patch immediately.

👉 Read Orca Security's analysis of the ksmbd SMB3 multichannel race →

ksmbd multichannel race: what kernel teams need to fix?

Explore further

View Full Forum →  |  NHI Foundation Course →