CVE-2026-8449: Linux ksmbd Heap Corruption Allows Remote Kernel RCE

The National Vulnerability Database has published CVE-2026-8449, a remote memory corruption vulnerability in the ACL inheritance path of Linux ksmbd, the in-kernel SMB3 file server. A remote client that can create directories on a share can trigger a heap out-of-bounds read that leads to heap corruption. The reported trigger sequence is: create a directory, set a DACL on it via SMB2_SET_INFO that carries a SID whose num_subauth field is inflated beyond the sub-authorities actually present, then create child entries so that the server inherits the malformed ACL onto them.

NVD rates the flaw CVSS 8.8 (HIGH). Successful exploitation causes kernel instability and denial of service; because the corruption lands in kernel heap memory, NVD also lists privilege escalation up to kernel code execution as a potential outcome. The score stops short of critical because the attacker must already authenticate to the share: 8.8 corresponds to the network-reachable, low-privilege, no-user-interaction vector.

NVD has not yet listed affected products or fixed versions, so treat every kernel that has ksmbd built in or loaded as affected until a fix is identified. The precondition is modest: an authenticated share user who may create directories, not an administrator. Defenders should treat this as a remote kernel compromise vector and prepare to patch.
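To make the bug class concrete, here is an added example written for this page: a minimal parser for the on-wire DACL that a client sends in SMB2_SET_INFO, with the unchecked pattern that trusts the SID's sub-authority count beside a bounds-checked version. It is illustrative code, not ksmbd's parser and not the fix for CVE-2026-8449; the wire layouts follow MS-DTYP (SID, ACCESS_ALLOWED_ACE, ACL), the sample DACL is constructed inline, and the forged count mirrors the "inflated num_subauth" shape the indicators table describes.

```c
/* Added example (not ksmbd code, not the CVE's patch): an MS-DTYP DACL/SID
 * parser showing the vulnerable pattern next to a bounds-checked one. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SID_MAX_SUB_AUTH 15  /* MS-DTYP: at most 15 sub-authorities per SID */
#define SID_HDR_LEN       8  /* Revision(1) SubAuthorityCount(1) IdentifierAuthority(6) */
#define ACL_HDR_LEN       8  /* AclRevision(1) Sbz1(1) AclSize(2) AceCount(2) Sbz2(2) */
#define ACE_HDR_LEN       4  /* AceType(1) AceFlags(1) AceSize(2) */

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* VULNERABLE PATTERN: size a SID from its own count byte alone. A caller that
 * copies or iterates this many bytes trusts the client; an inflated count walks
 * past the end of the heap buffer the request was received into. */
static size_t sid_len_unchecked(const uint8_t *sid)
{
    return SID_HDR_LEN + 4u * sid[1];
}

/* HARDENED: the SID must fit in the `avail` bytes actually received and respect
 * the protocol maximum; only then is its length trusted. */
static bool sid_len_checked(const uint8_t *sid, size_t avail, size_t *out_len)
{
    if (avail < SID_HDR_LEN || sid[0] != 1)  /* short buffer or bad Revision */
        return false;
    if (sid[1] > SID_MAX_SUB_AUTH)            /* more than a SID can hold */
        return false;
    size_t len = SID_HDR_LEN + 4u * sid[1];
    if (len > avail)                          /* inflated count: would read past data */
        return false;
    *out_len = len;
    return true;
}

/* Walk every ACE in a DACL, bounding the ACL header, each ACE and its embedded
 * SID against `len`, the byte count really received.
 * Returns the number of ACEs accepted, or -1 at the first malformed field. */
static int dacl_walk_checked(const uint8_t *acl, size_t len)
{
    if (len < ACL_HDR_LEN)
        return -1;
    uint16_t acl_size  = le16(acl + 2);
    uint16_t ace_count = le16(acl + 4);
    if (acl_size < ACL_HDR_LEN || acl_size > len)  /* header disagrees with data */
        return -1;
    size_t off = ACL_HDR_LEN;
    for (uint16_t i = 0; i < ace_count; i++) {
        if (acl_size - off < ACE_HDR_LEN)
            return -1;
        uint16_t ace_size = le16(acl + off + 2);
        /* ACCESS_ALLOWED/DENIED ACE = header + 4-byte Mask + SID */
        if (ace_size < ACE_HDR_LEN + 4 || ace_size > acl_size - off)
            return -1;
        size_t sid_len;
        if (!sid_len_checked(acl + off + ACE_HDR_LEN + 4,
                             (size_t)ace_size - ACE_HDR_LEN - 4, &sid_len))
            return -1;
        off += ace_size;
    }
    return ace_count;
}

/* Constructed sample: one ACCESS_ALLOWED_ACE granting GENERIC_ALL to
 * S-1-5-21-1-2-3-1000 (5 real sub-authorities). `count` is written into the
 * SubAuthorityCount byte so a caller can forge it without adding bytes. */
static size_t build_sample_dacl(uint8_t *buf, uint8_t count)
{
    static const uint32_t subs[5] = { 21, 1, 2, 3, 1000 };
    static const uint8_t nt_authority[6] = { 0, 0, 0, 0, 0, 5 };
    const uint16_t ace_size = ACE_HDR_LEN + 4 + SID_HDR_LEN + 4 * 5;  /* 36 */
    const uint16_t acl_size = ACL_HDR_LEN + ace_size;                 /* 44 */
    uint8_t *p = buf;
    *p++ = 2; *p++ = 0;                                   /* AclRevision=2, Sbz1 */
    *p++ = (uint8_t)acl_size; *p++ = (uint8_t)(acl_size >> 8);
    *p++ = 1; *p++ = 0;                                   /* AceCount=1 */
    *p++ = 0; *p++ = 0;                                   /* Sbz2 */
    *p++ = 0; *p++ = 0;                                   /* ACCESS_ALLOWED_ACE_TYPE, AceFlags */
    *p++ = (uint8_t)ace_size; *p++ = (uint8_t)(ace_size >> 8);
    *p++ = 0; *p++ = 0; *p++ = 0; *p++ = 0x10;            /* Mask = GENERIC_ALL 0x10000000 */
    *p++ = 1; *p++ = count;                               /* SID Revision, SubAuthorityCount */
    memcpy(p, nt_authority, sizeof nt_authority); p += sizeof nt_authority;
    for (int i = 0; i < 5; i++) {                         /* little-endian sub-authorities */
        *p++ = (uint8_t)subs[i];         *p++ = (uint8_t)(subs[i] >> 8);
        *p++ = (uint8_t)(subs[i] >> 16); *p++ = (uint8_t)(subs[i] >> 24);
    }
    return (size_t)(p - buf);                             /* always 44 */
}

/* Bytes the unchecked parser believes the sample SID occupies: 28 for count=5,
 * 1028 for count=0xff, i.e. 1000 bytes beyond the data that exists. */
size_t demo_sid_claim(uint8_t count)
{
    uint8_t buf[64];
    build_sample_dacl(buf, count);
    return sid_len_unchecked(buf + ACL_HDR_LEN + ACE_HDR_LEN + 4);
}

/* Hardened walker on the same sample: 1 for count=5; -1 when the count does not
 * fit the 28 SID bytes present (e.g. 10) or exceeds the spec (0xff). */
int demo_checked_walk(uint8_t count)
{
    uint8_t buf[64];
    size_t len = build_sample_dacl(buf, count);
    return dacl_walk_checked(buf, len);
}

int main(void)
{
    printf("unchecked SID length: count=5 -> %zu, count=0xff -> %zu\n",
           demo_sid_claim(5), demo_sid_claim(0xff));
    printf("checked walk: count=5 -> %d, count=10 -> %d, count=0xff -> %d\n",
           demo_checked_walk(5), demo_checked_walk(10), demo_checked_walk(0xff));
    return 0;
}
```

The count=10 case is the one worth noting: it passes the protocol-maximum check and is only rejected because the length is compared against the bytes that actually arrived, which is the check an inheritance path that copies a parent's ACEs onto a child must make for every SID it touches.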

What This Means For You

  • If your Linux systems run ksmbd, you carry a high-severity remote kernel memory corruption risk that any authenticated share user with directory-create permission can trigger. Patch as soon as a fixed kernel is available. Until then, confirm whether ksmbd is actually loaded (it ships as a loadable module on most distributions, so unload it where the in-kernel server is not needed), restrict TCP/445 to the clients that require it, and review which accounts may create directories on exported shares.

Detection Rules

One of three Sigma rules auto-generated for this CVE and mapped to MITRE ATT&CK. It was produced by an AI engine and carries status experimental; validate it against your own ksmbd hosts before relying on it.

high · T1190 Exploit Public-Facing Application · T1210 Exploitation of Remote Services

CVE-2026-8449: Linux ksmbd Heap Corruption via Crafted DACL

Sigma YAML

title: CVE-2026-8449: Linux ksmbd Heap Corruption via Crafted DACL
id: scw-2026-05-12-ai-1
status: experimental
level: high
description: |
  CVE-2026-8449 is triggered inside the kernel's ksmbd ACL inheritance path,
  so there is no userland process, command line or filesystem path to match
  on, and the SMB2_SET_INFO request itself never reaches a host log. What a
  failed or noisy exploitation attempt does leave behind is a kernel fault
  (KASAN report, BUG, oops or general protection fault) whose lines reference
  ksmbd code. This rule matches those kernel-log lines. It will not see a
  clean exploit; pair it with SMB-level telemetry (Zeek smb_files.log, ksmbd
  debug logging enabled with ksmbd.control --debug) and share-permission
  reviews.
author: SCW Feed Engine (AI-generated); detection logic revised
date: 2026-05-12
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-8449/
tags:
  - attack.initial_access
  - attack.t1190
  - attack.lateral_movement
  - attack.t1210
logsource:
  product: linux
  service: syslog
detection:
  kernel_fault:
    - 'BUG: KASAN:'
    - 'kernel BUG at'
    - 'general protection fault'
    - 'Oops:'
    - 'RIP: 0010:'
  ksmbd_code:
    - 'ksmbd'
    - 'fs/smb/server/'
  ksmbd_worker:
    - 'Workqueue: ksmbd-io'   # ksmbd's request worker, printed in oops register dumps
  condition: (kernel_fault and ksmbd_code) or ksmbd_worker
falsepositives:
  - Unrelated ksmbd bugs or hardware faults that crash inside the same module
  - Kernel debugging sessions with KASAN or KFENCE enabled

Source: Shimi's Cyber World

Indicators of Compromise

ID            | Type                 | Indicator
CVE-2026-8449 | Memory Corruption    | Linux ksmbd
CVE-2026-8449 | Memory Corruption    | Heap out-of-bounds read
CVE-2026-8449 | Memory Corruption    | Heap corruption via crafted DACL with malformed SID (inflated num_subauth field)
CVE-2026-8449 | Denial of Service    | Triggered by creating a directory, setting a malicious DACL via SMB2_SET_INFO, then creating child entries
CVE-2026-8449 | Privilege Escalation | Potential kernel code execution via crafted DACL with malformed SID

These entries describe the vulnerability rather than observables: no hashes, addresses or file paths are associated with this CVE, so there is nothing here to load into a blocklist.

Source & Attribution

Source platform: NVD
Channel: National Vulnerability Database
Published: May 13, 2026 at 01:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.

