Skip to main content

Linux Kernel ksmbd CVE-2026-31409

| EUVDEUVD-2026-19195 HIGH
2026-04-06 Linux GHSA-5qj3-gjq7-62fm
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Apr 27, 2026 - 14:23 vuln.today
CVSS changed
Apr 27, 2026 - 14:22 NVD
8.8 (HIGH)
Patch available
Apr 16, 2026 - 05:29 EUVD
282343cf8a4a5a3603b1cb0e17a7083e4a593b03,89afe5e2dbea6e9d8e5f11324149d06fa3a4efca,6ebef4a220a1ebe345de899ebb9ae394206fe921
EUVD ID Assigned
Apr 06, 2026 - 08:15 euvd
EUVD-2026-19195
CVE Published
Apr 06, 2026 - 07:38 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: unset conn->binding on failed binding request

When a multichannel SMB2_SESSION_SETUP request with SMB2_SESSION_REQ_FLAG_BINDING fails ksmbd sets conn->binding = true but never clears it on the error path. This leaves the connection in a binding state where all subsequent ksmbd_session_lookup_all() calls fall back to the global sessions table. This fix it by clearing conn->binding = false in the error path.

AnalysisAI

Session hijacking in Linux kernel ksmbd SMB server allows authenticated network attackers to escalate privileges and access arbitrary sessions via failed multichannel binding requests. When SMB2_SESSION_SETUP with SMB2_SESSION_REQ_FLAG_BINDING fails, ksmbd incorrectly leaves the connection in a binding state, causing all subsequent session lookups to fall back to the global sessions table instead of connection-specific sessions. This enables attackers to access sessions across different connections, potentially leading to unauthorized data access and privilege escalation. Exploitation probability is extremely low (EPSS 0.01%, 1st percentile) with no public exploits or CISA KEV listing. Patches available for kernel versions 6.1.167, 6.6.130, 6.12.78, 6.18.20, 6.19.10, and mainline 7.0-rc5.

Technical ContextAI

The vulnerability resides in ksmbd, the in-kernel SMB server implementation introduced in Linux kernel 5.15. ksmbd supports SMB3 multichannel, which allows clients to establish multiple TCP connections for a single session to improve performance and reliability. During multichannel binding (SMB2_SESSION_SETUP with the SMB2_SESSION_REQ_FLAG_BINDING flag), ksmbd sets conn->binding = true to indicate the connection is undergoing binding. The flaw occurs in the error handling path: when binding fails (e.g., due to authentication errors, resource exhaustion, or protocol violations), ksmbd fails to reset conn->binding to false. This leaves the connection permanently in a 'binding' state. Subsequent calls to ksmbd_session_lookup_all() on this connection bypass the normal connection-scoped session lookup and instead search the global sessions table, which contains sessions from all connections. This breaks the session isolation model, allowing an attacker with one authenticated connection to potentially access sessions belonging to other users or connections. The root cause is incomplete state management in error paths, a common pattern in complex protocol implementations.

RemediationAI

Upgrade to patched Linux kernel versions: 6.1.167 or later for the 6.1.x LTS series, 6.6.130 or later for 6.6.x LTS, 6.12.78 or later for 6.12.x stable, 6.18.20 or later for 6.18.x, 6.19.10 or later for 6.19.x, or 7.0-rc5 or later for mainline. Patches available from kernel.org stable tree at the URLs listed in references. For systems unable to immediately patch, disable ksmbd multichannel support by setting 'multichannel = no' in ksmbd configuration (/etc/ksmbd/smb.conf or equivalent), though this eliminates performance benefits and may break clients requiring multichannel. Alternatively, disable ksmbd entirely (rmmod ksmbd) and use Samba instead if SMB server functionality is required, though this requires significant reconfiguration and may impact performance in embedded environments where ksmbd is preferred for lower resource usage. If ksmbd must remain enabled with multichannel, restrict SMB access to trusted networks only via firewall rules (block TCP 445/139 from untrusted sources) to limit attacker authentication opportunities, though this does not eliminate risk from insider threats or compromised credentials. Monitor ksmbd logs for repeated binding failures which may indicate exploitation attempts. Note that disabling multichannel may cause connection issues for Windows 10/11 clients configured to require it.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-31409 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy