Skip to main content

Linux kernel ksmbd CVE-2026-31476

| EUVDEUVD-2026-24831 HIGH
2026-04-22 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-223f-gch2-xvq3
8.2
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.2 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
SUSE
HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
High

Lifecycle Timeline

8
Re-analysis Queued
Apr 27, 2026 - 23:37 vuln.today
cvss_changed
Patch released
Apr 27, 2026 - 23:25 nvd
Patch available
Analysis Generated
Apr 27, 2026 - 14:32 vuln.today
CVSS changed
Apr 27, 2026 - 14:22 NVD
8.2 (HIGH)
Patch available
Apr 22, 2026 - 16:33 EUVD
EUVD ID Assigned
Apr 22, 2026 - 14:22 euvd
EUVD-2026-24831
Analysis Generated
Apr 22, 2026 - 14:22 vuln.today
CVE Published
Apr 22, 2026 - 14:16 nvd
HIGH 8.2

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: do not expire session on binding failure

When a multichannel session binding request fails (e.g. wrong password), the error path unconditionally sets sess->state = SMB2_SESSION_EXPIRED. However, during binding, sess points to the target session looked up via ksmbd_session_lookup_slowpath() -- which belongs to another connection's user. This allows a remote attacker to invalidate any active session by simply sending a binding request with a wrong password (DoS).

Fix this by skipping session expiration when the failed request was a binding attempt, since the session does not belong to the current connection. The reference taken by ksmbd_session_lookup_slowpath() is still correctly released via ksmbd_user_session_put().

AnalysisAI

Remote unauthenticated denial-of-service in Linux kernel's ksmbd SMB server allows attackers to terminate arbitrary active user sessions by sending crafted multichannel binding requests with invalid credentials. The flaw affects ksmbd (kernel-mode SMB server) across multiple stable kernel branches (6.1.x through 7.0). Vendor patches available for all affected versions. EPSS score of 0.08% (23rd percentile) indicates low observed exploitation likelihood, with no CISA KEV listing or public POC identified at time of analysis. The CVSS 8.2 rating reflects network-accessible attack surface with high availability impact, though actual exploitation requires specific SMB multichannel configuration.

Technical ContextAI

The vulnerability resides in ksmbd, the in-kernel SMB server implementation introduced in Linux 5.15 as a high-performance alternative to userspace Samba. During SMB3 multichannel session binding (RFC 9110 section 3.2.4.1), ksmbd incorrectly handles authentication failures by calling ksmbd_session_lookup_slowpath() to retrieve the target session object, then unconditionally setting sess->state = SMB2_SESSION_EXPIRED in the error path. Because multichannel binding requests reference sessions from other established connections, a failed binding attempt expires the victim's active session rather than rejecting only the binding request. The affected code path processes SMB2_SESSION_SETUP commands with the SESSION_BINDING flag, which are legitimate operations for load balancing and fault tolerance in SMB3 deployments. The flaw represents a state management error where ownership and lifecycle boundaries between connection-local and shared session objects are violated. All stable kernel branches containing ksmbd are affected from initial commit 1da177e4c3f41 through fix commits deployed in 6.1.168, 6.6.131, 6.12.80, 6.18.21, 6.19.11, and mainline 7.0.

RemediationAI

Primary remediation is upgrading to patched kernel versions: 6.1.168+, 6.6.131+, 6.12.80+, 6.18.21+, 6.19.11+, or mainline 7.0+. Distributions should apply vendor-specific kernel updates containing backported fixes (commits listed in git.kernel.org references). Organizations unable to patch immediately should disable ksmbd multichannel support by setting 'multichannel = no' in /etc/ksmbd/ksmbd.conf, which eliminates the vulnerable code path but degrades SMB3 performance and fault tolerance for clients relying on multiple network paths. Alternative compensating control is unloading the ksmbd module ('rmmod ksmbd') and reverting to userspace Samba, though this requires service migration with potential configuration incompatibilities. Network-level mitigation via firewall rules restricting SMB ports (445/TCP, 139/TCP) to trusted source IPs reduces attack surface but does not eliminate risk from insider threats or compromised trusted hosts. Each workaround trades functionality (multichannel, kernel performance) for security - assess business impact before implementing. Verify patch application by checking kernel version ('uname -r') matches fixed release and confirming fix commit presence in deployed kernel source.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-31476 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy