Skip to main content

Linux Kernel ksmbd CVE-2026-31477

| EUVDEUVD-2026-24833 HIGH
NULL Pointer Dereference (CWE-476)
2026-04-22 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-crxr-hqjj-5w24
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
SUSE
HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

8
Re-analysis Queued
Apr 27, 2026 - 23:37 vuln.today
cvss_changed
Patch released
Apr 27, 2026 - 23:24 nvd
Patch available
Analysis Generated
Apr 27, 2026 - 14:33 vuln.today
CVSS changed
Apr 27, 2026 - 14:22 NVD
7.5 (HIGH)
Patch available
Apr 22, 2026 - 16:33 EUVD
EUVD ID Assigned
Apr 22, 2026 - 14:22 euvd
EUVD-2026-24833
Analysis Generated
Apr 22, 2026 - 14:22 vuln.today
CVE Published
Apr 22, 2026 - 14:16 nvd
HIGH 7.5

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: fix memory leaks and NULL deref in smb2_lock()

smb2_lock() has three error handling issues after list_del() detaches smb_lock from lock_list at no_check_cl:

  1. If vfs_lock_file() returns an unexpected error in the non-UNLOCK

path, goto out leaks smb_lock and its flock because the out: handler only iterates lock_list and rollback_list, neither of which contains the detached smb_lock.

  1. If vfs_lock_file() returns -ENOENT in the UNLOCK path, goto out

leaks smb_lock and flock for the same reason. The error code returned to the dispatcher is also stale.

  1. In the rollback path, smb_flock_init() can return NULL on

allocation failure. The result is dereferenced unconditionally, causing a kernel NULL pointer dereference. Add a NULL check to prevent the crash and clean up the bookkeeping; the VFS lock itself cannot be rolled back without the allocation and will be released at file or connection teardown.

Fix cases 1 and 2 by hoisting the locks_free_lock()/kfree() to before the if(!rc) check in the UNLOCK branch so all exit paths share one free site, and by freeing smb_lock and flock before goto out in the non-UNLOCK branch. Propagate the correct error code in both cases. Fix case 3 by wrapping the VFS unlock in an if(rlock) guard and adding a NULL check for locks_free_lock(rlock) in the shared cleanup.

Found via call-graph analysis using sqry.

AnalysisAI

Memory exhaustion and kernel crash in Linux kernel's ksmbd SMB server allows remote unauthenticated denial of service via crafted lock requests. The smb2_lock() function contains three critical error-handling defects: memory leaks when vfs_lock_file() returns unexpected errors, stale error propagation in UNLOCK operations, and NULL pointer dereference during rollback when smb_flock_init() allocation fails. CVSS vector indicates network-accessible, low-complexity exploitation requiring no authentication. EPSS score of 0.02% (7th percentile) suggests minimal observed scanning activity, and no KEV listing confirms no widespread exploitation detected. However, the network attack vector (AV:N) and high availability impact (A:H) make this a realistic DoS risk for systems running ksmbd. Vendor patches available across stable kernel series 5.15-6.19.

Technical ContextAI

This vulnerability affects ksmbd, the in-kernel SMB3 server implementation introduced in Linux 5.15 as a performance-optimized alternative to user-space Samba. The flaw exists in fs/smb/server/smb2pdu.c's smb2_lock() function, which handles SMB2 opportunistic lock and byte-range lock operations. When list_del() detaches a lock structure from the tracking list, three code paths fail to properly manage memory: (1) unexpected vfs_lock_file() errors in non-UNLOCK operations leak both the smb_lock structure and its associated flock, (2) ENOENT returns during UNLOCK operations leak the same structures while propagating stale error codes, and (3) smb_flock_init() allocation failures during rollback cause unchecked NULL dereference when attempting locks_free_lock(). The root causes combine improper resource management after detachment from tracking lists, missing error propagation, and absent NULL validation-patterns typical of CWE-401 (Missing Release of Memory) and CWE-476 (NULL Pointer Dereference), though no CWE was formally assigned. The vulnerability surfaces through the SMB2 protocol's lock management interface, exposing kernel memory management to remote influence.

RemediationAI

Upgrade to patched Linux kernel versions: 5.15.x to latest stable, 6.1.168 or later, 6.6.131 or later, 6.12.80 or later, 6.18.21 or later, 6.19.11 or later, or mainline 7.0+. Patch commits available at https://git.kernel.org/stable/c/aab42f0795620cf0d3955a520f571f697d0f9a2a (mainline) and distribution-specific backports. If immediate patching is infeasible, disable ksmbd service via 'systemctl stop ksmbd' and 'modprobe -r ksmbd' to eliminate attack surface-this breaks SMB file sharing functionality and requires migrating to user-space Samba or alternative protocols. Alternatively, restrict ksmbd network exposure using firewall rules to block TCP ports 445 and 139 from untrusted networks (iptables -A INPUT -p tcp --dport 445 -s untrusted_network -j DROP), though this only reduces attack surface and does not address authenticated threat scenarios if credentials are compromised. Network-level filtering incurs no performance penalty but requires maintaining ACLs as network topology changes. For container environments, ensure base images use patched kernel versions and validate ksmbd module status during security scanning. No application-layer configuration changes mitigate this kernel-level flaw.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-31477 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy