Skip to main content

Linux Kernel CVE-2026-31535

| EUVDEUVD-2026-25428 MEDIUM
Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367)
2026-04-24 Linux GHSA-4w64-3hfc-pgqc
4.7
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.7 MEDIUM
AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

7
Analysis Generated
Apr 28, 2026 - 19:22 vuln.today
CVSS changed
Apr 28, 2026 - 19:22 NVD
4.7 (MEDIUM)
Patch released
Apr 28, 2026 - 19:14 nvd
Patch available
Patch available
Apr 24, 2026 - 16:01 EUVD
EUVD ID Assigned
Apr 24, 2026 - 15:00 euvd
EUVD-2026-25428
Analysis Generated
Apr 24, 2026 - 15:00 vuln.today
CVE Published
Apr 24, 2026 - 14:30 nvd
MEDIUM 4.7

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

smb: client: make use of smbdirect_socket.recv_io.credits.available

The logic off managing recv credits by counting posted recv_io and granted credits is racy.

That's because the peer might already consumed a credit, but between receiving the incoming recv at the hardware and processing the completion in the 'recv_done' functions we likely have a window where we grant credits, which don't really exist.

So we better have a decicated counter for the available credits, which will be incremented when we posted new recv buffers and drained when we grant the credits to the peer.

AnalysisAI

A race condition in the Linux kernel SMB client's recv_io credit management allows local authenticated users to cause a denial of service through timing-sensitive credit accounting between incoming data reception and completion processing. The vulnerability affects SMBDirect socket credit handling where credits may be granted to peers before corresponding recv buffers are actually posted, creating a window where credit accounting becomes inconsistent. Exploitation requires local access and moderate complexity but is not confirmed as actively exploited (not listed in CISA KEV).

Technical ContextAI

This vulnerability exists in the SMB client implementation of the Linux kernel, specifically in the SMBDirect (SMB over RDMA/TCP) socket credit management mechanism. SMB credit systems regulate data flow between client and server by limiting concurrent operations; the vulnerability (CWE-367, race condition) occurs in the logic that manages 'recv credits' - the number of recv buffers available to receive data. The code incorrectly tracks credits by counting posted recv_io operations and granted credits, creating a time-of-check-time-of-use (TOCTOU) window. Between when incoming data arrives at the hardware level and when the completion handler processes it, the kernel may grant credits to the peer that don't actually exist because the hardware has consumed them but the kernel hasn't updated its accounting. The fix introduces a dedicated 'smbdirect_socket.recv_io.credits.available' counter that increments only when new recv buffers are posted and decrements when credits are actually granted, eliminating the race condition.

RemediationAI

Vendor-released patch: Linux kernel versions 6.18.11, 6.19.1, 7.0 or later contain the fix. System administrators should upgrade to the patched kernel version appropriate for their distribution and kernel branch. For distributions on the 6.18 Long-Term Support branch, upgrade to 6.18.11 or later; for 6.19 branch systems, upgrade to 6.19.1 or later; for newer systems, upgrade to 7.0 or later. The fix is available in upstream stable kernel repositories at https://git.kernel.org/stable/ (commits f664e6e8a81103cb45c8802a9bc7499e0902c458, be8845ad5d6558703d20567d8702155598325db8, and 9911b1ed187a770a43950bf51f340ad4b7beecba). Until patching is completed, users not relying on SMB client functionality can disable the CIFS/SMB client module (CONFIG_CIFS=n), though this eliminates SMB mounting capability entirely. No other workarounds are available due to the race condition's location in core credit management logic.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-31535 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy