Skip to main content

Linux Kernel CVE-2026-31536

| EUVDEUVD-2026-25429 CRITICAL
2026-04-24 Linux GHSA-pgx3-cx3f-6g2v
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
SUSE
CRITICAL
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

8
Re-analysis Queued
Apr 28, 2026 - 19:22 vuln.today
cvss_changed
Patch released
Apr 28, 2026 - 19:10 nvd
Patch available
Analysis Generated
Apr 27, 2026 - 15:27 vuln.today
CVSS changed
Apr 27, 2026 - 15:22 NVD
9.8 (CRITICAL)
Patch available
Apr 24, 2026 - 16:01 EUVD
EUVD ID Assigned
Apr 24, 2026 - 15:00 euvd
EUVD-2026-25429
Analysis Generated
Apr 24, 2026 - 15:00 vuln.today
CVE Published
Apr 24, 2026 - 14:30 nvd
CRITICAL 9.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

smb: server: let send_done handle a completion without IB_SEND_SIGNALED

With smbdirect_send_batch processing we likely have requests without IB_SEND_SIGNALED, which will be destroyed in the final request that has IB_SEND_SIGNALED set.

If the connection is broken all requests are signaled even without explicit IB_SEND_SIGNALED.

AnalysisAI

Use-after-free in Linux kernel SMB server (ksmbd) RDMA handling allows remote unauthenticated attackers to execute arbitrary code, escalate privileges, or crash the system via crafted SMB Direct connections. The vulnerability arises when batched RDMA send operations without IB_SEND_SIGNALED flags are prematurely freed during connection failures, causing memory corruption. Vendor patches are available for kernel versions 6.18.11, 6.19.1, and 7.0. EPSS score of 0.02% suggests low observed exploitation probability, and no active exploitation or public POC is confirmed at time of analysis, though the critical CVSS score (9.8) reflects severe potential impact if the SMB Direct feature is enabled.

Technical ContextAI

This vulnerability affects the Linux kernel's ksmbd module, specifically the SMB Direct (SMBDirect) implementation which uses RDMA (Remote Direct Memory Access) over InfiniBand for high-performance SMB file sharing. The issue occurs in the send_done completion handler when processing batched RDMA send requests. In RDMA operations, IB_SEND_SIGNALED is a flag that requests completion notifications for send operations. The ksmbd implementation batches multiple send operations where only the final request carries IB_SEND_SIGNALED for efficiency. However, when a connection breaks unexpectedly, the RDMA layer signals completions for all pending requests regardless of the IB_SEND_SIGNALED flag. The vulnerable code path fails to handle this scenario correctly, leading to premature destruction of request structures that were expected to be freed only with the final signaled completion. This creates a classic use-after-free condition where memory is accessed after being deallocated. The affected code paths are in the SMB server's RDMA transport layer, which is only active when SMB Direct is configured and enabled. The CPE strings indicate broad kernel version exposure from the initial Git commit 1da177e4c3f4 (kernel 2.6.12-rc2, 2005) through current versions, though SMBDirect support was added much later, making the practical exposure window narrower than CPE suggests.

RemediationAI

Upgrade to patched Linux kernel versions 6.18.11, 6.19.1, or 7.0 or later as documented in the upstream Git commits referenced at https://git.kernel.org/stable/c/24082642654f3e5149913946e89c00a297a8868f, https://git.kernel.org/stable/c/9da82dc73cb03e85d716a2609364572367a5ff47, and https://git.kernel.org/stable/c/e38b415c024bc3b6321bf8650dbf3f4aab8e74b3. Organizations unable to immediately patch should disable the ksmbd module entirely via 'modprobe -r ksmbd' if not required for production workloads, or specifically disable SMB Direct RDMA support by removing RDMA-capable network interface configurations from ksmbd.conf and restarting the service. If ksmbd with RDMA must remain operational, implement network segmentation to restrict SMB Direct connections (TCP port 445 with RDMA) to trusted administrative networks only via firewall rules, though this significantly reduces the performance benefits of RDMA deployment. Note that disabling ksmbd does not affect standard Samba (smbd) deployments which use separate userspace implementations. For high-performance computing environments where ksmbd RDMA is mission-critical, prioritize emergency patching during the next available maintenance window, as the workarounds eliminate the primary value proposition of the technology.

Vendor StatusVendor

SUSE

Severity: Critical
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-31536 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy