Skip to main content

Linux Kernel CVE-2026-31538

| EUVDEUVD-2026-25431 HIGH
2026-04-24 Linux GHSA-f5hg-hrh7-wfrr
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
SUSE
HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

8
Re-analysis Queued
Apr 28, 2026 - 19:07 vuln.today
cvss_changed
Patch released
Apr 28, 2026 - 18:59 nvd
Patch available
Analysis Generated
Apr 27, 2026 - 15:27 vuln.today
CVSS changed
Apr 27, 2026 - 15:22 NVD
7.5 (HIGH)
Patch available
Apr 24, 2026 - 16:01 EUVD
EUVD ID Assigned
Apr 24, 2026 - 15:00 euvd
EUVD-2026-25431
Analysis Generated
Apr 24, 2026 - 15:00 vuln.today
CVE Published
Apr 24, 2026 - 14:30 nvd
HIGH 7.5

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

smb: server: make use of smbdirect_socket.recv_io.credits.available

The logic off managing recv credits by counting posted recv_io and granted credits is racy.

That's because the peer might already consumed a credit, but between receiving the incoming recv at the hardware and processing the completion in the 'recv_done' functions we likely have a window where we grant credits, which don't really exist.

So we better have a decicated counter for the available credits, which will be incremented when we posted new recv buffers and drained when we grant the credits to the peer.

This fixes regression Namjae reported with the 6.18 release.

AnalysisAI

Denial of service in Linux kernel SMB server (ksmbd) affects versions 6.18 through 7.0-rc via race condition in SMBDirect receive credit management. Remote unauthenticated attackers can trigger resource exhaustion through crafted SMB packets exploiting the window between hardware reception and completion processing. Vendor patches released for stable branches 6.18.11, 6.19.1, and mainline 7.0. Low EPSS score (0.02%) indicates limited exploitation interest despite network attack vector and no authentication requirement.

Technical ContextAI

This vulnerability resides in the Linux kernel's ksmbd module, specifically in the SMBDirect (SMB over RDMA) implementation. SMBDirect uses Remote Direct Memory Access to provide high-performance SMB file sharing. The flaw is a classic time-of-check-time-of-use (TOCTOU) race condition in credit management logic. Credits in SMBDirect control flow between client and server by limiting outstanding requests. The vulnerable code counts posted receive I/O operations and granted credits separately, creating a window between when the RDMA hardware receives data and when the recv_done handler processes the completion event. During this window, the server may grant credits that don't correspond to actual available receive buffers, leading to resource accounting errors. The fix introduces a dedicated atomic counter (smbdirect_socket.recv_io.credits.available) that increments when buffers are posted and decrements atomically when credits are granted, eliminating the race. This affects the kernel's file server functionality rather than client operations, and specifically impacts deployments using SMB over RDMA rather than traditional TCP transport.

RemediationAI

Upgrade to patched kernel versions: 6.18.11 or later for the 6.18 stable branch, 6.19.1 or later for 6.19 stable, or 7.0 final release for mainline. Patch commits available at https://git.kernel.org/stable/c/809cbd31aa4f87a1b889532244c9cf30eb022385 (6.18), https://git.kernel.org/stable/c/66c082e3d4651e8629a393a9e182b01eb50fb0a3 (6.19), and https://git.kernel.org/stable/c/26ad87a2cfb8c1384620d1693a166ed87303046e (7.0). If immediate patching is not feasible, disable ksmbd module (modprobe -r ksmbd) and use Samba userspace server instead - this eliminates the vulnerability but requires service migration and may impact RDMA performance optimizations. Alternatively, restrict network access to SMB ports (445/tcp, 5445/tcp) using firewall rules to trusted management networks only, reducing exposure but not eliminating risk from internal threats. For RDMA-specific mitigation, disable SMBDirect transport in ksmbd configuration and fall back to TCP transport - this preserves ksmbd functionality but loses RDMA performance benefits. Monitor for abnormal SMB connection patterns or resource exhaustion in ksmbd process as potential exploitation indicators.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-31538 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy