Skip to main content

Linux Kernel CVE-2026-31539

| EUVDEUVD-2026-25432 HIGH
2026-04-24 Linux GHSA-vm72-v475-frvx
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
SUSE
HIGH
qualitative
Red Hat
7.0 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

8
Re-analysis Queued
Apr 28, 2026 - 19:07 vuln.today
cvss_changed
Patch released
Apr 28, 2026 - 18:54 nvd
Patch available
Analysis Generated
Apr 27, 2026 - 15:27 vuln.today
CVSS changed
Apr 27, 2026 - 15:22 NVD
7.5 (HIGH)
Patch available
Apr 24, 2026 - 16:01 EUVD
EUVD ID Assigned
Apr 24, 2026 - 15:00 euvd
EUVD-2026-25432
Analysis Generated
Apr 24, 2026 - 15:00 vuln.today
CVE Published
Apr 24, 2026 - 14:30 nvd
HIGH 7.5

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

smb: smbdirect: introduce smbdirect_socket.recv_io.credits.available

The logic off managing recv credits by counting posted recv_io and granted credits is racy.

That's because the peer might already consumed a credit, but between receiving the incoming recv at the hardware and processing the completion in the 'recv_done' functions we likely have a window where we grant credits, which don't really exist.

So we better have a decicated counter for the available credits, which will be incremented when we posted new recv buffers and drained when we grant the credits to the peer.

AnalysisAI

Race condition in Linux kernel SMB Direct receive credit management allows remote denial of service against SMB3 network storage services. The flaw enables remote unauthenticated attackers to exhaust receive buffer credits through timing exploitation of the gap between hardware packet reception and completion processing, causing service disruption. EPSS exploitation probability is low (0.02%, 4th percentile), and patches are available from kernel.org for versions 6.18.x, 6.19.x, and 7.0. This affects only systems using SMB Direct (RDMA-enabled SMB3), not standard SMB implementations.

Technical ContextAI

SMB Direct is an optional transport protocol for SMB3 that uses Remote Direct Memory Access (RDMA) over InfiniBand, RoCE, or iWARP to accelerate network storage performance. The vulnerability exists in the smbdirect_socket receive credit accounting mechanism. Credits control flow control in RDMA transports - the receiver grants credits to the sender indicating available buffer space. The race condition occurs because the kernel counts posted recv_io operations and granted credits separately, creating a window between when the RDMA hardware receives a packet and when the recv_done completion handler processes it. During this window, the code may grant credits that don't correspond to actual available receive buffers, allowing the peer to send more data than the receiver can handle. The patch introduces a dedicated smbdirect_socket.recv_io.credits.available atomic counter that is incremented when buffers are posted and decremented when credits are granted, eliminating the race through proper synchronization.

RemediationAI

Update to patched kernel versions: 6.18.11 or later for 6.18.x series, 6.19.1 or later for 6.19.x series, or 7.0 for mainline tracking. Kernel source patches available at git.kernel.org commit references e811e60e1cc7 (6.18), f99996870222 (6.19), and 6e3c5052f968 (mainline). Organizations unable to patch immediately should disable SMB Direct RDMA transport by unloading the rdma kernel modules (modprobe -r smbdirect, ib_core) or configuring SMB clients/servers to use standard TCP transport instead, accepting the performance penalty - this completely eliminates exposure as the vulnerable code path is only active for RDMA connections. Firewall rules blocking RDMA ports (typically InfiniBand subnet manager on UDP 4789 or RoCE on configurable ports) provide network-level mitigation but may affect legitimate RDMA storage traffic. Monitor kernel logs for SMB Direct connection errors or credit exhaustion messages as potential exploitation indicators. Test RDMA functionality after mitigation as disabling can break storage connectivity in HPC or converged infrastructure environments.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-31539 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy