Skip to main content

Linux Kernel CVE-2026-31608

| EUVDEUVD-2026-25501 CRITICAL
Double Free (CWE-415)
2026-04-24 Linux GHSA-qx6q-mqg9-4px7
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
SUSE
CRITICAL
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

8
Re-analysis Queued
Apr 29, 2026 - 20:07 vuln.today
cvss_changed
Patch released
Apr 29, 2026 - 20:03 nvd
Patch available
Analysis Generated
Apr 27, 2026 - 15:34 vuln.today
CVSS changed
Apr 27, 2026 - 15:22 NVD
9.8 (CRITICAL)
Patch available
Apr 24, 2026 - 16:16 EUVD
EUVD ID Assigned
Apr 24, 2026 - 15:00 euvd
EUVD-2026-25501
Analysis Generated
Apr 24, 2026 - 15:00 vuln.today
CVE Published
Apr 24, 2026 - 14:42 nvd
CRITICAL 9.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

smb: server: avoid double-free in smb_direct_free_sendmsg after smb_direct_flush_send_list()

smb_direct_flush_send_list() already calls smb_direct_free_sendmsg(), so we should not call it again after post_sendmsg() moved it to the batch list.

AnalysisAI

A double-free vulnerability in the Linux kernel's SMB Direct (RDMA transport) server implementation allows remote unauthenticated attackers to trigger memory corruption with high CVSS 9.8 severity. The flaw occurs when smb_direct_free_sendmsg() is called twice on the same memory region after smb_direct_flush_send_list() moves messages to a batch list. Vendor patches available across kernel versions 6.18.24, 6.19.14, and 7.0.1, with upstream commits confirmed in stable branches. Despite critical CVSS scoring, EPSS probability remains very low at 0.02% (4th percentile) and no active exploitation or public POC identified, suggesting limited real-world targeting of this SMB Direct RDMA feature.

Technical ContextAI

This vulnerability affects the Linux kernel's implementation of SMB Direct, which provides RDMA (Remote Direct Memory Access) transport for SMB3 file sharing protocol. The affected code path involves the smb_direct_flush_send_list() function that manages batched message sending over RDMA connections. When messages are moved to the batch list during post_sendmsg() operations, the memory cleanup function smb_direct_free_sendmsg() gets called redundantly, creating a use-after-free condition where the same memory region is freed twice. This represents a classic double-free vulnerability pattern that can corrupt kernel heap structures. The CPE strings indicate broad kernel impact across Linux versions, though the EUVD data shows specific affected version ranges starting from early kernel commit 1da177e4c3f4 through multiple stable branches requiring patches in 6.18.24, 6.19.14, and 7.0.1 series.

RemediationAI

Apply vendor-released patches for your kernel stable branch: upgrade to Linux 6.18.24, 6.19.14, 7.0.1, or later versions that include upstream fixes from commits 6968c91fab05, 2ba03f46132b, 830de6eeb9db, or 84ff995ae826. Patches backported across stable branches and available through standard distribution security update channels. If immediate patching is not feasible for RDMA-enabled SMB servers, disable SMB Direct/RDMA transport in ksmbd configuration by removing rdma_transform_id from server settings and restricting to TCP transport only (trade-off: loss of RDMA performance benefits but eliminates attack surface). Alternative compensating control: migrate from in-kernel ksmbd to user-space Samba daemon which uses separate code path unaffected by this kernel vulnerability (trade-off: requires service migration and configuration changes). Network-level mitigation: restrict SMB Direct RDMA ports (typically TCP 5445) to trusted management networks only using host firewall rules, though this only reduces exposure rather than eliminating the vulnerability. For non-RDMA environments or systems not running ksmbd, this vulnerability presents no risk and standard patch cadence applies.

Vendor StatusVendor

SUSE

Severity: Critical
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-31608 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy