Linux Kernel ksmbd CVE-2026-31718

EUVD-2026-26527 | CRITICAL
Use After Free (CWE-416)
2026-05-01 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS 3.1 base score: 9.8
CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline (7 events)

  • May 03, 2026 - 07:27 (vuln.today): Analysis Generated
  • May 03, 2026 - 07:22 (NVD): CVSS changed to 9.8 (CRITICAL)
  • May 03, 2026 - 07:16 (nvd): Patch released (patch available)
  • May 01, 2026 - 15:02 (EUVD): Patch available
  • May 01, 2026 - 14:22 (euvd): EUVD ID assigned, EUVD-2026-26527
  • May 01, 2026 - 14:22 (vuln.today): Analysis Generated
  • May 01, 2026 - 14:16 (nvd): CVE Published, CRITICAL 9.8

Description (NVD)

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: fix use-after-free in __ksmbd_close_fd() via durable scavenger

When a durable file handle survives session disconnect (TCP close without SMB2_LOGOFF), session_fd_check() sets fp->conn = NULL to preserve the handle for later reconnection. However, it did not clean up the byte-range locks on fp->lock_list.

Later, when the durable scavenger thread times out and calls __ksmbd_close_fd(NULL, fp), the lock cleanup loop did:

spin_lock(&fp->conn->llist_lock);

This caused a slab use-after-free because fp->conn was NULL and the original connection object had already been freed by ksmbd_tcp_disconnect().

The root cause is asymmetric cleanup: lock entries (smb_lock->clist) were left dangling on the freed conn->lock_list while fp->conn was nulled out.

To fix this issue properly, we need to handle the lifetime of smb_lock->clist across three paths:

  • Safely skip clist deletion when the list is empty and fp->conn is NULL.
  • Remove the lock from the old connection's lock_list in session_fd_check().
  • Re-add the lock to the new connection's lock_list in ksmbd_reopen_durable_fd().

Analysis (AI)

Use-after-free in the Linux kernel ksmbd (in-kernel SMB server) during durable file handle scavenging allows memory corruption and potential remote code execution. When a durable SMB2 file handle survives session disconnect, the cleanup path dereferences a freed connection object through the NULL fp->conn pointer during lock cleanup, causing a slab use-after-free. …

Remediation (AI)

Within 24 hours: identify all Linux systems running ksmbd (check the kernel version via 'uname -r' and verify SMB server status). Within 7 days: apply vendor-released patches, specifically kernel versions 6.12.84, 6.18.25, 7.0.2, or 7.1-rc1 depending on the current branch, through standard distribution update mechanisms (apt update && apt upgrade, yum update, or equivalent). …

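A small triage helper for the remediation steps above, added here as an example; it is not vuln.today's or the kernel project's code. It classifies the running kernel version against the fixed releases listed on this page (6.12.84, 6.18.25, 7.0.2, and mainline 7.1-rc1) and checks whether the ksmbd module is loaded. It assumes a Linux /sys and /proc layout, and it cannot see distribution backports that keep the old version string, so treat "vulnerable" or "unknown" as a prompt to check the vendor changelog.

```shell
#!/bin/sh
# Added example, not code from vuln.today or the kernel project.
# Fixed releases taken from this page: 6.12.84, 6.18.25, 7.0.2, 7.1-rc1.
# Assumption: distro kernels that backport the fix without changing the
# version string are NOT detected here.

# ver_parts "6.12.84-generic" -> "6 12 84" (anything after '-' is dropped)
ver_parts() {
    v=${1%%-*}
    maj=${v%%.*}
    rest=${v#"$maj"}; rest=${rest#.}
    min=${rest%%.*}
    rest=${rest#"$min"}; rest=${rest#.}
    pat=${rest%%.*}
    pat=${pat%%[!0-9]*}          # tolerate trailing junk such as "84+"
    [ -n "$min" ] || min=0
    [ -n "$pat" ] || pat=0
    echo "$maj $min $pat"
}

# ksmbd_status VERSION -> prints fixed | vulnerable | unknown
ksmbd_status() {
    set -- $(ver_parts "$1")
    case "$1.$2" in
        6.12) need=84 ;;
        6.18) need=25 ;;
        7.0)  need=2 ;;
        7.1)  echo fixed; return 0 ;;      # fix is in 7.1-rc1 and later
        *)    echo unknown; return 0 ;;    # branch not listed on the page
    esac
    if [ "$3" -ge "$need" ]; then echo fixed; else echo vulnerable; fi
}

# ksmbd_present -> exit 0 when the ksmbd module is loaded (assumes Linux /sys, /proc)
ksmbd_present() {
    [ -d /sys/module/ksmbd ] || grep -q '^ksmbd ' /proc/modules 2>/dev/null
}

main() {
    running=$(uname -r)
    echo "kernel $running: ksmbd fix status: $(ksmbd_status "$running")"
    if ksmbd_present; then
        echo "ksmbd is loaded: exposed over the network until the kernel is updated"
    else
        echo "ksmbd is not loaded: not exposed now; update before enabling it"
    fi
}
main
```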

Vendor Status (Vendor)

CVE-2026-31718 vulnerability details – vuln.today
