Skip to main content

Linux Kernel ksmbd EUVDEUVD-2026-24776

| CVE-2026-31444 CRITICAL
Use After Free (CWE-416)
2026-04-22 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-8vw8-r4jr-vp93
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
SUSE
CRITICAL
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

7
Analysis Generated
Apr 27, 2026 - 14:26 vuln.today
CVSS changed
Apr 27, 2026 - 14:22 NVD
9.8 (CRITICAL)
Patch released
Apr 27, 2026 - 14:16 nvd
Patch available
Patch available
Apr 22, 2026 - 16:02 EUVD
EUVD ID Assigned
Apr 22, 2026 - 14:22 euvd
EUVD-2026-24776
Analysis Generated
Apr 22, 2026 - 14:22 vuln.today
CVE Published
Apr 22, 2026 - 14:16 nvd
CRITICAL 9.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: fix use-after-free and NULL deref in smb_grant_oplock()

smb_grant_oplock() has two issues in the oplock publication sequence:

  1. opinfo is linked into ci->m_op_list (via opinfo_add) before

add_lease_global_list() is called. If add_lease_global_list() fails (kmalloc returns NULL), the error path frees the opinfo via __free_opinfo() while it is still linked in ci->m_op_list. Concurrent m_op_list readers (opinfo_get_list, or direct iteration in smb_break_all_levII_oplock) dereference the freed node.

  1. opinfo->o_fp is assigned after add_lease_global_list() publishes

the opinfo on the global lease list. A concurrent find_same_lease_key() can walk the lease list and dereference opinfo->o_fp->f_ci while o_fp is still NULL.

Fix by restructuring the publication sequence to eliminate post-publish failure:

  • Set opinfo->o_fp before any list publication (fixes NULL deref).
  • Preallocate lease_table via alloc_lease_table() before opinfo_add()

so add_lease_global_list() becomes infallible after publication.

  • Keep the original m_op_list publication order (opinfo_add before

lease list) so concurrent opens via same_client_has_lease() and opinfo_get_list() still see the in-flight grant.

  • Use opinfo_put() instead of __free_opinfo() on err_out so that

the RCU-deferred free path is used.

This also requires splitting add_lease_global_list() to take a preallocated lease_table and changing its return type from int to void, since it can no longer fail.

AnalysisAI

Use-after-free and NULL pointer dereference vulnerabilities in Linux kernel's ksmbd SMB server allow remote unauthenticated attackers to achieve arbitrary code execution, information disclosure, or denial of service. The flaws occur during oplock (opportunistic lock) publication when error handling frees memory still referenced by concurrent readers, and when global lease lists are accessed before critical pointers are initialized. With CVSS 9.8 (AV:N/AC:L/PR:N/UI:N), this represents a critical remote attack surface, though EPSS score of 0.02% (5th percentile) suggests minimal observed exploitation activity. Vendor patches are available across affected kernel versions 6.6.130-6.19.9.

Technical ContextAI

The ksmbd module is the Linux kernel's in-kernel SMB (Server Message Block) server implementation, providing Windows-compatible file sharing services. This vulnerability affects the oplock (opportunistic locking) mechanism in smb_grant_oplock(), which manages file locking optimizations for SMB clients. The root cause involves race conditions during the publication of opinfo structures to multiple concurrent data structures (ci->m_op_list and global lease lists). The first issue is a classic use-after-free where memory allocation failure in add_lease_global_list() triggers __free_opinfo() on an opinfo already linked into ci->m_op_list, leaving a dangling pointer accessible to concurrent readers like opinfo_get_list() and smb_break_all_levII_oplock(). The second issue is a time-of-check-time-of-use (TOCTOU) NULL pointer dereference where opinfo->o_fp is assigned after the opinfo is published to the global lease list, creating a window where find_same_lease_key() can traverse the list and dereference opinfo->o_fp->f_ci while o_fp is still NULL. The fix restructures the publication sequence to ensure all pointers are initialized and memory is preallocated before any publication, making subsequent operations infallible and eliminating the race windows.

RemediationAI

Apply vendor-released patches immediately for systems running ksmbd. Upgrade to Linux kernel 6.19.11 or later (for 6.19.x branch), 6.18.21 or later (for 6.18.x branch), 6.12.80 or later (for 6.12.x branch), or 6.6.131 or later (for 6.6.x LTS branch). Patches are available at git.kernel.org stable repository with specific commit identifiers: 48623ec358c1 (6.19.x), 6d7e5a918c1d (6.18.x), a5c6f6d6ceef (mainline), 7de55bba69cb (6.12.x), and 9e785f004cbc (6.6.x). If immediate patching is not feasible, disable the ksmbd module entirely using 'rmmod ksmbd' and 'echo blacklist ksmbd >> /etc/modprobe.d/blacklist.conf' to prevent autoloading. Alternative workaround: restrict ksmbd network exposure by binding SMB services only to trusted internal networks via firewall rules blocking TCP ports 445 and 139 from untrusted networks. Note that disabling ksmbd will break SMB file sharing functionality - organizations dependent on ksmbd should prioritize emergency patching over workarounds. Switching to userspace Samba (smbd) provides functional equivalence without this vulnerability but requires reconfiguration of share definitions and may have performance implications for high-throughput scenarios where ksmbd's kernel-space implementation was chosen for efficiency.

Vendor StatusVendor

SUSE

Severity: Critical
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-24776 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy