Skip to main content

Linux Kernel EUVDEUVD-2026-25502

| CVE-2026-31609 CRITICAL
Double Free (CWE-415)
2026-04-24 Linux GHSA-rc8c-94m4-frfh
Critical
Disputed · 9.8 NVD
Share

Severity by source

Sources disagree (Medium–Critical)
NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
SUSE
CRITICAL
qualitative
Red Hat
5.5 MEDIUM
qualitative

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

8
Re-analysis Queued
Apr 29, 2026 - 16:52 vuln.today
cvss_changed
Patch released
Apr 29, 2026 - 16:45 nvd
Patch available
Analysis Generated
Apr 27, 2026 - 15:35 vuln.today
CVSS changed
Apr 27, 2026 - 15:22 NVD
9.8 (CRITICAL)
Patch available
Apr 24, 2026 - 16:16 EUVD
EUVD ID Assigned
Apr 24, 2026 - 15:00 euvd
EUVD-2026-25502
Analysis Generated
Apr 24, 2026 - 15:00 vuln.today
CVE Published
Apr 24, 2026 - 14:42 nvd
CRITICAL 9.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

smb: client: avoid double-free in smbd_free_send_io() after smbd_send_batch_flush()

smbd_send_batch_flush() already calls smbd_free_send_io(), so we should not call it again after smbd_post_send() moved it to the batch list.

AnalysisAI

Double-free memory corruption in the Linux kernel SMB client (smbd) allows remote unauthenticated attackers to achieve arbitrary code execution, confidentiality breach, and denial of service. The vulnerability occurs when smbd_free_send_io() is erroneously called twice after smbd_send_batch_flush() operations, creating use-after-free conditions. Exploitation probability is low (EPSS 0.02%, 4th percentile) with no confirmed active exploitation or public POC, but the critical CVSS 9.8 score reflects the severe potential impact if network-accessible SMB client operations are triggered. Vendor patches available for kernel versions 6.18.24, 6.19.14, and 7.0.1.

Technical ContextAI

This vulnerability affects the Linux kernel's SMB client implementation (CIFS/SMB2/SMB3 protocol handler), specifically in the smbd (SMB Direct) send path for RDMA-based SMB transfers. The double-free occurs in the smbd_free_send_io() function when invoked after smbd_post_send() moves a send operation to the batch list, despite smbd_send_batch_flush() already having freed the same memory region. Double-free vulnerabilities are memory corruption bugs where the same memory is deallocated multiple times, potentially allowing attackers to manipulate heap metadata, corrupt adjacent memory structures, or achieve code execution through heap exploitation techniques. The affected CPE cpe:2.3:a:linux:linux indicates this is a Linux kernel component vulnerability. Without CWE classification, the specific weakness class isn't formally documented, but this matches classic CWE-415 (Double Free) patterns. RDMA (Remote Direct Memory Access) SMB Direct operations are less commonly deployed than standard TCP-based SMB, which may limit real-world exposure despite the network attack vector.

RemediationAI

Apply vendor-provided kernel updates immediately: upgrade to Linux kernel 6.18.24 (for 6.18.x series), 6.19.14 (for 6.19.x series), or 7.0.1 (for 7.0.x series) or later versions that include commits a9940dcbe5cb, 22b7c1c619d8, or f9a162c2bbcd from https://git.kernel.org/stable/. For distributions using LTS kernels, apply security updates from your distribution's package manager when available. If immediate patching is not feasible, disable SMB Direct (RDMA) functionality by unloading the smbdirect kernel module with 'modprobe -r smbdirect' and preventing auto-load via blacklist in /etc/modprobe.d/. This workaround eliminates the vulnerable code path but disables RDMA performance optimizations for SMB workloads, requiring fallback to TCP transport with potential performance degradation in high-throughput storage scenarios. For systems not using SMB client functionality, disable the CIFS/SMB client entirely via 'modprobe -r cifs' and firewall rules blocking outbound SMB ports (445/tcp, 139/tcp). Network segmentation should isolate systems requiring SMB client access to trusted storage networks only, blocking direct internet exposure.

Vendor StatusVendor

SUSE

Severity: Critical
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-25502 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy