Skip to main content

Linux kernel ksmbd EUVDEUVD-2026-26520

| CVE-2026-31711 HIGH
Memory Leak (CWE-401)
2026-05-01 416baaa9-dc9f-4396-8d5f-8c081fb06d67
7.5
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
SUSE
HIGH
qualitative

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

7
Analysis Generated
May 03, 2026 - 07:26 vuln.today
CVSS changed
May 03, 2026 - 07:22 NVD
7.5 (HIGH)
Patch released
May 03, 2026 - 07:16 nvd
Patch available
Patch available
May 01, 2026 - 15:02 EUVD
EUVD ID Assigned
May 01, 2026 - 14:22 euvd
EUVD-2026-26520
Analysis Generated
May 01, 2026 - 14:22 vuln.today
CVE Published
May 01, 2026 - 14:16 nvd
HIGH 7.5

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

smb: server: fix active_num_conn leak on transport allocation failure

Commit 77ffbcac4e56 ("smb: server: fix leak of active_num_conn in ksmbd_tcp_new_connection()") addressed the kthread_run() failure path. The earlier alloc_transport() == NULL path in the same function has the same leak, is reachable pre-authentication via any TCP connect to port 445, and was empirically reproduced on UML (ARCH=um, v7.0-rc7): a small number of forced allocation failures were sufficient to put ksmbd into a state where every subsequent connection attempt was rejected for the remainder of the boot.

ksmbd_kthread_fn() increments active_num_conn before calling ksmbd_tcp_new_connection() and discards the return value, so when alloc_transport() returns NULL the socket is released and -ENOMEM returned without decrementing the counter. Each such failure permanently consumes one slot from the max_connections pool; once cumulative failures reach the cap, atomic_inc_return() hits the threshold on every subsequent accept and every new connection is rejected. The counter is only reset by module reload.

An unauthenticated remote attacker can drive the server toward the memory pressure that makes alloc_transport() fail by holding open connections with large RFC1002 lengths up to MAX_STREAM_PROT_LEN (0x00FFFFFF); natural transient allocation failures on a loaded host produce the same drift more slowly.

Mirror the existing rollback pattern in ksmbd_kthread_fn(): on the alloc_transport() failure path, decrement active_num_conn gated on server_conf.max_connections.

Repro details: with the patch reverted, forced alloc_transport() NULL returns leaked counter slots and subsequent connection attempts -- including legitimate connects issued after the forced-fail window had closed -- were all rejected with "Limit the maximum number of connections". With this patch applied, the same connect sequence produces no rejections and the counter cycles cleanly between zero and one on every accept.

AnalysisAI

Resource exhaustion in Linux kernel ksmbd server allows remote unauthenticated attackers to permanently deny SMB service by consuming connection slots through forced allocation failures. The vulnerability leaks active_num_conn counter values when alloc_transport() fails during TCP connection setup on port 445, permanently consuming slots from the max_connections pool until module reload. Attackers can accelerate exhaustion by holding open connections with large RFC1002 lengths (up to 16MB) to trigger memory pressure. EPSS score of 0.11% suggests low observed exploitation probability, and no public exploit or CISA KEV listing exists. Vendor patches available for kernel versions 6.6.136, 6.12.84, 7.0.2, and 7.1-rc1.

Technical ContextAI

The ksmbd component implements an in-kernel SMB server for Linux, introduced in kernel 5.15. This vulnerability affects the TCP transport layer initialization in ksmbd_tcp_new_connection() function. The code path involves ksmbd_kthread_fn() pre-incrementing the active_num_conn atomic counter before calling ksmbd_tcp_new_connection(). When alloc_transport() returns NULL due to memory allocation failure, the function exits with -ENOMEM without decrementing the counter, creating a permanent leak. The active_num_conn counter gates new connections against server_conf.max_connections; once leaked slots equal the configured maximum, atomic_inc_return() rejects all subsequent connections. RFC1002 is the NetBIOS session service protocol used by SMB, with MAX_STREAM_PROT_LEN defining the maximum message size (0x00FFFFFF bytes, approximately 16MB). The vulnerability mirrors a similar issue addressed in commit 77ffbcac4e56 for the kthread_run() failure path but was missed in the earlier alloc_transport() error handling.

RemediationAI

Upgrade the Linux kernel to a patched version: 6.6.136 or later in the 6.6.x series, 6.12.84 or later in the 6.12.x series, 7.0.2 or later in the 7.0.x series, or 7.1-rc1 or later in mainline. Patch commit references are available at https://git.kernel.org/stable/c/283027aa93380380a0994f35dde3ec95318f2654 (6.6), https://git.kernel.org/stable/c/295a9fc6789d1011c36ded9f0f2907bb34fa0de4 (6.12), https://git.kernel.org/stable/c/6551300dc452ac16a855a83dbd1e74899542d3b3 (7.0), and https://git.kernel.org/stable/c/97f8d2648ef4871e4cd335e2d769cb40054a6772 (7.1). If immediate patching is not feasible, implement these compensating controls with noted trade-offs: (1) Unload the ksmbd module and use userspace Samba instead (eliminates vulnerability but requires service migration and configuration changes), (2) Restrict TCP port 445 access to trusted networks only via firewall rules (reduces attack surface but may break legitimate remote access), (3) Increase max_connections parameter in ksmbd configuration to provide headroom against organic leaks (delays exhaustion but does not prevent it and increases memory footprint), or (4) Implement connection rate limiting at the network edge to slow deliberate exhaustion attempts (mitigates active attacks but does not address organic allocation failures). Note that temporary mitigation via ksmbd module reload clears the leaked counter but requires service interruption and does not prevent recurrence.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-26520 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy