Skip to main content

Linux ksmbd EUVDEUVD-2026-26526

| CVE-2026-31717 HIGH
2026-05-01 416baaa9-dc9f-4396-8d5f-8c081fb06d67
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

7
Analysis Generated
May 03, 2026 - 07:26 vuln.today
CVSS changed
May 03, 2026 - 07:22 NVD
8.8 (HIGH)
Patch released
May 03, 2026 - 07:16 nvd
Patch available
Patch available
May 01, 2026 - 15:02 EUVD
EUVD ID Assigned
May 01, 2026 - 14:22 euvd
EUVD-2026-26526
Analysis Generated
May 01, 2026 - 14:22 vuln.today
CVE Published
May 01, 2026 - 14:16 nvd
HIGH 8.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: validate owner of durable handle on reconnect

Currently, ksmbd does not verify if the user attempting to reconnect to a durable handle is the same user who originally opened the file. This allows any authenticated user to hijack an orphaned durable handle by predicting or brute-forcing the persistent ID.

According to MS-SMB2, the server MUST verify that the SecurityContext of the reconnect request matches the SecurityContext associated with the existing open. Add a durable_owner structure to ksmbd_file to store the original opener's UID, GID, and account name. and catpure the owner information when a file handle becomes orphaned. and implementing ksmbd_vfs_compare_durable_owner() to validate the identity of the requester during SMB2_CREATE (DHnC).

AnalysisAI

Authentication bypass in Linux kernel's ksmbd SMB server allows any authenticated SMB user to hijack orphaned durable file handles by predicting persistent IDs, enabling unauthorized file access with the original owner's privileges. The flaw violates MS-SMB2 requirements for SecurityContext validation during durable handle reconnection. Vendor patches are available across multiple stable kernel branches (6.18.25, 7.0.2, 7.1-rc1). EPSS exploitation probability is low at 0.02% (4th percentile), and no active exploitation or public POC has been identified. CVSS 8.8 reflects high impact but requires low-privilege authentication.

Technical ContextAI

This vulnerability affects ksmbd, the in-kernel SMB3 server implementation introduced in Linux 5.15. Durable handles are an SMB2+ feature allowing clients to maintain file access across network interruptions or client reconnections. Per MS-SMB2 specification section 3.3.5.9, servers must verify that the SecurityContext (authentication credentials) of a reconnection request matches the original opener's context. The ksmbd implementation failed to capture and validate the original opener's UID, GID, and account name when processing SMB2_CREATE requests with Durable Handle Reconnect (DHnC) flags. This created a time-of-check-to-time-of-use (TOCTOU) race where orphaned handles (from disconnected sessions) remained accessible without ownership verification. The patch introduces a durable_owner structure to ksmbd_file and implements ksmbd_vfs_compare_durable_owner() for identity validation during handle reconnection attempts.

RemediationAI

Primary remediation is upgrading to patched kernel versions: 6.18.25, 7.0.2, or 7.1-rc1 and later from the stable kernel tree. Enterprise Linux users should apply distribution-specific updates when available through their vendor's security update channels (e.g., Red Hat RHSA, Ubuntu USN, SUSE SUSE-SU advisories). Organizations unable to immediately patch can implement these compensating controls: (1) Disable ksmbd module entirely if not required (rmmod ksmbd and blacklist in /etc/modprobe.d/), noting this eliminates all in-kernel SMB server functionality; (2) Restrict SMB client access to trusted networks only via firewall rules on TCP 445/139, accepting the trade-off of reduced remote accessibility; (3) Limit SMB user accounts to least-privilege access and implement strict file ACLs, reducing impact of handle hijacking but not preventing the vulnerability; (4) Monitor kernel logs for unusual SMB2_CREATE DHnC requests from unexpected users via auditd rules, though this provides detection not prevention. The durable handle timeout setting cannot mitigate this issue as orphaned handles remain vulnerable during their entire lifetime. Patching remains the only complete fix. Reference: https://git.kernel.org/stable/c/c908c853f304a4969b5aa10eba0b50350cc65b80

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-26526 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy