Skip to main content

Linux Kernel ksmbd EUVDEUVD-2026-26527

| CVE-2026-31718 CRITICAL
Use After Free (CWE-416)
2026-05-01 416baaa9-dc9f-4396-8d5f-8c081fb06d67
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
SUSE
CRITICAL
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

7
Analysis Generated
May 03, 2026 - 07:27 vuln.today
CVSS changed
May 03, 2026 - 07:22 NVD
9.8 (CRITICAL)
Patch released
May 03, 2026 - 07:16 nvd
Patch available
Patch available
May 01, 2026 - 15:02 EUVD
EUVD ID Assigned
May 01, 2026 - 14:22 euvd
EUVD-2026-26527
Analysis Generated
May 01, 2026 - 14:22 vuln.today
CVE Published
May 01, 2026 - 14:16 nvd
CRITICAL 9.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: fix use-after-free in __ksmbd_close_fd() via durable scavenger

When a durable file handle survives session disconnect (TCP close without SMB2_LOGOFF), session_fd_check() sets fp->conn = NULL to preserve the handle for later reconnection. However, it did not clean up the byte-range locks on fp->lock_list.

Later, when the durable scavenger thread times out and calls __ksmbd_close_fd(NULL, fp), the lock cleanup loop did:

spin_lock(&fp->conn->llist_lock);

This caused a slab use-after-free because fp->conn was NULL and the original connection object had already been freed by ksmbd_tcp_disconnect().

The root cause is asymmetric cleanup: lock entries (smb_lock->clist) were left dangling on the freed conn->lock_list while fp->conn was nulled out.

To fix this issue properly, we need to handle the lifetime of smb_lock->clist across three paths:

  • Safely skip clist deletion when list is empty and fp->conn is NULL.
  • Remove the lock from the old connection's lock_list in

session_fd_check()

  • Re-add the lock to the new connection's lock_list in

ksmbd_reopen_durable_fd().

AnalysisAI

Use-after-free in Linux kernel ksmbd (SMB server) during durable file handle scavenging allows memory corruption and potential remote code execution. When a durable SMB2 file handle survives session disconnect, the cleanup path dereferences a freed connection object via NULL fp->conn pointer during lock cleanup, causing a slab use-after-free. Exploitation probability is extremely low (EPSS 0.02%, 5th percentile) with no active exploitation confirmed. Vendor patches available across multiple stable kernel branches (6.12.84, 6.18.25, 7.0.2, 7.1-rc1) address the asymmetric cleanup by properly managing byte-range lock lifetimes during durable handle reconnection.

Technical ContextAI

The vulnerability exists in ksmbd, the in-kernel SMB server implementation introduced in Linux 5.15. Durable file handles (SMB2 protocol feature) allow clients to maintain open file state across temporary disconnects. The bug affects the lock cleanup logic in __ksmbd_close_fd() called by the durable scavenger thread when handles timeout. When session_fd_check() nulls out fp->conn during disconnect but fails to clean up smb_lock entries from conn->lock_list, subsequent scavenger execution attempts to acquire conn->llist_lock through a NULL pointer, accessing previously freed memory. The root cause is a lifetime management bug where lock entries (smb_lock->clist) remain on the freed connection's lock_list while fp->conn is set to NULL, creating dangling pointers. The fix implements proper lock migration: removing locks from the old connection during disconnect and re-adding them to the new connection during durable handle reopening.

RemediationAI

Upgrade to patched Linux kernel versions: 6.12.84 or later in the 6.12.x series, 6.18.25 or later in 6.18.x series, 7.0.2 or later in 7.0.x series, or 7.1-rc1+ in mainline. Patches available at https://git.kernel.org/stable/c/b34fc42cfe922e551f7a27d3ac3bb016e41d7dd9 (6.12), https://git.kernel.org/stable/c/3d6682726c2d3a46d31dae88b8166786b09b03ad (6.18), https://git.kernel.org/stable/c/e33c65f011980b4ad4abfd93585ec2079856368f (7.0), and https://git.kernel.org/stable/c/235e32320a470fcd3998fb3774f2290a0eb302a1 (mainline). If immediate patching is not feasible, disable the ksmbd kernel module (rmmod ksmbd; systemctl disable ksmbd or equivalent) and use userspace Samba instead - note this requires service reconfiguration and will disrupt SMB file sharing. Alternatively, disable durable handle support in ksmbd configuration if supported by your version, though this may break compatibility with Windows clients. Restricting network access to SMB ports (445/tcp, 139/tcp) to trusted clients reduces attack surface but does not eliminate risk from authenticated users.

Vendor StatusVendor

SUSE

Severity: Critical
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-26527 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy