CVE-2026-31409
Analyzed Analyzed - Analysis Complete
Use-After-Free in Linux ksmbd Binding State Handling

Publication date: 2026-04-06

Last updated on: 2026-06-01

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: ksmbd: unset conn->binding on failed binding request When a multichannel SMB2_SESSION_SETUP request with SMB2_SESSION_REQ_FLAG_BINDING fails ksmbd sets conn->binding = true but never clears it on the error path. This leaves the connection in a binding state where all subsequent ksmbd_session_lookup_all() calls fall back to the global sessions table. This fix it by clearing conn->binding = false in the error path.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-06
Last Modified
2026-06-01
Generated
2026-06-16
AI Q&A
2026-04-06
EPSS Evaluated
2026-06-14
NVD
CVE-2026-31409
EUVD
EUVD-2026-19195
Affected Vendors & Products
Showing 9 associated CPEs
Vendor Product Version / Range
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 6.2 (inc) to 6.6.130 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.78 (exc)
linux linux_kernel From 6.13 (inc) to 6.18.20 (exc)
linux linux_kernel From 6.19 (inc) to 6.19.10 (exc)
linux linux_kernel From 5.15 (inc) to 6.1.167 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

This vulnerability in the Linux kernel's ksmbd component can cause a connection to remain in a binding state incorrectly after a failed SMB2_SESSION_SETUP request with the SMB2_SESSION_REQ_FLAG_BINDING flag. As a result, subsequent session lookup calls fall back to the global sessions table, which may lead to unexpected behavior in SMB session management.

Executive Summary

This vulnerability occurs in the Linux kernel's ksmbd component, specifically related to handling multichannel SMB2_SESSION_SETUP requests with the SMB2_SESSION_REQ_FLAG_BINDING flag.

When such a binding request fails, ksmbd incorrectly sets the connection's binding state (conn->binding) to true but does not clear it on the error path. This leaves the connection in an incorrect binding state.

As a result, all subsequent session lookup calls (ksmbd_session_lookup_all()) fall back to the global sessions table instead of the intended binding context. The fix involves clearing the binding state (conn->binding = false) when the binding request fails.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-31409. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart