CVE-2026-31409
Use-After-Free in Linux ksmbd Binding State Handling
Publication date: 2026-04-06
Last updated on: 2026-04-27
Assigner: kernel.org
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | kernel | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN | |
AI Powered Q&A
How can this vulnerability impact me?
This vulnerability in the Linux kernel's ksmbd component can cause a connection to remain in a binding state incorrectly after a failed SMB2_SESSION_SETUP request with the SMB2_SESSION_REQ_FLAG_BINDING flag. As a result, subsequent session lookup calls fall back to the global sessions table, which may lead to unexpected behavior in SMB session management.
Can you explain this vulnerability to me?
This vulnerability occurs in the Linux kernel's ksmbd component, specifically related to handling multichannel SMB2_SESSION_SETUP requests with the SMB2_SESSION_REQ_FLAG_BINDING flag.
When such a binding request fails, ksmbd has already set the connection's binding state (conn->binding) to true and does not clear it on the error path. This leaves the connection in an incorrect binding state.
As a result, all subsequent session lookup calls (ksmbd_session_lookup_all()) fall back to the global sessions table instead of the intended binding context. The fix involves clearing the binding state (conn->binding = false) when the binding request fails.
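The sticky flag and its fix, as an added user-space model that is not ksmbd source and not part of the original advisory. The struct layout, helper names and session ids are constructed for illustration; only `conn->binding` and the role of `ksmbd_session_lookup_all()` come from the description above, and the model assumes the global fallback is gated on the binding flag.

```c
/* Simplified user-space model of the flag handling; NOT ksmbd source.
 * Struct layout, helper names and session ids are constructed. */
#include <stdbool.h>
#include <stddef.h>
struct session { unsigned long long id; };
struct conn {
    bool binding;              /* models conn->binding */
    struct session *own;       /* session set up on this connection, if any */
};
/* Global sessions table (constructed): sessions owned by other connections. */
static struct session global_sessions[] = { { 0x1001 }, { 0x1002 } };

static struct session *lookup_global(unsigned long long id)
{
    for (size_t i = 0; i < sizeof(global_sessions) / sizeof(global_sessions[0]); i++)
        if (global_sessions[i].id == id)
            return &global_sessions[i];
    return NULL;
}

/* Models ksmbd_session_lookup_all(): global fallback only while binding. */
static struct session *lookup_all(struct conn *c, unsigned long long id)
{
    struct session *s = (c->own && c->own->id == id) ? c->own : NULL;
    if (!s && c->binding)
        s = lookup_global(id);
    return s;
}

/* Models a binding SESSION_SETUP that fails; `fixed` selects the patched path. */
static int failed_binding_setup(struct conn *c, bool fixed)
{
    c->binding = true;          /* set when the BINDING flag is seen */
    if (fixed)
        c->binding = false;     /* the fix: clear the flag on the error path */
    return -1;                  /* request rejected */
}

/* Returns 1 if a later, unrelated lookup still reaches the global table. */
int stale_global_lookup(bool fixed)
{
    struct conn c = { .binding = false, .own = NULL };
    failed_binding_setup(&c, fixed);
    return lookup_all(&c, 0x1002) != NULL;
}

int main(void)
{
    return (stale_global_lookup(false) == 1 && stale_global_lookup(true) == 0) ? 0 : 1;
}
```

In the model, the unpatched path leaves the flag set after the rejected request, so a later lookup on the same connection resolves a session it never established; with the flag cleared on the error path the same lookup returns nothing.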