CVE-2026-31409
Use-After-Free in Linux ksmbd Binding State Handling
Publication date: 2026-04-06
Last updated on: 2026-05-20
Assigner: kernel.org
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | 7.0 |
| linux | linux_kernel | From 6.2 (inc) to 6.6.130 (exc) |
| linux | linux_kernel | From 6.7 (inc) to 6.12.78 (exc) |
| linux | linux_kernel | From 6.13 (inc) to 6.18.20 (exc) |
| linux | linux_kernel | From 6.19 (inc) to 6.19.10 (exc) |
| linux | linux_kernel | From 5.15 (inc) to 6.1.167 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN | |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability occurs in the Linux kernel's ksmbd component, specifically related to handling multichannel SMB2_SESSION_SETUP requests with the SMB2_SESSION_REQ_FLAG_BINDING flag.
When such a binding request fails, ksmbd has already set the connection's binding state (conn->binding) to true and does not clear it on the error path. The connection is therefore left marked as binding even though the request failed.
As a result, all subsequent session lookup calls (ksmbd_session_lookup_all()) fall back to the global sessions table instead of the intended binding context. The fix involves clearing the binding state (conn->binding = false) when the binding request fails.
How can this vulnerability impact me?
This vulnerability in the Linux kernel's ksmbd component can cause a connection to remain in a binding state incorrectly after a failed SMB2_SESSION_SETUP request with the SMB2_SESSION_REQ_FLAG_BINDING flag. As a result, subsequent session lookup calls fall back to the global sessions table, which may lead to unexpected behavior in SMB session management.
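The stale-flag behaviour described in the answers above, as an added example that is not ksmbd source and not part of the original page: a simplified user-space C model of the unpatched and patched error paths. All struct and function names, the session ids and the lookup order are assumptions chosen to mirror the description.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Simplified user-space model of the state handling described above.
 * All types and function names are hypothetical, not ksmbd source. */
struct session { uint64_t id; };
struct conn {
    bool binding;          /* models conn->binding */
    struct session *own;   /* session established on this connection, if any */
};

/* Constructed sample data: sessions that belong to other connections. */
static struct session global_sessions[] = { { 0x1001 }, { 0x1002 } };

static struct session *lookup_global(uint64_t id)
{
    for (size_t i = 0; i < sizeof(global_sessions) / sizeof(global_sessions[0]); i++)
        if (global_sessions[i].id == id)
            return &global_sessions[i];
    return NULL;
}

/* Models ksmbd_session_lookup_all(): the connection's own session first, then
 * the global table, but only while the connection is marked as binding. */
static struct session *lookup_all(struct conn *c, uint64_t id)
{
    if (c->own && c->own->id == id)
        return c->own;
    return c->binding ? lookup_global(id) : NULL;
}

/* Models a SESSION_SETUP with the binding flag. auth_ok stands in for every
 * check that can fail; patched selects the corrected error path. */
static int session_setup_binding(struct conn *c, uint64_t id, bool auth_ok, bool patched)
{
    struct session *s = lookup_global(id);

    c->binding = true;
    if (!s || !auth_ok) {
        if (patched)
            c->binding = false;   /* the fix: clear the flag on failure */
        return -1;
    }
    c->own = s;
    return 0;
}
```

In the unpatched model a failed request leaves `binding` set, so later lookups on that connection still consult the global table; with the flag cleared on failure they do not.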