CVE-2026-31444
Received - Intake
Use-After-Free and NULL Dereference in Linux ksmbd Oplock Handling

Publication date: 2026-04-22

Last updated on: 2026-04-27

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

ksmbd: fix use-after-free and NULL deref in smb_grant_oplock()

smb_grant_oplock() has two issues in the oplock publication sequence:

1) opinfo is linked into ci->m_op_list (via opinfo_add) before add_lease_global_list() is called. If add_lease_global_list() fails (kmalloc returns NULL), the error path frees the opinfo via __free_opinfo() while it is still linked in ci->m_op_list. Concurrent m_op_list readers (opinfo_get_list, or direct iteration in smb_break_all_levII_oplock) dereference the freed node.

2) opinfo->o_fp is assigned after add_lease_global_list() publishes the opinfo on the global lease list. A concurrent find_same_lease_key() can walk the lease list and dereference opinfo->o_fp->f_ci while o_fp is still NULL.

Fix by restructuring the publication sequence to eliminate post-publish failure:

- Set opinfo->o_fp before any list publication (fixes NULL deref).
- Preallocate lease_table via alloc_lease_table() before opinfo_add() so add_lease_global_list() becomes infallible after publication.
- Keep the original m_op_list publication order (opinfo_add before lease list) so concurrent opens via same_client_has_lease() and opinfo_get_list() still see the in-flight grant.
- Use opinfo_put() instead of __free_opinfo() on err_out so that the RCU-deferred free path is used.

This also requires splitting add_lease_global_list() to take a preallocated lease_table and changing its return type from int to void, since it can no longer fail.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-04-22
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 2 associated CPEs
Vendor         Product        Version / Range
linux_kernel   linux_kernel   *
linux_kernel   ksmbd          *
CWE ID: CWE-UNKNOWN
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is in ksmbd, the Linux kernel's in-kernel SMB server, specifically in smb_grant_oplock(), the function that grants an oplock or lease to a client and publishes the new oplock_info (opinfo) on two lists. Two things go wrong in the order in which that publication happens:

  • First, the opinfo is linked into ci->m_op_list (by opinfo_add()) before add_lease_global_list() runs. If add_lease_global_list() fails because its kmalloc() returns NULL, the error path frees the opinfo with __free_opinfo() while the node is still linked. Any concurrent reader of ci->m_op_list, such as opinfo_get_list() or the direct iteration in smb_break_all_levII_oplock(), then dereferences freed memory: a use-after-free.
  • Second, opinfo->o_fp is assigned only after add_lease_global_list() has published the opinfo on the global lease list. A concurrent find_same_lease_key() walking that list reaches opinfo->o_fp->f_ci while o_fp is still NULL: a NULL pointer dereference.

The fix reorders the sequence so that nothing can fail after publication: opinfo->o_fp is set before the opinfo is placed on any list, the lease_table is preallocated with alloc_lease_table() before opinfo_add() so that add_lease_global_list() can no longer fail (its return type becomes void), and the error path frees through opinfo_put() rather than __free_opinfo(), so the free is RCU-deferred and a reader that already holds the node is not left with dangling memory.
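The two orderings described in the Description and in the explanation above, as an added example that is not part of this advisory or of ksmbd: a single-threaded C model of the publication sequence. The function and list names (opinfo_add, add_lease_global_list, alloc_lease_table, ci->m_op_list, the global lease list, and the readers opinfo_get_list/smb_break_all_levII_oplock/find_same_lease_key) are taken from the description; every body, every struct field, the fault-injection flag that stands in for kmalloc() returning NULL, observe() standing in for a concurrent reader, and the run_scenario()/outcome wrapper are assumptions made for this model. Instead of crashing, a "freed" node is flagged so the walker can count what it would have dereferenced.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Single-threaded model of the smb_grant_oplock() publication sequence. Names
 * mirror the kernel's, but every body is a stand-in written for this example,
 * not ksmbd code; observe() plays the concurrent list walker and records what
 * it would have dereferenced at that instant instead of crashing. */
struct ksmbd_file { int id; };
/* o_fp is what lease walkers dereference (o_fp->f_ci); freed is instrumentation
 * set by the fake free so a dangling ci->m_op_list link stays detectable. */
struct oplock_info { struct ksmbd_file *o_fp; struct oplock_info *next; bool freed; };
struct lease_table { struct oplock_info *opinfo; struct lease_table *next; };
struct outcome { int ret, uaf, null_deref; };

static struct oplock_info *m_op_list;   /* stands in for ci->m_op_list */
static struct lease_table *lease_list;  /* stands in for the global lease list */
static bool fail_lease_alloc;           /* fault injection: kmalloc returns NULL */

static struct lease_table *alloc_lease_table(void)
{ return fail_lease_alloc ? NULL : calloc(1, sizeof(struct lease_table)); }
static void opinfo_add(struct oplock_info *o) { o->next = m_op_list; m_op_list = o; }
static void add_lease_global_list(struct oplock_info *o, struct lease_table *lt)
{ lt->opinfo = o; lt->next = lease_list; lease_list = lt; }

/* What concurrent readers would hit right now. */
static void observe(struct outcome *out)
{
	/* opinfo_get_list() / smb_break_all_levII_oplock() walk ci->m_op_list */
	for (struct oplock_info *o = m_op_list; o; o = o->next)
		out->uaf += o->freed;
	/* find_same_lease_key() walks the lease list down to opinfo->o_fp->f_ci */
	for (struct lease_table *lt = lease_list; lt; lt = lt->next) {
		if (lt->opinfo->freed)
			out->uaf++;
		else if (!lt->opinfo->o_fp)
			out->null_deref++;
	}
}

/* Pre-fix ordering: publish, then the fallible allocation, then o_fp. */
static int grant_vulnerable(struct ksmbd_file *fp, struct outcome *out)
{
	struct oplock_info *opinfo = calloc(1, sizeof(*opinfo));
	if (!opinfo) return -ENOMEM;
	opinfo_add(opinfo);                 /* on m_op_list, o_fp still NULL */
	struct lease_table *lt = alloc_lease_table();
	if (!lt) {
		opinfo->freed = true;           /* __free_opinfo() while still linked */
		observe(out);                   /* m_op_list reader: use-after-free */
		return -ENOMEM;
	}
	add_lease_global_list(opinfo, lt);  /* on the lease list, o_fp still NULL */
	observe(out);                       /* find_same_lease_key(): NULL deref */
	opinfo->o_fp = fp;
	return 0;
}

/* Fixed ordering: o_fp and the fallible allocation precede any publication. */
static int grant_fixed(struct ksmbd_file *fp, struct outcome *out)
{
	struct oplock_info *opinfo = calloc(1, sizeof(*opinfo));
	if (!opinfo) return -ENOMEM;
	opinfo->o_fp = fp;
	struct lease_table *lt = alloc_lease_table();
	if (!lt) {
		free(opinfo);                   /* never published: no reader holds it */
		return -ENOMEM;
	}
	opinfo_add(opinfo);
	observe(out);
	add_lease_global_list(opinfo, lt);  /* void after the fix: cannot fail */
	observe(out);
	return 0;
}

static void reset_lists(void)
{
	for (struct lease_table *lt; (lt = lease_list); free(lt)) lease_list = lt->next;
	for (struct oplock_info *o; (o = m_op_list); free(o)) m_op_list = o->next;
}

/* Runs one grant under the chosen ordering and allocation outcome. */
struct outcome run_scenario(bool vulnerable, bool lease_alloc_fails)
{
	struct outcome out = {0}; struct ksmbd_file fp = { .id = 1 };
	reset_lists();
	fail_lease_alloc = lease_alloc_fails;
	out.ret = vulnerable ? grant_vulnerable(&fp, &out) : grant_fixed(&fp, &out);
	reset_lists();
	return out;
}

int main(void)
{
	for (int v = 1; v >= 0; v--)
		for (int f = 0; f < 2; f++) {
			struct outcome o = run_scenario(v, f);
			printf("%s, lease alloc %s: uaf=%d null_deref=%d\n",
			       v ? "vulnerable" : "fixed", f ? "fails" : "ok", o.uaf, o.null_deref);
		}
	return 0;
}
```

With the pre-fix ordering the walker reports null_deref=1 when the allocation succeeds (the opinfo is on the lease list before o_fp is set) and uaf=1 when it fails (the node is freed while still linked in m_op_list); with the fixed ordering both counters stay at zero in either case, because the only step that can fail now happens before the opinfo is on any list. The model deliberately does not reproduce the RCU-deferred opinfo_put() path, which in the kernel also protects error paths that run after publication.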


How can this vulnerability impact me?

Both bugs sit in kernel code that runs while ksmbd is servicing SMB open requests, so they are reachable by any client that can connect to a share on a host where the ksmbd server is enabled and running; hosts that do not run ksmbd are not exposed. The NULL dereference needs only a race between two lease-bearing opens, one still publishing its opinfo while the other walks the lease list, and the result is a kernel oops, that is, a crash of the whole host rather than of a single service (denial of service). The use-after-free additionally requires the kmalloc() in add_lease_global_list() to fail, which in practice means memory pressure, together with a concurrent reader of ci->m_op_list during the window. A use-after-free in kernel memory is a stronger primitive than a crash and can in principle be developed into code execution in kernel context, but this advisory records no public exploit, so the realistic outcome to plan for is denial of service against the SMB server host.


What immediate steps should I take to mitigate this vulnerability?

Upgrade to a kernel that carries the ksmbd fix for smb_grant_oplock(); the kernel.org CVE announcement and your distribution's security tracker list the fixed mainline and stable versions, and distribution kernels backport the change under this CVE ID.

The fix restructures the oplock publication sequence so that nothing can fail after the opinfo is published: opinfo->o_fp is set before any list publication, lease_table is preallocated so add_lease_global_list() becomes infallible, and the error path frees through opinfo_put() so the free is RCU-deferred.

Until the kernel is updated, reduce exposure. ksmbd is only reachable when the kernel module is loaded and the ksmbd.mountd daemon has started the server, so on hosts that do not export SMB shares, do not load (or blacklist) the module and do not run ksmbd.mountd. On hosts that do, restrict the SMB port (445/tcp) to the clients that need the shares, since the race is driven by client open requests. Note that the use-after-free also depends on a kernel allocation failing, so it is most likely under memory pressure; the NULL dereference needs no such condition.

