CVE-2026-31477
Received Received - Intake
Memory Leak and NULL Dereference in Linux ksmbd smb2_lock

Publication date: 2026-04-22

Last updated on: 2026-04-27

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix memory leaks and NULL deref in smb2_lock() smb2_lock() has three error handling issues after list_del() detaches smb_lock from lock_list at no_check_cl: 1) If vfs_lock_file() returns an unexpected error in the non-UNLOCK path, goto out leaks smb_lock and its flock because the out: handler only iterates lock_list and rollback_list, neither of which contains the detached smb_lock. 2) If vfs_lock_file() returns -ENOENT in the UNLOCK path, goto out leaks smb_lock and flock for the same reason. The error code returned to the dispatcher is also stale. 3) In the rollback path, smb_flock_init() can return NULL on allocation failure. The result is dereferenced unconditionally, causing a kernel NULL pointer dereference. Add a NULL check to prevent the crash and clean up the bookkeeping; the VFS lock itself cannot be rolled back without the allocation and will be released at file or connection teardown. Fix cases 1 and 2 by hoisting the locks_free_lock()/kfree() to before the if(!rc) check in the UNLOCK branch so all exit paths share one free site, and by freeing smb_lock and flock before goto out in the non-UNLOCK branch. Propagate the correct error code in both cases. Fix case 3 by wrapping the VFS unlock in an if(rlock) guard and adding a NULL check for locks_free_lock(rlock) in the shared cleanup. Found via call-graph analysis using sqry.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-22
Last Modified
2026-04-27
Generated
2026-05-27
AI Q&A
2026-04-22
EPSS Evaluated
2026-05-25
NVD
CVE-2026-31477
EUVD
EUVD-2026-24833
Affected Vendors & Products
Showing 13 associated CPEs
Vendor Product Version / Range
linux linux_kernel 5.15
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 6.13 (inc) to 6.18.21 (exc)
linux linux_kernel From 6.19 (inc) to 6.19.11 (exc)
linux linux_kernel From 6.2 (inc) to 6.6.131 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.80 (exc)
linux linux_kernel From 5.15.1 (inc) to 6.1.168 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-476 The product dereferences a pointer that it expects to be valid but is NULL.
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability impact me? :

This vulnerability can impact you by causing memory leaks in the kernel, which may degrade system performance or stability over time. Additionally, the NULL pointer dereference can lead to a kernel crash, resulting in a denial of service (system crash or reboot). These impacts can affect the reliability and availability of systems running the vulnerable Linux kernel.


What immediate steps should I take to mitigate this vulnerability?

The vulnerability in the Linux kernel's ksmbd smb2_lock() function involves memory leaks and a potential NULL pointer dereference. Immediate mitigation steps include updating the Linux kernel to a version where this issue is fixed, as the problem arises from error handling flaws in smb2_lock() that have been corrected by proper memory management and NULL checks.

Since the vulnerability is in the kernel code, applying the official patch or upgrading to a kernel version released after 2026-04-22 that includes the fix is the recommended action.


Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's ksmbd component, specifically in the smb2_lock() function. It involves three error handling issues that occur after detaching smb_lock from the lock_list. These issues cause memory leaks and a potential NULL pointer dereference (kernel crash) due to improper handling of locks and error codes during file locking operations.

  • 1) Memory leaks occur if vfs_lock_file() returns an unexpected error in the non-UNLOCK path because the detached smb_lock and its flock are not freed.
  • 2) Memory leaks also occur if vfs_lock_file() returns -ENOENT in the UNLOCK path, with an incorrect error code returned.
  • 3) A NULL pointer dereference can happen in the rollback path if smb_flock_init() fails to allocate memory, leading to a kernel crash.

The fix involves properly freeing the locks in all exit paths, propagating correct error codes, and adding NULL checks to prevent crashes.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart