CVE-2026-31693
Missing Initialization in Linux Kernel CIFS Replay Code
Publication date: 2026-04-30
Last updated on: 2026-05-06
Assigner: kernel.org
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | From 6.13 (inc) to 6.18.16 (exc) |
| linux | linux_kernel | From 6.19 (inc) to 6.19.6 (exc) |
| linux | linux_kernel | From 6.8 (inc) to 6.12.75 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-908 | The product uses or accesses a resource that has not been initialized. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Linux kernel's CIFS (Common Internet File System) implementation. It involves missing initializations of certain local variables in parts of the code where a request can be replayed if necessary. Specifically, some code sections had labels marking the start of replayable requests, but failed to reinitialize variables properly before replaying. This could lead to unexpected behavior or errors during request replay.
How can this vulnerability impact me? :
The impact of this vulnerability could include incorrect or unpredictable behavior when replaying CIFS requests in the Linux kernel. Missing variable initializations might cause the system to process replayed requests improperly, potentially leading to data corruption, crashes, or other stability issues in systems using CIFS.