CVE-2026-31717
Received Received - Intake
ksmbd Durable Handle Owner Validation Flaw

Publication date: 2026-05-01

Last updated on: 2026-06-01

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: ksmbd: validate owner of durable handle on reconnect Currently, ksmbd does not verify if the user attempting to reconnect to a durable handle is the same user who originally opened the file. This allows any authenticated user to hijack an orphaned durable handle by predicting or brute-forcing the persistent ID. According to MS-SMB2, the server MUST verify that the SecurityContext of the reconnect request matches the SecurityContext associated with the existing open. Add a durable_owner structure to ksmbd_file to store the original opener's UID, GID, and account name. and catpure the owner information when a file handle becomes orphaned. and implementing ksmbd_vfs_compare_durable_owner() to validate the identity of the requester during SMB2_CREATE (DHnC).
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-01
Last Modified
2026-06-01
Generated
2026-06-16
AI Q&A
2026-05-01
EPSS Evaluated
2026-06-15
NVD
CVE-2026-31717
EUVD
EUVD-2026-26526
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
linux linux_kernel From 6.6.32 (inc) to 6.7 (exc)
linux linux_kernel 7.1
linux linux_kernel From 6.19 (inc) to 7.0.2 (exc)
linux linux_kernel From 6.9 (inc) to 6.18.25 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's ksmbd component, where it fails to verify that the user attempting to reconnect to a durable handle is the same user who originally opened the file.

Because ksmbd does not check the owner of the durable handle on reconnect, any authenticated user can hijack an orphaned durable handle by predicting or brute-forcing its persistent ID.

The fix involves adding a durable_owner structure to store the original opener's user ID, group ID, and account name, and validating the identity of the requester during the reconnect process to ensure it matches the original owner.

Impact Analysis

This vulnerability can allow an authenticated user to hijack file handles that they do not own by reconnecting to orphaned durable handles.

Such unauthorized access could lead to data exposure, unauthorized file operations, or potential privilege escalation depending on the permissions associated with the hijacked handle.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-31717. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart