CVE-2026-31718
Status: Received - Intake
Use-After-Free in ksmbd Linux Kernel SMB Server

Publication date: 2026-05-01

Last updated on: 2026-05-03

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

ksmbd: fix use-after-free in __ksmbd_close_fd() via durable scavenger

When a durable file handle survives session disconnect (TCP close without SMB2_LOGOFF), session_fd_check() sets fp->conn = NULL to preserve the handle for later reconnection. However, it did not clean up the byte-range locks on fp->lock_list.

Later, when the durable scavenger thread times out and calls __ksmbd_close_fd(NULL, fp), the lock cleanup loop did:

    spin_lock(&fp->conn->llist_lock);

This caused a slab use-after-free because fp->conn was NULL and the original connection object had already been freed by ksmbd_tcp_disconnect().

The root cause is asymmetric cleanup: lock entries (smb_lock->clist) were left dangling on the freed conn->lock_list while fp->conn was nulled out.

To fix this issue properly, we need to handle the lifetime of smb_lock->clist across three paths:
- Safely skip clist deletion when list is empty and fp->conn is NULL.
- Remove the lock from the old connection's lock_list in session_fd_check().
- Re-add the lock to the new connection's lock_list in ksmbd_reopen_durable_fd().
Meta Information
Published: 2026-05-01
Last Modified: 2026-05-03
Generated: 2026-05-06
AI Q&A: 2026-05-01
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor: linux_kernel
Product: ksmbd
Version / Range: *
CWE ID: CWE-UNKNOWN
AI Powered Q&A
How can this vulnerability impact me?

This vulnerability in the Linux kernel's ksmbd component can cause a use-after-free error when handling durable file handles after a session disconnect. This can lead to memory corruption or crashes in the kernel, potentially causing system instability or denial of service.


What immediate steps should I take to mitigate this vulnerability?

The vulnerability is fixed in the Linux kernel by properly handling the lifetime of smb_lock->clist across three paths: safely skipping clist deletion when the list is empty and fp->conn is NULL, removing the lock from the old connection's lock_list in session_fd_check(), and re-adding the lock to the new connection's lock_list in ksmbd_reopen_durable_fd().

Therefore, the immediate mitigation step is to update your Linux kernel to a version that includes this fix.


Can you explain this vulnerability to me?

This vulnerability is a use-after-free issue in the Linux kernel's ksmbd component, specifically in the __ksmbd_close_fd() function related to durable file handles.

When a durable file handle survives a session disconnect (such as a TCP close without SMB2_LOGOFF), the system sets a connection pointer to NULL to preserve the handle for later reconnection. However, it fails to clean up byte-range locks associated with that handle.

Later, a scavenger thread attempts to clean up these locks but tries to access a connection object that has already been freed, causing a use-after-free error. This happens because the cleanup code tries to lock a spinlock on a NULL pointer, leading to accessing freed memory.

The root cause is asymmetric cleanup where lock entries remain dangling on a freed connection's lock list while the connection pointer is set to NULL. The fix involves properly managing the lifetime of these lock entries across different code paths to avoid accessing freed memory.
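The asymmetric cleanup described in the commit message and in the explanation above, as an added userspace model that is not ksmbd or kernel code: each lock sits on both fp->lock_list and conn->lock_list through a minimal list_head, and scenario() replays disconnect, scavenger timeout and reconnect with and without the three-path fix. The freed flag, the -1 return code and the simplified struct layouts are assumptions of the model.

```c
#include <stddef.h>
/* Added userspace model of the advisory's objects (not ksmbd code). Each lock is linked on
 * two intrusive lists at once: fp->lock_list via llist and conn->lock_list via clist. */
struct list_head { struct list_head *next, *prev; };
static void list_init(struct list_head *h) { h->next = h->prev = h; }
static int list_empty(const struct list_head *h) { return h->next == h; }
static void list_add(struct list_head *n, struct list_head *h) { n->next = h->next; n->prev = h; h->next->prev = n; h->next = n; }
static void list_del_init(struct list_head *n) { n->prev->next = n->next; n->next->prev = n->prev; list_init(n); }
struct ksmbd_conn { int freed; struct list_head lock_list; };   /* freed: model flag, stands for the kfree() */
struct smb_lock { struct list_head llist, clist; };
struct ksmbd_file { struct ksmbd_conn *conn; struct list_head lock_list; };
#define LOCK_OF(p) ((struct smb_lock *)((char *)(p) - offsetof(struct smb_lock, llist)))
#define FOR_EACH_LOCK(p, fp) for (struct list_head *p = (fp)->lock_list.next; p != &(fp)->lock_list; p = p->next)
static void add_lock(struct ksmbd_file *fp, struct smb_lock *l)
{ list_add(&l->llist, &fp->lock_list); list_add(&l->clist, &fp->conn->lock_list); }
/* TCP close without SMB2_LOGOFF: keep the durable handle, drop its conn; with the fix
 * (unlink_clist = 1) every clist is also unlinked from the dying connection's lock_list. */
static void session_fd_check(struct ksmbd_file *fp, int unlink_clist)
{
    if (unlink_clist) FOR_EACH_LOCK(p, fp) list_del_init(&LOCK_OF(p)->clist);
    fp->conn = NULL;
}
/* Reconnect: re-add the surviving locks to the new connection's lock_list. */
static void ksmbd_reopen_durable_fd(struct ksmbd_file *fp, struct ksmbd_conn *c)
{
    fp->conn = c;
    FOR_EACH_LOCK(p, fp) list_add(&LOCK_OF(p)->clist, &c->lock_list);
}
/* Scavenger/close path: returns locks released, or -1 where the original code would have run
 * spin_lock(&fp->conn->llist_lock) through a NULL fp->conn whose object was already freed. */
static int ksmbd_close_fd(struct ksmbd_file *fp)
{
    int n = 0;
    for (; !list_empty(&fp->lock_list); n++) {
        struct smb_lock *l = LOCK_OF(fp->lock_list.next);
        if (fp->conn == NULL && list_empty(&l->clist)) { list_del_init(&l->llist); continue; } /* fix */
        if (fp->conn == NULL || fp->conn->freed) return -1;
        list_del_init(&l->clist); list_del_init(&l->llist);
    }
    return n;
}
/* Replays the advisory's sequence: open, two locks, TCP disconnect, then scavenger timeout or reconnect, then close. */
static int scenario(int fixed, int reconnect)
{
    struct ksmbd_conn old_conn = { 0 }, new_conn = { 0 }; struct smb_lock a, b; struct ksmbd_file fp = { &old_conn };
    list_init(&old_conn.lock_list); list_init(&new_conn.lock_list); list_init(&fp.lock_list);
    add_lock(&fp, &a); add_lock(&fp, &b); session_fd_check(&fp, fixed); old_conn.freed = 1; /* ksmbd_tcp_disconnect() */
    if (reconnect) ksmbd_reopen_durable_fd(&fp, &new_conn);
    return ksmbd_close_fd(&fp);
}
```

scenario(0, 0) returns -1 (the unfixed scavenger path reaches the freed connection), while scenario(1, 0) and scenario(1, 1) release both locks cleanly.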

