5.5
CVE-2026-31610
- EPSS 0.14%
- Veröffentlicht 24.04.2026 14:42:31
- Zuletzt bearbeitet 29.04.2026 16:51:02
- Quelle 416baaa9-dc9f-4396-8d5f-8c081f
- CVE-Watchlists
- Unerledigt
ksmbd: fix mechToken leak when SPNEGO decode fails after token alloc
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: fix mechToken leak when SPNEGO decode fails after token alloc
The kernel ASN.1 BER decoder calls action callbacks incrementally as it
walks the input. When ksmbd_decode_negTokenInit() reaches the mechToken
[2] OCTET STRING element, ksmbd_neg_token_alloc() allocates
conn->mechToken immediately via kmemdup_nul(). If a later element in
the same blob is malformed, then the decoder will return nonzero after
the allocation is already live. This could happen if mechListMIC [3]
overrunse the enclosing SEQUENCE.
decode_negotiation_token() then sets conn->use_spnego = false because
both the negTokenInit and negTokenTarg grammars failed. The cleanup at
the bottom of smb2_sess_setup() is gated on use_spnego:
if (conn->use_spnego && conn->mechToken) {
kfree(conn->mechToken);
conn->mechToken = NULL;
}
so the kfree is skipped, causing the mechToken to never be freed.
This codepath is reachable pre-authentication, so untrusted clients can
cause slow memory leaks on a server without even being properly
authenticated.
Fix this up by not checking check for use_spnego, as it's not required,
so the memory will always be properly freed. At the same time, always
free the memory in ksmbd_conn_free() incase some other failure path
forgot to free it.Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Linux ≫ Linux Kernel Version >= 5.15 < 6.6.136
Linux ≫ Linux Kernel Version >= 6.7 < 6.12.83
Linux ≫ Linux Kernel Version >= 6.13 < 6.18.24
Linux ≫ Linux Kernel Version >= 6.19 < 6.19.14
Linux ≫ Linux Kernel Version >= 7.0 < 7.0.1
VulnDex Vulnerability Enrichment
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.14% | 0.034 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 5.5 | 1.8 | 3.6 |
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
|
CWE-401 Missing Release of Memory after Effective Lifetime
The product does not sufficiently track and release allocated memory after it has been used, making the memory unavailable for reallocation and reuse.
https://git.kernel.org/stable/c/dd577cb55588ec3fbc66af3621280306601c4192
https://git.kernel.org/stable/c/dd53414e301beb915fe672dc4c4a51bafb917604
https://git.kernel.org/stable/c/269c800a7a7e363459291885b35f7bc72e231ed6
https://git.kernel.org/stable/c/6c8c44e6553b9f072f62d9875e567766eb293162
https://git.kernel.org/stable/c/ad0057fb91218914d6c98268718ceb9d59b388e1
https://git.kernel.org/stable/c/745a535461bbb90a56d9357573c9f97a5c12abe1