5.5

CVE-2026-31610

ksmbd: fix mechToken leak when SPNEGO decode fails after token alloc

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: fix mechToken leak when SPNEGO decode fails after token alloc

The kernel ASN.1 BER decoder calls action callbacks incrementally as it
walks the input.  When ksmbd_decode_negTokenInit() reaches the mechToken
[2] OCTET STRING element, ksmbd_neg_token_alloc() allocates
conn->mechToken immediately via kmemdup_nul().  If a later element in
the same blob is malformed, then the decoder will return nonzero after
the allocation is already live.  This could happen if mechListMIC [3]
overrunse the enclosing SEQUENCE.

decode_negotiation_token() then sets conn->use_spnego = false because
both the negTokenInit and negTokenTarg grammars failed.  The cleanup at
the bottom of smb2_sess_setup() is gated on use_spnego:

	if (conn->use_spnego && conn->mechToken) {
		kfree(conn->mechToken);
		conn->mechToken = NULL;
	}

so the kfree is skipped, causing the mechToken to never be freed.

This codepath is reachable pre-authentication, so untrusted clients can
cause slow memory leaks on a server without even being properly
authenticated.

Fix this up by not checking check for use_spnego, as it's not required,
so the memory will always be properly freed.  At the same time, always
free the memory in ksmbd_conn_free() incase some other failure path
forgot to free it.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
LinuxLinux Kernel Version >= 5.15 < 6.6.136
LinuxLinux Kernel Version >= 6.7 < 6.12.83
LinuxLinux Kernel Version >= 6.13 < 6.18.24
LinuxLinux Kernel Version >= 6.19 < 6.19.14
LinuxLinux Kernel Version >= 7.0 < 7.0.1
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.14% 0.034
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 5.5 1.8 3.6
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CWE-401 Missing Release of Memory after Effective Lifetime

The product does not sufficiently track and release allocated memory after it has been used, making the memory unavailable for reallocation and reuse.

https://git.kernel.org/stable/c/dd577cb55588ec3fbc66af3621280306601c4192
Patch
https://git.kernel.org/stable/c/dd53414e301beb915fe672dc4c4a51bafb917604
Patch
https://git.kernel.org/stable/c/269c800a7a7e363459291885b35f7bc72e231ed6
Patch
https://git.kernel.org/stable/c/6c8c44e6553b9f072f62d9875e567766eb293162
Patch
https://git.kernel.org/stable/c/ad0057fb91218914d6c98268718ceb9d59b388e1
Patch
https://git.kernel.org/stable/c/745a535461bbb90a56d9357573c9f97a5c12abe1
Patch