CVE-2026-31718

EPSS 0.06%
Veröffentlicht 01.05.2026 14:16:21
Zuletzt bearbeitet 06.05.2026 21:07:36
Quelle 416baaa9-dc9f-4396-8d5f-8c081f
CVE-Watchlists
Login
Unerledigt
Login

ksmbd: fix use-after-free in __ksmbd_close_fd() via durable scavenger

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: fix use-after-free in __ksmbd_close_fd() via durable scavenger

When a durable file handle survives session disconnect (TCP close without
SMB2_LOGOFF), session_fd_check() sets fp->conn = NULL to preserve the
handle for later reconnection. However, it did not clean up the byte-range
locks on fp->lock_list.

Later, when the durable scavenger thread times out and calls
__ksmbd_close_fd(NULL, fp), the lock cleanup loop did:

    spin_lock(&fp->conn->llist_lock);

This caused a slab use-after-free because fp->conn was NULL and the
original connection object had already been freed by
ksmbd_tcp_disconnect().

The root cause is asymmetric cleanup: lock entries (smb_lock->clist) were
left dangling on the freed conn->lock_list while fp->conn was nulled out.

To fix this issue properly, we need to handle the lifetime of
smb_lock->clist across three paths:
 - Safely skip clist deletion when list is empty and fp->conn is NULL.
 - Remove the lock from the old connection's lock_list in
   session_fd_check()
 - Re-add the lock to the new connection's lock_list in
   ksmbd_reopen_durable_fd().

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 7

NVD 5 VulnDex Vulnerability Enrichment 12

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Linux ≫ Linux Kernel Version >= 6.6.32 < 6.7

Linux ≫ Linux Kernel Version >= 6.9 < 6.12.84

Linux ≫ Linux Kernel Version >= 6.13 < 6.18.25

Linux ≫ Linux Kernel Version >= 6.19 < 7.0.2

Linux ≫ Linux Kernel Version7.1 Updaterc1

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.06%	0.178

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
416baaa9-dc9f-4396-8d5f-8c081fb06d67	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-416 Use After Free

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

https://git.kernel.org/stable/c/235e32320a470fcd3998fb3774f2290a0eb302a1

Patch

https://git.kernel.org/stable/c/3d6682726c2d3a46d31dae88b8166786b09b03ad

Patch

https://git.kernel.org/stable/c/b34fc42cfe922e551f7a27d3ac3bb016e41d7dd9

Patch

https://git.kernel.org/stable/c/e33c65f011980b4ad4abfd93585ec2079856368f

Patch

https://nvd.nist.gov/vuln/detail/CVE-2026-31718

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-31718

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-31718

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-31718