CVE-2026-31409 - Vulnerability Details

- ksmbd: unset conn->binding on failed binding request

Description

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: unset conn->binding on failed binding request

When a multichannel SMB2_SESSION_SETUP request with
SMB2_SESSION_REQ_FLAG_BINDING fails ksmbd sets conn->binding = true
but never clears it on the error path. This leaves the connection in
a binding state where all subsequent ksmbd_session_lookup_all() calls
fall back to the global sessions table. This fix it by clearing
conn->binding = false in the error path.

Published: 2026-04-06

Score: 8.8 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

In the Linux kernel’s SMB server component, an error path for SMB2_SESSION_SETUP requests that include the binding flag fails to clear the per‑connection binding indicator. The leftover flag causes subsequent session‑lookup functions to fall back to a global table rather than the per‑connection context, which can result in incorrect session matching and potential resource exhaustion. This flaw reflects a failure to handle an error condition (CWE‑390) and could be leveraged by an attacker to disrupt SMB services or consume kernel resources. The impact is confined to systems running a kernel that has not yet incorporated the patch that resets the binding flag.

Affected Systems

All Linux kernel installations that include the ksmbd SMB server are affected; no specific kernel releases are enumerated, indicating that any unfixed kernel could be vulnerable. This includes standard distributions whose kernels expose SMB port 445.

Risk and Exploitability

The CVSS score of 8.8 classifies the issue as high severity, yet the EPSS score of less than 1 % and the absence from the CISA KEV catalog suggest that exploitation is currently unlikely. The likely attack vector involves sending a malformed SMB2 request to a publicly reachable ksmbd instance; success would force the server into a repeated misclassification of session lookups, potentially leading to denial of service. No publicly demonstrated exploit is known, but the vulnerability remains relevant if the service is exposed.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`f5a544e3bab78142207e0242d22442db85ba1eff`	affected	< d073870dab8f6dadced81d13d273ff0b21cb7f4e
`f5a544e3bab78142207e0242d22442db85ba1eff`	affected	< 6ebef4a220a1ebe345de899ebb9ae394206fe921
`f5a544e3bab78142207e0242d22442db85ba1eff`	affected	< 89afe5e2dbea6e9d8e5f11324149d06fa3a4efca
`f5a544e3bab78142207e0242d22442db85ba1eff`	affected	< 9feb2d1bf86d9e5e66b8565f37f8d3a7d281a772
`f5a544e3bab78142207e0242d22442db85ba1eff`	affected	< 6260fc85ed1298a71d24a75d01f8b2e56d489a60
`f5a544e3bab78142207e0242d22442db85ba1eff`	affected	< 282343cf8a4a5a3603b1cb0e17a7083e4a593b03

Linux

affected

Version	Status	Constraints
`5.15`	affected	—
`0`	unaffected	< 5.15
`6.1.167`	unaffected	≤ 6.1.*
`6.6.130`	unaffected	≤ 6.6.*
`6.12.78`	unaffected	≤ 6.12.*
`6.18.20`	unaffected	≤ 6.18.*
`6.19.10`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,d073870dab8f6dadced81d13d273ff0b21cb7f4e)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,6ebef4a220a1ebe345de899ebb9ae394206fe921)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,89afe5e2dbea6e9d8e5f11324149d06fa3a4efca)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,9feb2d1bf86d9e5e66b8565f37f8d3a7d281a772)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,6260fc85ed1298a71d24a75d01f8b2e56d489a60)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,282343cf8a4a5a3603b1cb0e17a7083e4a593b03)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[6.1.167,6.2.0)`	unaffected	semver	—
`[6.6.130,6.7.0)`	unaffected	semver	—
`[6.12.78,6.13.0)`	unaffected	semver	—
`[6.18.20,6.19.0)`	unaffected	semver	—
`[6.19.10,6.20.0)`	unaffected	semver	—
`[7.0-rc5,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the Linux kernel to a version that includes the ksmbd binding‑flag reset patch
If a kernel upgrade cannot be applied immediately, stop or disable the ksmbd service to remove the vulnerable functionality
Configure firewall rules to block inbound SMB traffic (TCP 445) from untrusted networks until the patch is applied

Generated by OpenCVE AI on April 28, 2026 at 21:43 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.0003.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/282343cf8a4a5a3603b1cb0e17a7083e4a593b03
https://git.kernel.org/stable/c/6260fc85ed1298a71d24a75d01f8b2e56d489a60
https://git.kernel.org/stable/c/6ebef4a220a1ebe345de899ebb9ae394206fe921
https://git.kernel.org/stable/c/89afe5e2dbea6e9d8e5f11324149d06fa3a4efca
https://git.kernel.org/stable/c/9feb2d1bf86d9e5e66b8565f37f8d3a7d281a772
https://git.kernel.org/stable/c/d073870dab8f6dadced81d13d273ff0b21cb7f4e
https://lore.kernel.org/linux-cve-announce/2026040629-CVE-2026-31409-d22c@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-31409
https://www.cve.org/CVERecord?id=CVE-2026-31409

History

Mon, 27 Apr 2026 14:15:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}`

Tue, 07 Apr 2026 00:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-390
References		https://lore.kernel.org/linux-cve-announce/2026040629-CVE-2026-31409-d22c@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-31409 https://www.cve.org/CVERecord?id=CVE-2026-31409

Mon, 06 Apr 2026 09:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: ksmbd: unset conn->binding on failed binding request When a multichannel SMB2_SESSION_SETUP request with SMB2_SESSION_REQ_FLAG_BINDING fails ksmbd sets conn->binding = true but never clears it on the error path. This leaves the connection in a binding state where all subsequent ksmbd_session_lookup_all() calls fall back to the global sessions table. This fix it by clearing conn->binding = false in the error path.
Title		ksmbd: unset conn->binding on failed binding request
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/282343cf8a4a5a3603b1cb0e17a7083e4a593b03 https://git.kernel.org/stable/c/6260fc85ed1298a71d24a75d01f8b2e56d489a60 https://git.kernel.org/stable/c/6ebef4a220a1ebe345de899ebb9ae394206fe921 https://git.kernel.org/stable/c/89afe5e2dbea6e9d8e5f11324149d06fa3a4efca https://git.kernel.org/stable/c/9feb2d1bf86d9e5e66b8565f37f8d3a7d281a772 https://git.kernel.org/stable/c/d073870dab8f6dadced81d13d273ff0b21cb7f4e

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-04-06T07:38:21.223Z

Updated: 2026-04-27T14:02:56.938Z

Reserved: 2026-03-09T15:48:24.087Z

Link: CVE-2026-31409

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-04-06T08:16:38.943

Modified: 2026-04-27T14:16:37.107

Link: CVE-2026-31409

Redhat

Severity :

Publid Date: 2026-04-06T00:00:00Z

Links: CVE-2026-31409 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-28T21:45:26Z

Weaknesses

CWE-390

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object