Description
In the Linux kernel, the following vulnerability has been resolved:

ksmbd: fix memory leaks and NULL deref in smb2_lock()

smb2_lock() has three error handling issues after list_del() detaches
smb_lock from lock_list at no_check_cl:

1) If vfs_lock_file() returns an unexpected error in the non-UNLOCK
path, goto out leaks smb_lock and its flock because the out:
handler only iterates lock_list and rollback_list, neither of
which contains the detached smb_lock.

2) If vfs_lock_file() returns -ENOENT in the UNLOCK path, goto out
leaks smb_lock and flock for the same reason. The error code
returned to the dispatcher is also stale.

3) In the rollback path, smb_flock_init() can return NULL on
allocation failure. The result is dereferenced unconditionally,
causing a kernel NULL pointer dereference. Add a NULL check to
prevent the crash and clean up the bookkeeping; the VFS lock
itself cannot be rolled back without the allocation and will be
released at file or connection teardown.

Fix cases 1 and 2 by hoisting the locks_free_lock()/kfree() to before
the if(!rc) check in the UNLOCK branch so all exit paths share one
free site, and by freeing smb_lock and flock before goto out in the
non-UNLOCK branch. Propagate the correct error code in both cases.
Fix case 3 by wrapping the VFS unlock in an if(rlock) guard and adding
a NULL check for locks_free_lock(rlock) in the shared cleanup.

Found via call-graph analysis using sqry.
Published: 2026-04-22
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Kernel Null Pointer Dereference (Denial of Service)
Action: Patch
AI Analysis

Impact

This flaw is in ksmbd, the Linux kernel's in-kernel SMB server, in the SMB2 LOCK handler smb2_lock(). Once list_del() has detached an smb_lock from lock_list, two error paths (an unexpected vfs_lock_file() error while locking, and -ENOENT while unlocking) jump to the shared out: cleanup, which walks only lock_list and rollback_list, so the detached smb_lock and its flock (the VFS file_lock) are never freed; the -ENOENT path also returns a stale error code. In the rollback path, the file_lock returned by smb_flock_init() is used without checking for allocation failure, so an allocation failure there is a kernel NULL pointer dereference and a crash of the whole host. The leaks need only an error return from vfs_lock_file() and so are the readily repeatable part; the NULL dereference additionally needs the allocation to fail, which a client cannot trigger directly. Either outcome is a denial of service against the SMB-serving host. The CWE mapping is CWE-476 (NULL pointer dereference).
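The three error paths in the commit message, modelled as an added example that is not ksmbd code: the intrusive list, the allocator, vfs_lock_file() and smb_flock_init() are stand-ins (pop(), xalloc(), the vfs_rc field and the rollback_alloc_fails flag are this example's own), so that the leak shows up as a live-allocation count and the NULL dereference as a flag instead of a crash. The control flow around list_del(), goto out and the rollback loop follows the description; the response status propagation of case 2 is not modelled.

```c
/* Added example, not ksmbd code: a stand-alone model of the smb2_lock()
 * error paths described in the commit message. The list, allocator and
 * VFS calls are stand-ins; the goto out / rollback structure is the point. */
#include <errno.h>
#include <stdlib.h>
#include <stddef.h>

static int live_allocs;     /* outstanding allocations; a leak leaves this > 0 */

static void *xalloc(size_t n)
{
	void *p = calloc(1, n);
	if (p)
		live_allocs++;
	return p;
}

static void xfree(void *p)
{
	if (p) {
		live_allocs--;
		free(p);
	}
}

struct flock_node { int start, len; };   /* stands in for struct file_lock */

struct smb_lock_node {
	struct smb_lock_node *next;          /* stands in for the llist link */
	struct flock_node *fl;               /* the "flock" of the description */
	int unlock;                          /* SMB2_LOCKFLAG_UNLOCK set? */
	int vfs_rc;                          /* what the stand-in vfs_lock_file() returns */
};

struct result {
	int rc;        /* error code the handler ends with */
	int leaked;    /* allocations still live after cleanup */
	int crashed;   /* 1 where the unfixed kernel would dereference NULL */
};

/* list_del() for the head element. */
static struct smb_lock_node *pop(struct smb_lock_node **head)
{
	struct smb_lock_node *n = *head;
	if (n)
		*head = n->next;
	return n;
}

/* locks_free_lock(smb_lock->fl); kfree(smb_lock); */
static void free_node(struct smb_lock_node *n)
{
	xfree(n->fl);
	xfree(n);
}

static struct result finish(int rc, int crashed)
{
	struct result r = { rc, live_allocs, crashed };
	live_allocs = 0;   /* reset so each run is measured on its own */
	return r;
}

/* One LOCK request with two ranges: the first is always granted (so the
 * rollback loop has something to undo), the second gets vfs_rc.
 * rollback_alloc_fails: make the rollback's smb_flock_init() return NULL.
 * fixed: apply the commit's changes. Request allocations are assumed to succeed. */
static struct result run_smb2_lock(int unlock, int vfs_rc, int rollback_alloc_fails, int fixed)
{
	struct smb_lock_node *lock_list = NULL, *rollback_list = NULL, *smb_lock, *n;
	struct flock_node *rlock;
	int rc = 0, crashed = 0, i;

	for (i = 1; i >= 0; i--) {           /* build lock_list, granted range first */
		n = xalloc(sizeof *n);
		n->fl = xalloc(sizeof *n->fl);
		n->unlock = unlock;
		n->vfs_rc = i ? vfs_rc : 0;
		n->next = lock_list;
		lock_list = n;
	}

	while ((smb_lock = pop(&lock_list)) != NULL) {   /* no_check_cl: list_del() */
		rc = smb_lock->vfs_rc;                       /* vfs_lock_file(filp, cmd, flock, NULL) */
		if (smb_lock->unlock) {
			if (fixed)
				free_node(smb_lock);                 /* fix: one free site before the rc check */
			if (rc == -ENOENT)
				goto out;                            /* case 2: STATUS_NOT_LOCKED */
			if (!fixed)
				free_node(smb_lock);                 /* original free site, skipped by the goto */
		} else if (!rc) {
			smb_lock->next = rollback_list;          /* granted: keep for rollback */
			rollback_list = smb_lock;
		} else {
			if (fixed)
				free_node(smb_lock);                 /* case 1: free before leaving */
			goto out;
		}
	}
	/* Success: the granted locks now belong to the open file; drop bookkeeping only. */
	while ((n = pop(&rollback_list)) != NULL)
		free_node(n);
	return finish(rc, 0);

out:
	while ((n = pop(&lock_list)) != NULL)            /* out: walks lock_list ... */
		free_node(n);
	while ((n = pop(&rollback_list)) != NULL) {      /* ... and rollback_list only */
		rlock = rollback_alloc_fails ? NULL : xalloc(sizeof *rlock);  /* smb_flock_init() */
		if (!fixed && !rlock)
			crashed = 1;                             /* case 3: kernel writes rlock->fl_type here */
		if (rlock) {                                 /* fix: guard the VFS unlock on rlock */
			/* vfs_lock_file(filp, 0, rlock, NULL) would release the lock here */
			xfree(rlock);                            /* locks_free_lock(rlock) */
		}
		free_node(n);
	}
	return finish(rc, crashed);
}
```

Running the unfixed variant with a failing second range (run_smb2_lock(0, -EIO, 0, 0)) leaves two objects live, the detached smb_lock and its flock; the fixed variant leaves none, and with rollback_alloc_fails set it reports no crash while still releasing the bookkeeping, which is exactly the trade the commit message describes for case 3.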

Affected Systems

Any Linux kernel that runs the ksmbd in-kernel SMB server without this fix. The initial CPE entry was the generic Linux kernel wildcard; the 27 Apr CPE update (see History) added entries for 5.15 (the release in which ksmbd was merged) and the 7.0 release candidates rc1 through rc7, and Debian has issued advisories for linux-6.1 (DLA-4561-1) and its current linux packages (DSA-6238-1, DSA-6243-1), so treat every stable and longterm series that carries ksmbd as affected until the distribution kernel includes the backport. Hosts that do not run ksmbd, for example those serving SMB with Samba's userspace smbd or not serving SMB at all, do not expose this code.

Risk and Exploitability

The CVSS 3.1 vector is AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (7.5): network reachable, availability impact only. EPSS is below 1%, the CVE is not in the CISA KEV catalog, and no public exploit has been reported. Reaching smb2_lock() means sending SMB2 LOCK requests against an open file handle, which in practice requires an established session and tree connect on a ksmbd share (credentials, unless guest access is enabled), so the practical exposure is SMB clients that can reach TCP/445 on a ksmbd host. Of the three defects, the two leaks need only an error return from vfs_lock_file() (a LOCK the VFS rejects, or an UNLOCK the VFS reports as not locked, the -ENOENT case) and can be repeated to exhaust kernel memory; the NULL dereference additionally needs an allocation failure. Treat it as an availability risk to any ksmbd host and prioritise the kernel update, with traffic restriction as the interim mitigation.

Generated by OpenCVE AI on April 28, 2026 at 08:15 UTC.

Remediation

The upstream fix is the commit titled "ksmbd: fix memory leaks and NULL deref in smb2_lock()" (see Description); distribution kernels carrying it are listed under Advisories (Debian DLA-4561-1, DSA-6238-1, DSA-6243-1). No workaround beyond not exposing the ksmbd server is provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that includes the commit "ksmbd: fix memory leaks and NULL deref in smb2_lock()" (for Debian, the kernels shipped in DLA-4561-1, DSA-6238-1 or DSA-6243-1).
  • Until then, if the host runs ksmbd, stop it or restrict TCP/445 at the host or network firewall to trusted client networks. Hosts that serve SMB through Samba's userspace smbd, or do not run ksmbd at all, are not exposed by this code path.
  • Before patching, treat kernel oopses with smb2_lock() in the backtrace, or steadily growing slab usage on an SMB-serving host, as possible signs of this bug. After patching, confirm the running kernel (uname -r) is the fixed version; the absence of crashes is not a confirmation.
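A triage helper for the second action above, added here as an example (not OpenCVE's or the kernel project's): it classifies a host from its lsmod and ss output so the update can be prioritised by actual exposure. The function ksmbd_state and the sample outputs are this example's own; the sample outputs are constructed, not captured from a real system.

```shell
# Added example, not OpenCVE's or the kernel project's: is the ksmbd code path
# exposed on this host? Only the in-kernel ksmbd server is affected; Samba's
# userspace smbd also listens on 445 but does not share this code.

# ksmbd_state LSMOD_OUTPUT SS_OUTPUT
# Prints one of: not-loaded | loaded-not-listening | listening
ksmbd_state() {
	lsmod_out=$1
	ss_out=$2
	# lsmod(8) prints "module size used_by"; a ksmbd built in with
	# CONFIG_SMB_SERVER=y does not appear here, so a 445 listener without
	# the module line still deserves a look at what owns the socket.
	if ! printf '%s\n' "$lsmod_out" | grep -q '^ksmbd[[:space:]]'; then
		echo not-loaded
		return 0
	fi
	# any listening TCP socket on port 445 (0.0.0.0:445, [::]:445 or *:445)
	if printf '%s\n' "$ss_out" | grep -Eq ':445[[:space:]]'; then
		echo listening
		return 0
	fi
	echo loaded-not-listening
}

# Live check on this host (ss from iproute2: -H no header, -l listening, -t tcp, -n numeric).
ksmbd_state_live() {
	ksmbd_state "$(lsmod 2>/dev/null)" "$(ss -Hltn 2>/dev/null)"
}

# Constructed sample outputs for an exposed host (not captured from a real system).
SAMPLE_LSMOD='Module                  Size  Used by
ksmbd                 516096  0
cifs                 1437696  0'
SAMPLE_SS='LISTEN 0      4096         0.0.0.0:22        0.0.0.0:*
LISTEN 0      50           0.0.0.0:445       0.0.0.0:*'
```

A host that reports "listening" is the one to patch first or to firewall on TCP/445 until the kernel is updated; "loaded-not-listening" still warrants the update, since the module can be configured to listen later.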

Generated by OpenCVE AI on April 28, 2026 at 08:15 UTC.

Tracking


Advisories
Source       ID           Title
Debian DLA   DLA-4561-1   linux-6.1 security update
Debian DSA   DSA-6238-1   linux security update
Debian DSA   DSA-6243-1   linux security update
History

Mon, 27 Apr 2026 23:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:o:linux:linux_kernel:5.15:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*

Mon, 27 Apr 2026 14:15:00 +0000

Type      Values Removed    Values Added
Metrics                     cvssV3_1
                            {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


Thu, 23 Apr 2026 00:15:00 +0000


Wed, 22 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Description (full text as in the Description section at the top of this page)
Title ksmbd: fix memory leaks and NULL deref in smb2_lock()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:09:29.536Z

Reserved: 2026-03-09T15:48:24.098Z

Link: CVE-2026-31477

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-04-22T14:16:44.440

Modified: 2026-04-27T23:24:22.547

Link: CVE-2026-31477

Redhat

Severity:

Published: 2026-04-22T00:00:00Z

Links: CVE-2026-31477 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-28T08:30:13Z

Weaknesses