Description
In the Linux kernel, the following vulnerability has been resolved:

smb: client: make use of smbdirect_socket.recv_io.credits.available

The logic off managing recv credits by counting posted recv_io and
granted credits is racy.

That's because the peer might already consumed a credit,
but between receiving the incoming recv at the hardware
and processing the completion in the 'recv_done' functions
we likely have a window where we grant credits, which
don't really exist.

So we better have a decicated counter for the
available credits, which will be incremented
when we posted new recv buffers and drained when
we grant the credits to the peer.
Published: 2026-04-24
Score: 4.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Service disruption
Action: Apply patch
AI Analysis

Impact

The vulnerability exists in the Linux kernel’s SMB client where the logic for handling receive credits uses a counter that is subject to a race between credit granting and credit consumption by the peer. The race condition arises because the code may grant credits that have already been consumed, creating a window where the server can be asked to provide more data than it authorized. Based on the description, it is inferred that this improper credit accounting could allow an attacker to cause the client to misbehave, potentially leading to a denial of service or other operational disruption. The weakness is identified as CWE-367, a race condition.

Affected Systems

Affected systems include any machine running a Linux kernel that incorporates the SMB client code before the kernel commit that introduced a dedicated counter for available credits. No specific kernel version numbers are listed, so essentially every Linux installation that has not yet applied the fix is potentially impacted.

Risk and Exploitability

The CVSS score of 4.7 indicates medium severity. The EPSS score is under 1%, showing a very low probability of exploitation at the time of this analysis. The vulnerability is not listed in CISA KEV. Based on the nature of this race, it is inferred that an attacker would need to send carefully timed SMB traffic to trigger the race window; practical exploitation would therefore require precise coordination, making attacks difficult but not theoretically impossible. Overall the risk remains significant due to potential service disruption, but the likelihood of exploitation is low.

Generated by OpenCVE AI on April 28, 2026 at 23:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a Linux kernel update that includes the fix for the race condition (CWE-367) in SMB client credit management.
  • If immediate kernel upgrade is not possible, disable SMB client functionality on the affected host or restrict SMB traffic using firewall rules to reduce exposure to the race window.
  • Enable verbose logging for SMB client operations so any anomalous credit grant behavior associated with the race condition can be detected early, allowing operators to respond before a full denial of service occurs.

Generated by OpenCVE AI on April 28, 2026 at 23:48 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 4.7, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H'}

Sat, 25 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-367
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate

Fri, 24 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: smb: client: make use of smbdirect_socket.recv_io.credits.available The logic off managing recv credits by counting posted recv_io and granted credits is racy. That's because the peer might already consumed a credit, but between receiving the incoming recv at the hardware and processing the completion in the 'recv_done' functions we likely have a window where we grant credits, which don't really exist. So we better have a decicated counter for the available credits, which will be incremented when we posted new recv buffers and drained when we grant the credits to the peer.
Title smb: client: make use of smbdirect_socket.recv_io.credits.available
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:10:39.307Z

Reserved: 2026-03-09T15:48:24.113Z

Link: CVE-2026-31535

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-04-24T15:16:27.427

Modified: 2026-04-28T19:14:33.727

Link: CVE-2026-31535

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-24T00:00:00Z

Links: CVE-2026-31535 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T00:00:13Z

Weaknesses