CVE-2026-31536 - Vulnerability Details

- smb: server: let send_done handle a completion without IB_SEND_SIGNALED

Description

In the Linux kernel, the following vulnerability has been resolved:

smb: server: let send_done handle a completion without IB_SEND_SIGNALED

With smbdirect_send_batch processing we likely have requests without
IB_SEND_SIGNALED, which will be destroyed in the final request
that has IB_SEND_SIGNALED set.

If the connection is broken all requests are signaled
even without explicit IB_SEND_SIGNALED.

Published: 2026-04-24

Score: 9.8 Critical

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The Linux kernel SMB server has a flaw where the function that finalizes data transmission, send_done, can be called for a request that lacks the IB_SEND_SIGNALED flag. In such a case the code mistakenly assumes the request will be cleaned up during the final flagged request. If an unflagged request is processed before a flagged one, the missing cleanup can corrupt kernel memory or crash the system, resulting in a denial of service. This bug is an instance of CWE-166, an improper use of a pointer or inadequate handling of a control flag.

Affected Systems

The vulnerability applies to all Linux kernel releases that include the SMB server component and have not incorporated the recent commit that fixes the send_done handling logic. No specific version ranges are enumerated in the advisory, so any kernel older than the patched state is potentially vulnerable.

Risk and Exploitability

With a CVSS score of 9.8 this flaw is classified as critical, yet the EPSS score of less than 1% suggests current exploitation activity is very low. The issue is not listed in the CISA KEV catalog. Based on the description, it is inferred that attackers could exploit the vulnerability by sending specially crafted SMB requests that trigger a send_done call without the IB_SEND_SIGNALED flag. The likely attack vector is through the SMB protocol, possibly by an attacker who can reach the SMB service on the target machine.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`0626e6641f6b467447c81dd7678a69c66f7746cf`	affected	< 24082642654f3e5149913946e89c00a297a8868f
`0626e6641f6b467447c81dd7678a69c66f7746cf`	affected	< e38b415c024bc3b6321bf8650dbf3f4aab8e74b3
`0626e6641f6b467447c81dd7678a69c66f7746cf`	affected	< 9da82dc73cb03e85d716a2609364572367a5ff47

Linux

affected

Version	Status	Constraints
`5.15`	affected	—
`0`	unaffected	< 5.15
`6.18.11`	unaffected	≤ 6.18.*
`6.19.1`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[0626e6641f6b467447c81dd7678a69c66f7746cf,24082642654f3e5149913946e89c00a297a8868f)`	affected	code_commit	—
`[0626e6641f6b467447c81dd7678a69c66f7746cf,e38b415c024bc3b6321bf8650dbf3f4aab8e74b3)`	affected	code_commit	—
`[0626e6641f6b467447c81dd7678a69c66f7746cf,9da82dc73cb03e85d716a2609364572367a5ff47)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`5.15`	affected	generic	—
`[0,5.15)`	unaffected	generic	—
`[6.18.11,6.19.0)`	unaffected	semver	—
`[6.19.1,6.20.0)`	unaffected	semver	—
`[7.0,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the kernel patch from the commit that fixes the send_done handling flaw and reboot the system.
Restart SMB services (e.g., smbd, nmbd) after the kernel update to ensure the fix is in effect.
If SMB is not required, disable the SMB server or block SMB traffic on the network as a temporary mitigation.

Generated by OpenCVE AI on April 28, 2026 at 23:48 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00053.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/24082642654f3e5149913946e89c00a297a8868f
https://git.kernel.org/stable/c/9da82dc73cb03e85d716a2609364572367a5ff47
https://git.kernel.org/stable/c/e38b415c024bc3b6321bf8650dbf3f4aab8e74b3
https://lore.kernel.org/linux-cve-announce/2026042433-CVE-2026-31536-d7cc@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-31536
https://www.cve.org/CVERecord?id=CVE-2026-31536

History

Tue, 28 Apr 2026 19:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		NVD-CWE-noinfo

Mon, 27 Apr 2026 15:00:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}`

Sat, 25 Apr 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-166
References		https://lore.kernel.org/linux-cve-announce/2026042433-CVE-2026-31536-d7cc@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-31536 https://www.cve.org/CVERecord?id=CVE-2026-31536

Fri, 24 Apr 2026 15:00:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: smb: server: let send_done handle a completion without IB_SEND_SIGNALED With smbdirect_send_batch processing we likely have requests without IB_SEND_SIGNALED, which will be destroyed in the final request that has IB_SEND_SIGNALED set. If the connection is broken all requests are signaled even without explicit IB_SEND_SIGNALED.
Title		smb: server: let send_done handle a completion without IB_SEND_SIGNALED
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/24082642654f3e5149913946e89c00a297a8868f https://git.kernel.org/stable/c/9da82dc73cb03e85d716a2609364572367a5ff47 https://git.kernel.org/stable/c/e38b415c024bc3b6321bf8650dbf3f4aab8e74b3

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-04-24T14:30:24.224Z

Updated: 2026-05-11T22:10:40.525Z

Reserved: 2026-03-09T15:48:24.113Z

Link: CVE-2026-31536

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-04-24T15:16:27.530

Modified: 2026-04-28T19:10:25.500

Link: CVE-2026-31536

Redhat

Severity :

Publid Date: 2026-04-24T00:00:00Z

Links: CVE-2026-31536 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-29T00:00:13Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object