CVE-2026-31537 - Vulnerability Details

- smb: server: make use of smbdirect_socket.send_io.bcredits

Description

In the Linux kernel, the following vulnerability has been resolved:

smb: server: make use of smbdirect_socket.send_io.bcredits

It turns out that our code will corrupt the stream of
reassabled data transfer messages when we trigger an
immendiate (empty) send.

In order to fix this we'll have a single 'batch' credit per
connection. And code getting that credit is free to use
as much messages until remaining_length reaches 0, then
the batch credit it given back and the next logical send can
happen.

Published: 2026-04-24

Score: 5.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

An improper handling of the SMBDIRECT socket credit counter in the Linux kernel can corrupt the stream of data transfer messages when an empty immediate send is performed. The bug manifests as a loss of data integrity in SMB traffic, potentially causing downtime or erratic behavior for clients communicating with the affected SMB server. The underlying weakness is a failure to correctly validate or manage buffer credits, which aligns with the CWE-821 classification of inadequate bounds checking.

Affected Systems

All Linux kernel builds that have not yet applied the fix for CVE-2026-31537 are susceptible. The exact kernel versions impacted are not listed in the CVE data; the remedy is referenced in the commit logs linked in the advisory. System administrators should review their kernel version and upgrade to a patched release where the smbdirect_socket.send_io.bcredits logic has been corrected.

Risk and Exploitability

The EPSS score for this vulnerability is reported as < 1%, indicating a very low probability of exploitation in real‑world scenarios, and it is not listed in the CISA KEV catalog. The CVSS score is 5.5, indicating moderate severity. The defect resides at the SMB protocol handling layer of the kernel, so an attacker would need network access to an exposed SMB service to trigger the corrupting send. Although the impact could be a denial of service or data corruption, the combination of the low EPSS, lack of a known exploit, and the requirement for a crafted SMB packet suggests a moderate but not immediate threat. Patching remains the recommended countermeasure.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`0626e6641f6b467447c81dd7678a69c66f7746cf`	affected	< 5ef18a2e66f2f33fdac64437bddfb9fe6389fdc7
`0626e6641f6b467447c81dd7678a69c66f7746cf`	affected	< 79242e7b6bc63efec28b7c235bc320806afce6c0
`0626e6641f6b467447c81dd7678a69c66f7746cf`	affected	< 34abd408c8ba24d7c97bd02ba874d8c714f49db1

Linux

affected

Version	Status	Constraints
`5.15`	affected	—
`0`	unaffected	< 5.15
`6.18.11`	unaffected	≤ 6.18.*
`6.19.1`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[0626e6641f6b467447c81dd7678a69c66f7746cf,5ef18a2e66f2f33fdac64437bddfb9fe6389fdc7)`	affected	code_commit	—
`[0626e6641f6b467447c81dd7678a69c66f7746cf,79242e7b6bc63efec28b7c235bc320806afce6c0)`	affected	code_commit	—
`[0626e6641f6b467447c81dd7678a69c66f7746cf,34abd408c8ba24d7c97bd02ba874d8c714f49db1)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`5.15`	affected	generic	—
`[0,5.15)`	unaffected	generic	—
`[6.18.11,6.19.0)`	unaffected	semver	—
`[6.19.1,6.20.0)`	unaffected	semver	—
`[7.0,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the kernel to a version that includes the smbdirect_socket.send_io.bcredits fix (see the commit references in the advisory).
If an immediate kernel upgrade cannot be performed, temporarily disable SMB services or block SMB traffic at the perimeter firewall to prevent exploitation.
After applying the fix or workaround, monitor SMB connections for anomalous activity and ensure related SMB code paths are also free of remaining buffer‑management bugs.

Generated by OpenCVE AI on April 28, 2026 at 23:47 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00013.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/34abd408c8ba24d7c97bd02ba874d8c714f49db1
https://git.kernel.org/stable/c/5ef18a2e66f2f33fdac64437bddfb9fe6389fdc7
https://git.kernel.org/stable/c/79242e7b6bc63efec28b7c235bc320806afce6c0
https://lore.kernel.org/linux-cve-announce/2026042434-CVE-2026-31537-6202@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-31537
https://www.cve.org/CVERecord?id=CVE-2026-31537

History

Tue, 28 Apr 2026 19:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		NVD-CWE-noinfo
Metrics		cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}`

Sat, 25 Apr 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-821
References		https://lore.kernel.org/linux-cve-announce/2026042434-CVE-2026-31537-6202@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-31537 https://www.cve.org/CVERecord?id=CVE-2026-31537

Fri, 24 Apr 2026 15:00:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: smb: server: make use of smbdirect_socket.send_io.bcredits It turns out that our code will corrupt the stream of reassabled data transfer messages when we trigger an immendiate (empty) send. In order to fix this we'll have a single 'batch' credit per connection. And code getting that credit is free to use as much messages until remaining_length reaches 0, then the batch credit it given back and the next logical send can happen.
Title		smb: server: make use of smbdirect_socket.send_io.bcredits
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/34abd408c8ba24d7c97bd02ba874d8c714f49db1 https://git.kernel.org/stable/c/5ef18a2e66f2f33fdac64437bddfb9fe6389fdc7 https://git.kernel.org/stable/c/79242e7b6bc63efec28b7c235bc320806afce6c0

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-04-24T14:30:24.907Z

Updated: 2026-05-11T22:10:41.629Z

Reserved: 2026-03-09T15:48:24.113Z

Link: CVE-2026-31537

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-04-24T15:16:27.633

Modified: 2026-04-28T19:09:04.870

Link: CVE-2026-31537

Redhat

Severity :

Publid Date: 2026-04-24T00:00:00Z

Links: CVE-2026-31537 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-29T00:00:13Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object