CVE-2026-31538 - Vulnerability Details

- smb: server: make use of smbdirect_socket.recv_io.credits.available

Description

In the Linux kernel, the following vulnerability has been resolved:

smb: server: make use of smbdirect_socket.recv_io.credits.available

The logic off managing recv credits by counting posted recv_io and
granted credits is racy.

That's because the peer might already consumed a credit,
but between receiving the incoming recv at the hardware
and processing the completion in the 'recv_done' functions
we likely have a window where we grant credits, which
don't really exist.

So we better have a decicated counter for the
available credits, which will be incremented
when we posted new recv buffers and drained when
we grant the credits to the peer.

This fixes regression Namjae reported with
the 6.18 release.

Published: 2026-04-24

Score: 7.5 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability arises from a race condition in the Linux kernel’s SMB server when managing receive credits. The counter that tracks posted receive buffers and granted credits is not isolated, so a peer could consume a credit while the kernel is still processing the previous receive. During the brief window where the kernel grants additional credits before the initial grant has been fully accounted for, the available credit count can temporarily exceed the number of actually posted buffers. This inconsistency may lead the SMB server to believe it has more credits than it actually does, which can result in the service using more resources than intended and potentially causing a denial of service.

Affected Systems

The issue is present in the SMB server code of the Linux kernel itself; it is not confined to a specific distribution. All kernel releases that include the current SMB implementation before the patch – including those preceding version 6.18 – are affected unless the system’s kernel has been upgraded to a version that incorporates the indicated fix. The vulnerability affects all architectures supported by the Linux kernel’s SMB stack.

Risk and Exploitability

The CVSS score of 7.5 places this flaw in the high severity range. An EPSS score of below 1 % indicates that the probability of real‑world exploitation is currently low. The flaw can be triggered via normal SMB traffic from any network host that can reach the SMB server provided by the kernel. The likely attack vector is a remote SMB request, inferred from the description that the vulnerability is activated by SMB traffic. As it is not listed in the CISA KEV catalog, no large‑scale active exploitation is known. However, the potential for denial of service warrants prompt attention.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`89b021a72663c4d96d8a8b85272bb42d991a1c6f`	affected	< 66c082e3d4651e8629a393a9e182b01eb50fb0a3
`89b021a72663c4d96d8a8b85272bb42d991a1c6f`	affected	< 809cbd31aa4f87a1b889532244c9cf30eb022385
`89b021a72663c4d96d8a8b85272bb42d991a1c6f`	affected	< 26ad87a2cfb8c1384620d1693a166ed87303046e

Linux

affected

Version	Status	Constraints
`6.18`	affected	—
`0`	unaffected	< 6.18
`6.18.11`	unaffected	≤ 6.18.*
`6.19.1`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[89b021a72663c4d96d8a8b85272bb42d991a1c6f,66c082e3d4651e8629a393a9e182b01eb50fb0a3)`	affected	code_commit	—
`[89b021a72663c4d96d8a8b85272bb42d991a1c6f,809cbd31aa4f87a1b889532244c9cf30eb022385)`	affected	code_commit	—
`[89b021a72663c4d96d8a8b85272bb42d991a1c6f,26ad87a2cfb8c1384620d1693a166ed87303046e)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`6.18`	affected	generic	—
`[0,6.18)`	unaffected	generic	—
`[6.18.11,6.19.0)`	unaffected	semver	—
`[6.19.1,6.20.0)`	unaffected	semver	—
`[7.0,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the kernel to a release that includes the SMB receive‑credit race condition fix
Disable SMB1 and other legacy SMB protocols to reduce exposure
Configure firewall or network segmentation to limit SMB traffic to trusted hosts or internal network

Generated by OpenCVE AI on April 28, 2026 at 23:47 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00054.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/26ad87a2cfb8c1384620d1693a166ed87303046e
https://git.kernel.org/stable/c/66c082e3d4651e8629a393a9e182b01eb50fb0a3
https://git.kernel.org/stable/c/809cbd31aa4f87a1b889532244c9cf30eb022385
https://lore.kernel.org/linux-cve-announce/2026042434-CVE-2026-31538-a6f7@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-31538
https://www.cve.org/CVERecord?id=CVE-2026-31538

History

Tue, 28 Apr 2026 19:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		NVD-CWE-Other

Tue, 28 Apr 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-821
References		https://lore.kernel.org/linux-cve-announce/2026042434-CVE-2026-31538-a6f7@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-31538 https://www.cve.org/CVERecord?id=CVE-2026-31538

Mon, 27 Apr 2026 15:00:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}`

Fri, 24 Apr 2026 15:00:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: smb: server: make use of smbdirect_socket.recv_io.credits.available The logic off managing recv credits by counting posted recv_io and granted credits is racy. That's because the peer might already consumed a credit, but between receiving the incoming recv at the hardware and processing the completion in the 'recv_done' functions we likely have a window where we grant credits, which don't really exist. So we better have a decicated counter for the available credits, which will be incremented when we posted new recv buffers and drained when we grant the credits to the peer. This fixes regression Namjae reported with the 6.18 release.
Title		smb: server: make use of smbdirect_socket.recv_io.credits.available
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/26ad87a2cfb8c1384620d1693a166ed87303046e https://git.kernel.org/stable/c/66c082e3d4651e8629a393a9e182b01eb50fb0a3 https://git.kernel.org/stable/c/809cbd31aa4f87a1b889532244c9cf30eb022385

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-04-24T14:30:25.598Z

Updated: 2026-05-11T22:10:42.884Z

Reserved: 2026-03-09T15:48:24.113Z

Link: CVE-2026-31538

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-04-24T15:16:27.740

Modified: 2026-04-28T18:59:51.320

Link: CVE-2026-31538

Redhat

Severity :

Publid Date: 2026-04-24T00:00:00Z

Links: CVE-2026-31538 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-29T00:00:13Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object