CVE-2026-31539 - Vulnerability Details

- smb: smbdirect: introduce smbdirect_socket.recv_io.credits.available

Description

In the Linux kernel, the following vulnerability has been resolved:

smb: smbdirect: introduce smbdirect_socket.recv_io.credits.available

The logic off managing recv credits by counting posted recv_io and
granted credits is racy.

That's because the peer might already consumed a credit,
but between receiving the incoming recv at the hardware
and processing the completion in the 'recv_done' functions
we likely have a window where we grant credits, which
don't really exist.

So we better have a decicated counter for the
available credits, which will be incremented
when we posted new recv buffers and drained when
we grant the credits to the peer.

Published: 2026-04-24

Score: 7.5 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The flaw is a race condition in the Linux kernel’s SMB Direct implementation, where the module mishandles the tracking of receive credits. It may grant credits that have already been consumed by a peer, potentially leading to resource exhaustion or incorrect data handling. The weakness is classified as a race condition (CWE‑821).

Affected Systems

All Linux kernels that ship SMB Direct support, across all distributions, are potentially affected. No specific version range is listed, so any kernel lacking the fix commits remains vulnerable.

Risk and Exploitability

With a CVSS score of 7.5 the vulnerability is considered high severity, however the EPSS score of less than 1 % indicates a low probability of exploitation. It is not currently listed in the CISA KEV catalog. An attacker would need to interact with the SMB Direct protocol on a target system, likely from the network, to exploit the race window and stress the connection or cause a denial of service.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`5fb9b459b3686e366640edd4e62805ef7b4de927`	affected	< e811e60e1cc79923c4388146eb1fa26a7482731e
`5fb9b459b3686e366640edd4e62805ef7b4de927`	affected	< f99996870222b598914a1f49d7375dc23752c237
`5fb9b459b3686e366640edd4e62805ef7b4de927`	affected	< 6e3c5052f9686192e178806e017b7377155f4bab

Linux

affected

Version	Status	Constraints
`6.18`	affected	—
`0`	unaffected	< 6.18
`6.18.11`	unaffected	≤ 6.18.*
`6.19.1`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[5fb9b459b3686e366640edd4e62805ef7b4de927,e811e60e1cc79923c4388146eb1fa26a7482731e)`	affected	code_commit	—
`[5fb9b459b3686e366640edd4e62805ef7b4de927,f99996870222b598914a1f49d7375dc23752c237)`	affected	code_commit	—
`[5fb9b459b3686e366640edd4e62805ef7b4de927,6e3c5052f9686192e178806e017b7377155f4bab)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`6.18`	affected	generic	—
`[0,6.18)`	unaffected	generic	—
`[6.18.11,6.19.0)`	unaffected	semver	—
`[6.19.1,6.20.0)`	unaffected	semver	—
`[7.0,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update to a Linux kernel release that includes the SMB Direct receive‑credit fix (e.g., apply the patch containing the commit that introduces smbdirect_socket.recv_io.credits.available counter).
If an immediate kernel upgrade is not possible, recompile the kernel with SMB Direct support disabled (CONFIG_SMB_DIRECT=y disabled) or set any available kernel boot parameters that limit SMB Direct operation until the patch is applied.
Monitor SMB traffic for abnormal credit or error patterns, and apply network segmentation or firewall rules to restrict SMB Direct traffic to trusted hosts as an interim protective measure.

Generated by OpenCVE AI on April 29, 2026 at 01:42 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00054.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/6e3c5052f9686192e178806e017b7377155f4bab
https://git.kernel.org/stable/c/e811e60e1cc79923c4388146eb1fa26a7482731e
https://git.kernel.org/stable/c/f99996870222b598914a1f49d7375dc23752c237
https://lore.kernel.org/linux-cve-announce/2026042434-CVE-2026-31539-fe1a@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-31539
https://www.cve.org/CVERecord?id=CVE-2026-31539

History

Tue, 28 Apr 2026 19:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		NVD-CWE-noinfo

Mon, 27 Apr 2026 15:00:00 +0000

Type	Values Removed	Values Added
Metrics	cvssV3_1 `{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}`	cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}`

Sat, 25 Apr 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-821
References		https://lore.kernel.org/linux-cve-announce/2026042434-CVE-2026-31539-fe1a@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-31539 https://www.cve.org/CVERecord?id=CVE-2026-31539
Metrics	threat_severity `None`	cvssV3_1 `{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}` threat_severity `Moderate`

Fri, 24 Apr 2026 15:00:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: smb: smbdirect: introduce smbdirect_socket.recv_io.credits.available The logic off managing recv credits by counting posted recv_io and granted credits is racy. That's because the peer might already consumed a credit, but between receiving the incoming recv at the hardware and processing the completion in the 'recv_done' functions we likely have a window where we grant credits, which don't really exist. So we better have a decicated counter for the available credits, which will be incremented when we posted new recv buffers and drained when we grant the credits to the peer.
Title		smb: smbdirect: introduce smbdirect_socket.recv_io.credits.available
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/6e3c5052f9686192e178806e017b7377155f4bab https://git.kernel.org/stable/c/e811e60e1cc79923c4388146eb1fa26a7482731e https://git.kernel.org/stable/c/f99996870222b598914a1f49d7375dc23752c237

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-04-24T14:30:26.326Z

Updated: 2026-05-11T22:10:44.030Z

Reserved: 2026-03-09T15:48:24.114Z

Link: CVE-2026-31539

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-04-24T15:16:27.843

Modified: 2026-04-28T18:54:11.557

Link: CVE-2026-31539

Redhat

Severity : Moderate

Publid Date: 2026-04-24T00:00:00Z

Links: CVE-2026-31539 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-29T01:45:26Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object