Description
In the Linux kernel, the following vulnerability has been resolved:

smb: server: fix active_num_conn leak on transport allocation failure

Commit 77ffbcac4e56 ("smb: server: fix leak of active_num_conn in
ksmbd_tcp_new_connection()") addressed the kthread_run() failure
path. The earlier alloc_transport() == NULL path in the same
function has the same leak, is reachable pre-authentication via any
TCP connect to port 445, and was empirically reproduced on UML
(ARCH=um, v7.0-rc7): a small number of forced allocation failures
were sufficient to put ksmbd into a state where every subsequent
connection attempt was rejected for the remainder of the boot.

ksmbd_kthread_fn() increments active_num_conn before calling
ksmbd_tcp_new_connection() and discards the return value, so when
alloc_transport() returns NULL the socket is released and -ENOMEM
returned without decrementing the counter. Each such failure
permanently consumes one slot from the max_connections pool; once
cumulative failures reach the cap, atomic_inc_return() hits the
threshold on every subsequent accept and every new connection is
rejected. The counter is only reset by module reload.

An unauthenticated remote attacker can drive the server toward the
memory pressure that makes alloc_transport() fail by holding open
connections with large RFC1002 lengths up to MAX_STREAM_PROT_LEN
(0x00FFFFFF); natural transient allocation failures on a loaded
host produce the same drift more slowly.

Mirror the existing rollback pattern in ksmbd_kthread_fn(): on the
alloc_transport() failure path, decrement active_num_conn gated on
server_conf.max_connections.

Repro details: with the patch reverted, forced alloc_transport()
NULL returns leaked counter slots and subsequent connection
attempts -- including legitimate connects issued after the
forced-fail window had closed -- were all rejected with "Limit the
maximum number of connections". With this patch applied, the same
connect sequence produces no rejections and the counter cycles
cleanly between zero and one on every accept.
Published: 2026-05-01
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a resource exhaustion flaw in the Linux kernel’s SMB server (ksmbd), identified as CWE-911 and CWE-401. When a transport allocation fails during a new connection, the active connection counter is incremented but never decremented, causing that slot to be permanently lost. Repeated failures eventually exhaust the connection pool, after which every subsequent connection, including legitimate ones, is rejected with a “Limit the maximum number of connections” error, leading to a denial‑of‑service of the SMB service until the kernel module is reloaded or the system rebooted.

Affected Systems

All Linux systems that contain the ksmbd SMB server component in the kernel are affected. No specific kernel version range is listed, so any kernel build that lacks the commit that fixes the active_num_conn leak is vulnerable.

Risk and Exploitability

The CVSS score of 7.5 indicates a medium‑to‑high severity flaw. An unauthenticated attacker can trigger the vulnerability by opening TCP connections to port 445 and sending large packets that force allocation failures. The flaw leads to a permanent resource leak that exhausts the connection pool, after which legitimate connections are refused until the ksmbd module is reloaded or the system is rebooted, effectively denying SMB service. Although exploitation is technically possible, the EPSS score of < 1% indicates that in practice this vulnerability is likely to be exploited rarely; the issue is not listed in CISA KEV.

Generated by OpenCVE AI on May 6, 2026 at 21:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that includes the commit that fixes the active_num_conn leak in ksmbd.
  • If a reboot is not feasible, reload the ksmbd kernel module to reset the active_num_conn counter and restore service temporarily.
  • Configure firewall or host‑based limits to restrict the number of simultaneous connections to TCP port 445, thereby reducing the opportunity for an attacker to trigger allocation failures before the patch is applied.

Generated by OpenCVE AI on May 6, 2026 at 21:44 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 06 May 2026 20:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-401
CPEs cpe:2.3:o:linux:linux_kernel:6.2:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.2:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.2:rc7:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.2:rc8:*:*:*:*:*:*

Sun, 03 May 2026 06:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Sat, 02 May 2026 11:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-400

Sat, 02 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-911
References

Sat, 02 May 2026 00:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-400

Fri, 01 May 2026 14:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: smb: server: fix active_num_conn leak on transport allocation failure Commit 77ffbcac4e56 ("smb: server: fix leak of active_num_conn in ksmbd_tcp_new_connection()") addressed the kthread_run() failure path. The earlier alloc_transport() == NULL path in the same function has the same leak, is reachable pre-authentication via any TCP connect to port 445, and was empirically reproduced on UML (ARCH=um, v7.0-rc7): a small number of forced allocation failures were sufficient to put ksmbd into a state where every subsequent connection attempt was rejected for the remainder of the boot. ksmbd_kthread_fn() increments active_num_conn before calling ksmbd_tcp_new_connection() and discards the return value, so when alloc_transport() returns NULL the socket is released and -ENOMEM returned without decrementing the counter. Each such failure permanently consumes one slot from the max_connections pool; once cumulative failures reach the cap, atomic_inc_return() hits the threshold on every subsequent accept and every new connection is rejected. The counter is only reset by module reload. An unauthenticated remote attacker can drive the server toward the memory pressure that makes alloc_transport() fail by holding open connections with large RFC1002 lengths up to MAX_STREAM_PROT_LEN (0x00FFFFFF); natural transient allocation failures on a loaded host produce the same drift more slowly. Mirror the existing rollback pattern in ksmbd_kthread_fn(): on the alloc_transport() failure path, decrement active_num_conn gated on server_conf.max_connections. Repro details: with the patch reverted, forced alloc_transport() NULL returns leaked counter slots and subsequent connection attempts -- including legitimate connects issued after the forced-fail window had closed -- were all rejected with "Limit the maximum number of connections". With this patch applied, the same connect sequence produces no rejections and the counter cycles cleanly between zero and one on every accept.
Title smb: server: fix active_num_conn leak on transport allocation failure
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-23T16:05:46.978Z

Reserved: 2026-03-09T15:48:24.133Z

Link: CVE-2026-31711

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-05-01T14:16:21.150

Modified: 2026-05-06T20:18:32.077

Link: CVE-2026-31711

cve-icon Redhat

Severity :

Publid Date: 2026-05-01T00:00:00Z

Links: CVE-2026-31711 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-06T21:45:13Z

Weaknesses