CVE-2026-31717 - Vulnerability Details

- ksmbd: validate owner of durable handle on reconnect

Description

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: validate owner of durable handle on reconnect

Currently, ksmbd does not verify if the user attempting to reconnect
to a durable handle is the same user who originally opened the file.
This allows any authenticated user to hijack an orphaned durable handle
by predicting or brute-forcing the persistent ID.

According to MS-SMB2, the server MUST verify that the SecurityContext
of the reconnect request matches the SecurityContext associated with
the existing open.
Add a durable_owner structure to ksmbd_file to store the original opener's
UID, GID, and account name. and catpure the owner information when a file
handle becomes orphaned. and implementing ksmbd_vfs_compare_durable_owner()
to validate the identity of the requester during SMB2_CREATE (DHnC).

Published: 2026-05-01

Score: 8.8 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The ksmbd daemon in the Linux kernel does not check that a user reconnecting to a durable handle is the original opener. Because of this, an authenticated user who can predict or brute‑force the persistent identifier could hijack an orphaned handle, gaining access to files opened by another user. This flaw is classified as CWE‑708, indicating a user impersonation weakness.

Affected Systems

Any Linux installation running an unpatched mainline kernel that ships with the ksmbd module is affected. Versions prior to the commit that added the durable_owner structure and the ksmbd_vfs_compare_durable_owner validation are vulnerable. All distributions that include those kernel releases without the patch are potentially impacted.

Risk and Exploitability

The CVSS score of 8.8 signifies a high severity. With an EPSS score of less than 1% and no listing in CISA’s KEV catalog, there is no evidence of public exploitation. Attackers would need authenticated SMB access and the ability to use durable handles; it is inferred that brute‑forcing the persistent ID is a likely method to hijack a handle, but this inference comes from the description of the vulnerability and is not directly described in the advisory.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`c8efcc786146a951091588e5fa7e3c754850cb3c`	affected	< 00ce8d6789dae72d042a4522264964c72891ca37
`c8efcc786146a951091588e5fa7e3c754850cb3c`	affected	< c908c853f304a4969b5aa10eba0b50350cc65b80
`c8efcc786146a951091588e5fa7e3c754850cb3c`	affected	< 49110a8ce654bbe56bef7c5e44cce31f4b102b8a
`8df4bcdb0a4232192b2445256c39b787d58ef14d`	affected	—
`6.6.32`	affected	< 6.7

Linux

affected

Version	Status	Constraints
`6.9`	affected	—
`0`	unaffected	< 6.9
`6.18.25`	unaffected	≤ 6.18.*
`7.0.2`	unaffected	≤ 7.0.*
`7.1-rc1`	unaffected	≤ *

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel:7.1:rc1::::::

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[c8efcc786146a951091588e5fa7e3c754850cb3c,00ce8d6789dae72d042a4522264964c72891ca37)`	affected	code_commit	—
`[c8efcc786146a951091588e5fa7e3c754850cb3c,c908c853f304a4969b5aa10eba0b50350cc65b80)`	affected	code_commit	—
`[c8efcc786146a951091588e5fa7e3c754850cb3c,49110a8ce654bbe56bef7c5e44cce31f4b102b8a)`	affected	code_commit	—
`8df4bcdb0a4232192b2445256c39b787d58ef14d`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`6.9`	affected	generic	—
`[0,6.9)`	unaffected	generic	—
`[6.18.25,6.19.0)`	unaffected	semver	—
`[7.0.2,7.1.0)`	unaffected	semver	—
`[7.1-rc1,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Install the latest Linux kernel version that contains the ksmbd patch and the durable_owner validation
If a kernel update cannot be performed immediately, configure ksmbd to disable durable handles or set the appropriate kernel parameter to reject orphaned durable handles
As a temporary measure, stop the ksmbd service to eliminate the attack surface while awaiting a kernel update

Generated by OpenCVE AI on May 6, 2026 at 23:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00045.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/00ce8d6789dae72d042a4522264964c72891ca37
https://git.kernel.org/stable/c/49110a8ce654bbe56bef7c5e44cce31f4b102b8a
https://git.kernel.org/stable/c/c908c853f304a4969b5aa10eba0b50350cc65b80
https://lore.kernel.org/linux-cve-announce/2026050124-CVE-2026-31717-f68b@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-31717
https://www.cve.org/CVERecord?id=CVE-2026-31717

History

Wed, 06 May 2026 21:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		NVD-CWE-noinfo
CPEs		cpe:2.3:o:linux:linux_kernel:7.1:rc1::::::

Sun, 03 May 2026 06:30:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}`

Sat, 02 May 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-708
References		https://lore.kernel.org/linux-cve-announce/2026050124-CVE-2026-31717-f68b@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-31717 https://www.cve.org/CVERecord?id=CVE-2026-31717

Fri, 01 May 2026 14:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: ksmbd: validate owner of durable handle on reconnect Currently, ksmbd does not verify if the user attempting to reconnect to a durable handle is the same user who originally opened the file. This allows any authenticated user to hijack an orphaned durable handle by predicting or brute-forcing the persistent ID. According to MS-SMB2, the server MUST verify that the SecurityContext of the reconnect request matches the SecurityContext associated with the existing open. Add a durable_owner structure to ksmbd_file to store the original opener's UID, GID, and account name. and catpure the owner information when a file handle becomes orphaned. and implementing ksmbd_vfs_compare_durable_owner() to validate the identity of the requester during SMB2_CREATE (DHnC).
Title		ksmbd: validate owner of durable handle on reconnect
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/00ce8d6789dae72d042a4522264964c72891ca37 https://git.kernel.org/stable/c/49110a8ce654bbe56bef7c5e44cce31f4b102b8a https://git.kernel.org/stable/c/c908c853f304a4969b5aa10eba0b50350cc65b80

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-01T13:56:12.012Z

Updated: 2026-05-23T16:05:49.035Z

Reserved: 2026-03-09T15:48:24.134Z

Link: CVE-2026-31717

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-05-01T14:16:21.860

Modified: 2026-05-06T21:08:51.140

Link: CVE-2026-31717

Redhat

Severity :

Publid Date: 2026-05-01T00:00:00Z

Links: CVE-2026-31717 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-06T23:15:17Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object