Description
In the Linux kernel, the following vulnerability has been resolved:

ksmbd: validate owner of durable handle on reconnect

Currently, ksmbd does not verify if the user attempting to reconnect
to a durable handle is the same user who originally opened the file.
This allows any authenticated user to hijack an orphaned durable handle
by predicting or brute-forcing the persistent ID.

According to MS-SMB2, the server MUST verify that the SecurityContext
of the reconnect request matches the SecurityContext associated with
the existing open.

Add a durable_owner structure to ksmbd_file to store the original opener's
UID, GID, and account name, capture the owner information when a file
handle becomes orphaned, and implement ksmbd_vfs_compare_durable_owner()
to validate the identity of the requester during SMB2_CREATE (DHnC).
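
The check described above, as an added userspace sketch that is not the kernel patch or ksmbd code: it models an orphaned durable open, the reconnect that accepts a persistent ID alone, and the reconnect that also compares the stored UID, GID and account name. Apart from the name durable_owner, all identifiers and the sample identities are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Userspace model, not kernel code. Only the name durable_owner comes from
 * the commit message; every other identifier here is hypothetical. */
struct durable_owner { uint32_t uid, gid; char name[32]; };
struct model_session { uint32_t uid, gid; const char *name; };
struct model_open {
    uint64_t persistent_id;      /* value the client presents on reconnect */
    bool orphaned;               /* client gone, handle kept for reconnect */
    struct durable_owner owner;  /* captured when the handle is orphaned */
};

static void model_orphan(struct model_open *fp, const struct model_session *s)
{
    fp->owner.uid = s->uid;
    fp->owner.gid = s->gid;
    snprintf(fp->owner.name, sizeof(fp->owner.name), "%s", s->name);
    fp->orphaned = true;
}

/* Behaviour the description reports as the bug: the ID alone is enough. */
static bool reconnect_unchecked(const struct model_open *fp, uint64_t id)
{
    return fp->orphaned && fp->persistent_id == id;
}

/* Behaviour after the fix: UID, GID and account name must all match. */
static bool reconnect_checked(const struct model_open *fp, uint64_t id,
                              const struct model_session *s)
{
    if (!reconnect_unchecked(fp, id))
        return false;
    return fp->owner.uid == s->uid && fp->owner.gid == s->gid &&
           strcmp(fp->owner.name, s->name) == 0;
}

/* Constructed scenario: "alice" (1000:1000) orphans open 42, then the
 * given identity presents the same persistent ID. */
static bool model_reconnect(bool hardened, uint32_t uid, uint32_t gid, const char *name)
{
    struct model_session alice = { 1000, 1000, "alice" }, req = { uid, gid, name };
    struct model_open fp = { .persistent_id = 42 };
    model_orphan(&fp, &alice);
    return hardened ? reconnect_checked(&fp, 42, &req) : reconnect_unchecked(&fp, 42);
}

int main(void)
{
    printf("other user, unchecked: %d\n", model_reconnect(false, 1001, 1001, "mallory"));
    printf("other user, checked:   %d\n", model_reconnect(true, 1001, 1001, "mallory"));
    return 0;
}
```

In the model a reconnect fails closed whenever any of the three stored fields differs, including a matching account name presented under a different UID.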
Published: 2026-05-01
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel’s ksmbd daemon does not verify that the user reconnecting to a durable handle is the original owner of that open. This flaw allows any authenticated user to predict or brute‑force the persistent identifier and hijack an orphaned durable handle, granting them access to the protected file’s contents or the ability to alter it. The defect is a CWE‑708 vulnerability and could be exploited to gain unauthorized access to files via SMBv2.

Affected Systems

The vulnerability exists in any Linux installation running an unpatched version of the mainline kernel that contains the ksmbd module. All distributions that ship a kernel without the durable_owner structure and the ksmbd_vfs_compare_durable_owner validation are potentially affected. The fix is provided upstream; users should check against the commit referenced in the supplied Git links.

Risk and Exploitability

No EPSS score is available and the issue is not listed in CISA’s KEV catalog, so a quantified severity is not provided. Attacks require authenticated SMB access and the ability to use durable handles. No public exploits are reported, but because an adversary can brute-force the persistent ID, the flaw is technically exploitable with moderate effort in environments where durable handles are used for long-lived file sessions.

Generated by OpenCVE AI on May 2, 2026 at 10:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply an updated Linux kernel release that includes the patch adding durable_owner validation to ksmbd.
  • If an immediate kernel update is not possible, configure ksmbd to disallow durable handles or disable the ksmbd service entirely to prevent reuse of orphaned handles.
  • Deploy network monitoring to detect anomalous SMB reconnection patterns that might indicate brute‑force attempts against durable handles.



Advisories

No advisories yet.

History

Sat, 02 May 2026 00:15:00 +0000


Fri, 01 May 2026 14:15:00 +0000

| Type | Values Removed | Values Added |
| Description | | In the Linux kernel, the following vulnerability has been resolved: ksmbd: validate owner of durable handle on reconnect Currently, ksmbd does not verify if the user attempting to reconnect to a durable handle is the same user who originally opened the file. This allows any authenticated user to hijack an orphaned durable handle by predicting or brute-forcing the persistent ID. According to MS-SMB2, the server MUST verify that the SecurityContext of the reconnect request matches the SecurityContext associated with the existing open. Add a durable_owner structure to ksmbd_file to store the original opener's UID, GID, and account name, capture the owner information when a file handle becomes orphaned, and implement ksmbd_vfs_compare_durable_owner() to validate the identity of the requester during SMB2_CREATE (DHnC). |
| Title | | ksmbd: validate owner of durable handle on reconnect |
| First Time appeared | | Linux, Linux linux Kernel |
| CPEs | | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Vendors & Products | | Linux, Linux linux Kernel |
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-01T13:56:12.012Z

Reserved: 2026-03-09T15:48:24.134Z

Link: CVE-2026-31717

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-05-01T14:16:21.860

Modified: 2026-05-01T15:24:14.893

Link: CVE-2026-31717

Redhat

Severity :

Public Date: 2026-05-01T00:00:00Z

Links: CVE-2026-31717 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-02T10:45:40Z

Weaknesses