Description
In the Linux kernel, the following vulnerability has been resolved:

ksmbd: fix use-after-free in __ksmbd_close_fd() via durable scavenger

When a durable file handle survives session disconnect (TCP close without
SMB2_LOGOFF), session_fd_check() sets fp->conn = NULL to preserve the
handle for later reconnection. However, it did not clean up the byte-range
locks on fp->lock_list.

Later, when the durable scavenger thread times out and calls
__ksmbd_close_fd(NULL, fp), the lock cleanup loop did:

spin_lock(&fp->conn->llist_lock);

This caused a slab use-after-free because fp->conn was NULL and the
original connection object had already been freed by
ksmbd_tcp_disconnect().

The root cause is asymmetric cleanup: lock entries (smb_lock->clist) were
left dangling on the freed conn->lock_list while fp->conn was nulled out.

To fix this issue properly, we need to handle the lifetime of
smb_lock->clist across three paths:
- Safely skip clist deletion when list is empty and fp->conn is NULL.
- Remove the lock from the old connection's lock_list in
session_fd_check()
- Re-add the lock to the new connection's lock_list in
ksmbd_reopen_durable_fd().
Published: 2026-05-01
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In the Linux kernel's ksmbd SMB service, a use‑after‑free flaw was discovered. When a session disconnects without a SMB2_LOGOFF, a durable file handle remains associated with a NULL connection pointer and leaves byte‑range lock entries dangling. The subsequent durable scavenger thread attempts to clean up those locks while the connection object has already been freed, causing a slab use‑after‑free vulnerability that can lead to kernel memory corruption or code execution. The flaw is a classic use‑after‑free (CWE‑416).

Affected Systems

This issue affects any Linux distribution that ships with the ksmbd kernel module and has not applied the patch referenced by the provided Git commits. No specific kernel version list is disclosed, so all current kernels that include the vulnerable ksmbd code may be impacted. The patch is included in the kernel source; therefore vendor kernel updates that incorporate the Git commit should remediate the problem.

Risk and Exploitability

The CVSS score is 9.8, indicating a high severity vulnerability. The EPSS score is < 1%, and the vulnerability is not listed in CISA KEV, suggesting no known exploitation yet. Nonetheless, the use‑after‑free flaw can enable remote code execution via the SMB service when a client maintains a durable session that later times out while attempting to close the file descriptor. Due to the kernel memory corruption potential, the impact remains high, and systems running ksmbd should update promptly.

Generated by OpenCVE AI on May 6, 2026 at 22:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest kernel update that contains the ksmbd use‑after‑free fix and verify the patch via the referenced Git commits.
  • If updating is not immediately possible, disable the ksmbd SMB server or restrict SMB network access to trusted hosts.
  • Reboot the system after any kernel update to clear stale durable handles and ensure the patch takes effect.
  • Continuously monitor kernel logs for unexpected panics or lock errors that could indicate lingering issues.

Generated by OpenCVE AI on May 6, 2026 at 22:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 17 May 2026 15:45:00 +0000

Type Values Removed Values Added
References

Wed, 06 May 2026 21:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416
CPEs cpe:2.3:o:linux:linux_kernel:7.1:rc1:*:*:*:*:*:*

Sun, 03 May 2026 06:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Sat, 02 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-825
References

Fri, 01 May 2026 14:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free in __ksmbd_close_fd() via durable scavenger When a durable file handle survives session disconnect (TCP close without SMB2_LOGOFF), session_fd_check() sets fp->conn = NULL to preserve the handle for later reconnection. However, it did not clean up the byte-range locks on fp->lock_list. Later, when the durable scavenger thread times out and calls __ksmbd_close_fd(NULL, fp), the lock cleanup loop did: spin_lock(&fp->conn->llist_lock); This caused a slab use-after-free because fp->conn was NULL and the original connection object had already been freed by ksmbd_tcp_disconnect(). The root cause is asymmetric cleanup: lock entries (smb_lock->clist) were left dangling on the freed conn->lock_list while fp->conn was nulled out. To fix this issue properly, we need to handle the lifetime of smb_lock->clist across three paths: - Safely skip clist deletion when list is empty and fp->conn is NULL. - Remove the lock from the old connection's lock_list in session_fd_check() - Re-add the lock to the new connection's lock_list in ksmbd_reopen_durable_fd().
Title ksmbd: fix use-after-free in __ksmbd_close_fd() via durable scavenger
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-23T16:05:49.998Z

Reserved: 2026-03-09T15:48:24.134Z

Link: CVE-2026-31718

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2026-05-01T14:16:21.963

Modified: 2026-05-17T16:16:16.300

Link: CVE-2026-31718

cve-icon Redhat

Severity :

Publid Date: 2026-05-01T00:00:00Z

Links: CVE-2026-31718 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-06T22:45:13Z

Weaknesses