Description
In the Linux kernel, the following vulnerability has been resolved:

ksmbd: fix use-after-free in __ksmbd_close_fd() via durable scavenger

When a durable file handle survives session disconnect (TCP close without
SMB2_LOGOFF), session_fd_check() sets fp->conn = NULL to preserve the
handle for later reconnection. However, it did not clean up the byte-range
locks on fp->lock_list.

Later, when the durable scavenger thread times out and calls
__ksmbd_close_fd(NULL, fp), the lock cleanup loop did:

spin_lock(&fp->conn->llist_lock);

This caused a slab use-after-free because fp->conn was NULL and the
original connection object had already been freed by
ksmbd_tcp_disconnect().

The root cause is asymmetric cleanup: lock entries (smb_lock->clist) were
left dangling on the freed conn->lock_list while fp->conn was nulled out.

To fix this issue properly, we need to handle the lifetime of
smb_lock->clist across three paths:
- Safely skip clist deletion when list is empty and fp->conn is NULL.
- Remove the lock from the old connection's lock_list in
session_fd_check()
- Re-add the lock to the new connection's lock_list in
ksmbd_reopen_durable_fd().
Published: 2026-05-01
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In the Linux kernel's ksmbd SMB service, a use‑after‑free flaw was discovered. When a session disconnects without a SMB2_LOGOFF, a durable file handle remains associated with a NULL connection pointer and leaves byte‑range lock entries dangling. The subsequent durable scavenger thread attempts to clean up those locks while the connection object has already been freed, causing a slab use‑after‑free vulnerability that can lead to kernel memory corruption or code execution. The flaw is a classic use‑after‑free (CWE‑825).

Affected Systems

This issue affects any Linux distribution that ships with the ksmbd kernel module and has not applied the patch referenced by the provided Git commits. No specific kernel version list is disclosed, so all current kernels that include the vulnerable ksmbd code may be impacted. The patch is included in the kernel source; therefore vendor kernel updates that incorporate the Git commit should remediate the problem.

Risk and Exploitability

The CVSS score is not available, but the EPSS score is not reported and KEV does not list this vulnerability, indicating no detected exploitation at present. Nonetheless, use‑after‑free in kernel space can enable remote code execution if an attacker can interact with the SMB service. The likely attack vector is a remote SMB client providing a durable session that later times out while attempting to close the file descriptor. Because this flaw can corrupt kernel memory, the impact is high, and systems running ksmbd should prioritize applying the patched kernel.

Generated by OpenCVE AI on May 2, 2026 at 10:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest kernel update that contains the ksmbd use‑after‑free fix and verify the patch via the referenced Git commits.
  • If updating is not immediately possible, disable the ksmbd SMB server or restrict SMB network access to trusted hosts.
  • Reboot the system after any kernel update to clear stale durable handles and ensure the patch takes effect.
  • Continuously monitor kernel logs for unexpected panics or lock errors that could indicate lingering issues.

Generated by OpenCVE AI on May 2, 2026 at 10:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 02 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-825
References

Fri, 01 May 2026 14:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free in __ksmbd_close_fd() via durable scavenger When a durable file handle survives session disconnect (TCP close without SMB2_LOGOFF), session_fd_check() sets fp->conn = NULL to preserve the handle for later reconnection. However, it did not clean up the byte-range locks on fp->lock_list. Later, when the durable scavenger thread times out and calls __ksmbd_close_fd(NULL, fp), the lock cleanup loop did: spin_lock(&fp->conn->llist_lock); This caused a slab use-after-free because fp->conn was NULL and the original connection object had already been freed by ksmbd_tcp_disconnect(). The root cause is asymmetric cleanup: lock entries (smb_lock->clist) were left dangling on the freed conn->lock_list while fp->conn was nulled out. To fix this issue properly, we need to handle the lifetime of smb_lock->clist across three paths: - Safely skip clist deletion when list is empty and fp->conn is NULL. - Remove the lock from the old connection's lock_list in session_fd_check() - Re-add the lock to the new connection's lock_list in ksmbd_reopen_durable_fd().
Title ksmbd: fix use-after-free in __ksmbd_close_fd() via durable scavenger
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-01T13:56:12.680Z

Reserved: 2026-03-09T15:48:24.134Z

Link: CVE-2026-31718

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-01T14:16:21.963

Modified: 2026-05-01T15:24:14.893

Link: CVE-2026-31718

cve-icon Redhat

Severity :

Publid Date: 2026-05-01T00:00:00Z

Links: CVE-2026-31718 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T20:15:24Z

Weaknesses