CVE-2026-31717

HIGH

ksmbd: validate owner of durable handle on reconnect

Title source: cna

Exploitation Summary

EIP tracks 2 public exploits for CVE-2026-31717. PoCs published by XZ1r0, TurtleARM.

AI-analyzed exploit summary: This repository contains a functional exploit for CVE-2026-31717, which targets a durable-handle reconnect access-control bypass in the Linux ksmbd SMB server. The exploit includes a setup script to build a vulnerable QEMU environment and a Python script to demonstrate the ACL bypass by hijacking orphaned durable handles.

Description

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: validate owner of durable handle on reconnect

Currently, ksmbd does not verify if the user attempting to reconnect to a durable handle is the same user who originally opened the file. This allows any authenticated user to hijack an orphaned durable handle by predicting or brute-forcing the persistent ID.

According to MS-SMB2, the server MUST verify that the SecurityContext of the reconnect request matches the SecurityContext associated with the existing open.

Add a durable_owner structure to ksmbd_file to store the original opener's UID, GID, and account name, capture the owner information when a file handle becomes orphaned, and implement ksmbd_vfs_compare_durable_owner() to validate the identity of the requester during SMB2_CREATE (DHnC).
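The check the fix describes, as an added example that is not part of this page's sources or of ksmbd: a small C model of a durable-handle table with the reconnect path in both its unpatched and patched form. The struct layouts, the table, and the helpers durable_open, lookup, orphan_handle, reconnect and can_reconnect are assumptions of the model; compare_durable_owner mirrors the role of ksmbd_vfs_compare_durable_owner() but not its signature; persistent ids are handed out sequentially only so the brute-force step from the description is concrete. The sessions "alice" and "bob" are constructed sample input.

```c
/* Added model of the reconnect check described above; not ksmbd source.
 * The table, struct layouts, helper names and the sequential persistent
 * ids are simplified stand-ins chosen to make the brute-force step concrete. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_HANDLES 8
#define ACCOUNT_LEN 32

/* What the fix records: identity of the session that opened the file. */
struct durable_owner { uint32_t uid, gid; char account[ACCOUNT_LEN]; };

/* Stand-in for ksmbd_file: persistent id, orphan state, recorded owner. */
struct file_model { uint64_t persistent_id; bool orphaned; struct durable_owner owner; };

/* Security context of a session sending SMB2_CREATE with a DHnC context. */
struct session_model { uint32_t uid, gid; const char *account; };

static struct file_model table[MAX_HANDLES];

/* Durable open: take a free slot. Ids are handed out sequentially in this
 * model, which is what makes them guessable. */
static uint64_t durable_open(void) {
    for (int i = 0; i < MAX_HANDLES; i++)
        if (!table[i].persistent_id) {
            table[i].persistent_id = 0x1000 + (uint64_t)i;
            return table[i].persistent_id;
        }
    return 0;
}

static struct file_model *lookup(uint64_t pid) {
    for (int i = 0; i < MAX_HANDLES; i++)
        if (pid && table[i].persistent_id == pid)
            return &table[i];
    return NULL;
}

/* Session loss: the open survives as an orphan awaiting DHnC and, as in the
 * fix, the opener's UID, GID and account name are captured at this point. */
static void orphan_handle(uint64_t pid, const struct session_model *opener) {
    struct file_model *f = lookup(pid);
    if (!f)
        return;
    f->orphaned = true;
    f->owner.uid = opener->uid;
    f->owner.gid = opener->gid;
    snprintf(f->owner.account, ACCOUNT_LEN, "%s", opener->account);
}

/* Owner comparison in the spirit of ksmbd_vfs_compare_durable_owner():
 * UID, GID and account name must all match the recorded opener. */
static bool compare_durable_owner(const struct durable_owner *o,
                                  const struct session_model *s) {
    return o->uid == s->uid && o->gid == s->gid &&
           strcmp(o->account, s->account) == 0;
}

/* DHnC reconnect. Unpatched: a valid persistent id is all it takes.
 * Patched: the requester's SecurityContext must match the stored owner. */
static bool reconnect(uint64_t pid, const struct session_model *sess, bool patched) {
    struct file_model *f = lookup(pid);
    if (!f || !f->orphaned)
        return false;
    if (patched && !compare_durable_owner(&f->owner, sess))
        return false; /* the fix rejects here instead of handing over the open */
    f->orphaned = false;
    return true;
}

/* Scenario from the description: `owner` opens and disconnects, then `who`
 * sweeps the id space. Returns true if `who` ends up holding the open. */
bool can_reconnect(const struct session_model *owner,
                   const struct session_model *who, bool patched) {
    memset(table, 0, sizeof table);
    orphan_handle(durable_open(), owner);
    for (uint64_t guess = 0x1000; guess < 0x1000 + MAX_HANDLES; guess++)
        if (reconnect(guess, who, patched))
            return true;
    return false;
}

int main(void) {
    const struct session_model alice = {1000, 1000, "alice"}, bob = {1001, 1001, "bob"};
    printf("unpatched, attacker hijack: %d\n", can_reconnect(&alice, &bob, false));
    printf("patched,   attacker hijack: %d\n", can_reconnect(&alice, &bob, true));
    printf("patched,   owner reconnect: %d\n", can_reconnect(&alice, &alice, true));
    return 0;
}
```

The model speaks no SMB2; it only shows the control flow that matters. In the unpatched path the sweep over a small id space lands on alice's orphaned open for any authenticated session, which is the brute-force the description refers to. In the patched path the same sweep fails for bob, and it also fails for a session that shares alice's UID and GID but not her account name, because all three recorded fields have to match before the open is handed back.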

Exploits (2)

github WORKING POC
by XZ1r0 · python · poc
https://github.com/XZ1r0/cve-2026-poc-collection/tree/main/other/CVE-2026-31717-KSMBD-Exploit

This repository contains a functional exploit for CVE-2026-31717, which targets a durable-handle reconnect access-control bypass in the Linux ksmbd SMB server. The exploit includes a setup script to build a vulnerable QEMU environment and a Python script to demonstrate the ACL bypass by hijacking orphaned durable handles.

Classification
Working Poc 100%
Attack Type
Auth Bypass
Complexity
Moderate
Reliability
Reliable
Target: Linux ksmbd (versions 6.12 to 6.19.x)
Auth required
Prerequisites: Authenticated SMB user access · Durable handles enabled in ksmbd.conf · SMB 2.1 or higher dialect
devstral-2 · analyzed May 21, 2026
nomisec WORKING POC
by TurtleARM · poc
https://github.com/TurtleARM/CVE-2026-31717-KSMBD-Exploit

This repository contains a functional exploit for CVE-2026-31717, which allows an authenticated SMB user to hijack another user's orphaned durable handle in the Linux ksmbd server, bypassing POSIX ACL checks. The exploit demonstrates the vulnerability by showing how an attacker can read and write to a file owned by another user with restrictive permissions.

Classification
Working Poc 100%
Attack Type
Auth Bypass
Complexity
Moderate
Reliability
Reliable
Target: Linux kernel ksmbd (versions 6.12 to 6.19.x)
Auth required
Prerequisites: durable handles enabled in ksmbd.conf · SMB 2.1 or higher dialect · authenticated SMB user session
devstral-2 · analyzed May 05, 2026

Scores

CVSS v3 8.8
EPSS 0.0044
EPSS Percentile 34.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

Status published
Products (18)
Linux/Linux < 6.9
Linux/Linux 6.12.92 - 6.12.*
Linux/Linux 6.18.25 - 6.18.*
Linux/Linux 6.6.142 - 6.6.*
Linux/Linux 6.6.32 - 6.6.142
Linux/Linux 6.6.32 - 6.7
Linux/Linux 6.9
Linux/Linux 7.0.2 - 7.0.*
Linux/Linux 7.1
Linux/Linux 7.1-rc1
... and 8 more
Published May 01, 2026
Tracked Since May 01, 2026