CVE-2026-31718

CRITICAL

ksmbd: fix use-after-free in __ksmbd_close_fd() via durable scavenger

Title source: cna
STIX 2.1

Description

In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free in __ksmbd_close_fd() via durable scavenger When a durable file handle survives session disconnect (TCP close without SMB2_LOGOFF), session_fd_check() sets fp->conn = NULL to preserve the handle for later reconnection. However, it did not clean up the byte-range locks on fp->lock_list. Later, when the durable scavenger thread times out and calls __ksmbd_close_fd(NULL, fp), the lock cleanup loop did: spin_lock(&fp->conn->llist_lock); This caused a slab use-after-free because fp->conn was NULL and the original connection object had already been freed by ksmbd_tcp_disconnect(). The root cause is asymmetric cleanup: lock entries (smb_lock->clist) were left dangling on the freed conn->lock_list while fp->conn was nulled out. To fix this issue properly, we need to handle the lifetime of smb_lock->clist across three paths: - Safely skip clist deletion when list is empty and fp->conn is NULL. - Remove the lock from the old connection's lock_list in session_fd_check() - Re-add the lock to the new connection's lock_list in ksmbd_reopen_durable_fd().

Scores

CVSS v3 9.8
EPSS 0.0036
EPSS Percentile 27.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-416
Status published
Products (21)
linux/Kernel < 6.6.140linux
linux/Kernel 6.13.0 - 7.0.2linux
linux/Kernel 6.7.0 - 6.12.84linux
linux/Kernel 6.9.0 - 6.18.25linux
Linux/Linux < 6.9
Linux/Linux 6.12.84 - 6.12.*
Linux/Linux 6.18.25 - 6.18.*
Linux/Linux 6.6.140 - 6.6.*
Linux/Linux 6.6.32 - 6.6.140
Linux/Linux 6.9
... and 11 more
Published May 01, 2026
Tracked Since May 01, 2026