CVE 9.8 CRITICAL

ksmbd: fix use-after-free in __ksmbd_close_fd() via durable scavenger_CVE-2026-31718

May 3, 2026 invoker category_cve

9.8 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: fix use-after-free in __ksmbd_close_fd() via durable scavenger

When a durable file handle survives session disconnect (TCP close without
SMB2_LOGOFF), session_fd_check() sets fp->conn = NULL to preserve the
handle for later reconnection. However, it did not clean up the byte-range
locks on fp->lock_list.

Later, when the durable scavenger thread times out and calls
__ksmbd_close_fd(NULL, fp), the lock cleanup loop did:

spin_lock(&fp->conn->llist_lock);

This caused a slab use-after-free because fp->conn was NULL and the
original connection object had already been freed by
ksmbd_tcp_disconnect().

The root cause is asymmetric cleanup: lock entries (smb_lock->clist) were
left dangling on the freed conn->lock_list while fp->conn was nulled out.

To fix this issue properly, we need to handle the lifetime of
smb_lock->clist across three paths:
- Safely skip clist deletion when list is empty and fp->conn is NULL.
- Remove the lock from the old connection's lock_list in
session_fd_check()
- Re-add the lock to the new connection's lock_list in
ksmbd_reopen_durable_fd().

AI Analysis

Use-after-free vulnerability in ksmbd via durable scavenger

Basic Information

ID CVE-2026-31718

Source Linux

Published May 1, 2026 at 13:56

Modified May 3, 2026 at 05:45

Affected Product

Vendor Linux

Product Linux

Version c8efcc786146a951091588e5fa7e3c754850cb3c

Affected Versions Linux Linux c8efcc786146a951091588e5fa7e3c754850cb3c
Linux Linux c8efcc786146a951091588e5fa7e3c754850cb3c
Linux Linux c8efcc786146a951091588e5fa7e3c754850cb3c
Linux Linux c8efcc786146a951091588e5fa7e3c754850cb3c
Linux Linux 8df4bcdb0a4232192b2445256c39b787d58ef14d
Linux Linux 6.9

AI Assessment

AI Score 9.8 / 10

AI Severity Critical

Vendor Linux

Product ksmbd

Version c8efcc786146a951091588e5fa7e3c754850cb3c

References

{
    "lastseen": "",
    "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix use-after-free in __ksmbd_close_fd() via durable scavenger\n\nWhen a durable file handle survives session disconnect (TCP close without\nSMB2_LOGOFF), session_fd_check() sets fp->conn = NULL to preserve the\nhandle for later reconnection. However, it did not clean up the byte-range\nlocks on fp->lock_list.\n\nLater, when the durable scavenger thread times out and calls\n__ksmbd_close_fd(NULL, fp), the lock cleanup loop did:\n\n    spin_lock(&fp->conn->llist_lock);\n\nThis caused a slab use-after-free because fp->conn was NULL and the\noriginal connection object had already been freed by\nksmbd_tcp_disconnect().\n\nThe root cause is asymmetric cleanup: lock entries (smb_lock->clist) were\nleft dangling on the freed conn->lock_list while fp->conn was nulled out.\n\nTo fix this issue properly, we need to handle the lifetime of\nsmb_lock->clist across three paths:\n - Safely skip clist deletion when list is empty and fp->conn is NULL.\n - Remove the lock from the old connection's lock_list in\n   session_fd_check()\n - Re-add the lock to the new connection's lock_list in\n   ksmbd_reopen_durable_fd().",
    "published": "2026-05-01T13:56:12.680Z",
    "modified": "2026-05-03T05:45:38.947Z",
    "type": "cve",
    "title": "ksmbd: fix use-after-free in __ksmbd_close_fd() via durable scavenger",
    "source": "Linux",
    "references": "https://git.kernel.org/stable/c/e33c65f011980b4ad4abfd93585ec2079856368f\nhttps://git.kernel.org/stable/c/3d6682726c2d3a46d31dae88b8166786b09b03ad\nhttps://git.kernel.org/stable/c/b34fc42cfe922e551f7a27d3ac3bb016e41d7dd9\nhttps://git.kernel.org/stable/c/235e32320a470fcd3998fb3774f2290a0eb302a1",
    "id": "CVE-2026-31718",
    "bulletinFamily": "",
    "cwe": null,
    "cvelist": null,
    "sourceData": "Linux Linux c8efcc786146a951091588e5fa7e3c754850cb3c\nLinux Linux c8efcc786146a951091588e5fa7e3c754850cb3c\nLinux Linux c8efcc786146a951091588e5fa7e3c754850cb3c\nLinux Linux c8efcc786146a951091588e5fa7e3c754850cb3c\nLinux Linux 8df4bcdb0a4232192b2445256c39b787d58ef14d\nLinux Linux 6.9",
    "sourceHref": "",
    "cvss": {
        "score": 9.8,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Linux",
    "version": "c8efcc786146a951091588e5fa7e3c754850cb3c",
    "vendor": "Linux",
    "ai_description": "Use-after-free vulnerability in ksmbd via durable scavenger",
    "ai_severity": "Critical",
    "ai_vendor": "Linux",
    "ai_product": "ksmbd",
    "ai_version": "c8efcc786146a951091588e5fa7e3c754850cb3c",
    "ai_score": 9.8
}

💭 Join the Security Discussion ❌ Cancel Reply