CVE-2026-31409
Published: 06 April 2026
Summary
CVE-2026-31409 is a high-severity vulnerability in the Linux kernel (affected product inferred from the references; the weakness type is not specified). Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210). Its exploit-likelihood ranking sits at the 10.2 percentile (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-24 (Fail in Known State) and SI-11 (Error Handling).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Flaw remediation: directly mandates timely remediation of the ksmbd state-management flaw through kernel patching, preventing exploitation via an incorrect connection binding state.
- SI-11 (Error Handling): ensures proper error handling in the failed SMB2_SESSION_SETUP binding path by requiring the connection state to be reset, so that subsequent session lookups are not compromised.
- SC-24 (Fail in Known State): requires the ksmbd module to fail to a known secure state on binding-request failures, preventing a persistent incorrect conn->binding flag that leads to the global-session-table fallback.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The ksmbd logic flaw (connection state left corrupted after a failed multichannel SESSION_SETUP binding) lets a low-privileged network attacker exploit the SMB service directly, which is Exploitation of Remote Services (T1210). Because the resulting session access is unauthorized and the CVSS impacts on confidentiality, integrity and availability are all high, the outcome also maps to Exploitation for Privilege Escalation (T1068).
NVD Description
In the Linux kernel, the following vulnerability has been resolved: ksmbd: unset conn->binding on failed binding request. When a multichannel SMB2_SESSION_SETUP request with SMB2_SESSION_REQ_FLAG_BINDING fails, ksmbd sets conn->binding = true but never clears it on the error path. This leaves the connection in a binding state where all subsequent ksmbd_session_lookup_all() calls fall back to the global sessions table. This fixes it by clearing conn->binding = false in the error path.
Deeper analysis
CVE-2026-31409 is a vulnerability in the Linux kernel's ksmbd module, the in-kernel SMB server. The issue arises while handling a multichannel SMB2_SESSION_SETUP request carrying the SMB2_SESSION_REQ_FLAG_BINDING flag. ksmbd sets conn->binding to true for the binding request, but if the request fails it does not clear the flag on the error path. The connection is left in an incorrect binding state, so every subsequent ksmbd_session_lookup_all() call on that connection falls back to the global sessions table rather than being limited to the sessions bound to that connection.
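The state flaw described above, reduced to a runnable model. This is an added example and not ksmbd code: the structures, the bind_session() stub and the two handler variants are simplifications of the kernel's per-connection and global session tables and of ksmbd_session_lookup_all(); the session ID 0x1234 is made up, and the real kernel applies further checks (session state, signing keys) that the model omits. What it shows is the lookup-path change that the single missing conn->binding = false causes.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model of ksmbd's session bookkeeping (added example, not
 * kernel code): each connection has its own session list, and every
 * established session is also registered in one global table. */
#define MAX_SESS 4
struct session { uint64_t id; };

struct sess_table {
    struct session *sess[MAX_SESS];
    int n;
};

struct conn {
    bool binding;               /* models conn->binding */
    struct sess_table sessions; /* models the per-connection session list */
};

static struct sess_table global_sessions; /* models the global sessions table */

static void table_add(struct sess_table *t, struct session *s)
{
    if (t->n < MAX_SESS)
        t->sess[t->n++] = s;
}

static struct session *table_find(const struct sess_table *t, uint64_t id)
{
    for (int i = 0; i < t->n; i++)
        if (t->sess[i]->id == id)
            return t->sess[i];
    return NULL;
}

/* Models ksmbd_session_lookup_all(): the connection's own list first; only a
 * connection in the binding state may fall back to the global table. */
static struct session *session_lookup_all(const struct conn *c, uint64_t id)
{
    struct session *s = table_find(&c->sessions, id);
    if (!s && c->binding)
        s = table_find(&global_sessions, id);
    return s;
}

/* Hypothetical stand-in for the authentication a binding SESSION_SETUP
 * performs; the caller decides whether it fails. */
static int bind_session(struct conn *c, struct session *s, bool fail)
{
    if (fail)
        return -1;
    table_add(&c->sessions, s); /* success: session linked to this conn */
    return 0;
}

/* Vulnerable handler: conn->binding is set for the binding request but never
 * cleared when the request fails. */
static int sess_setup_binding_vuln(struct conn *c, struct session *s, bool fail)
{
    c->binding = true;
    if (bind_session(c, s, fail) < 0)
        return -1; /* bug: c->binding stays true */
    return 0;
}

/* Fixed handler: the error path returns the connection to a known state. */
static int sess_setup_binding_fixed(struct conn *c, struct session *s, bool fail)
{
    c->binding = true;
    if (bind_session(c, s, fail) < 0) {
        c->binding = false; /* the fix: unset binding on failure */
        return -1;
    }
    return 0;
}

/* Scenario: some other connection authenticated session 0x1234 (made-up ID),
 * so it sits in the global table. Connection B sends a binding SESSION_SETUP
 * for it and fails. Returns true if B can afterwards resolve that foreign
 * session through the global-table fallback. */
static bool failed_bind_reaches_foreign_session(
    int (*handler)(struct conn *, struct session *, bool))
{
    static struct session foreign = { .id = 0x1234 };
    struct conn b = { 0 };

    global_sessions = (struct sess_table){ 0 };
    table_add(&global_sessions, &foreign);
    if (handler(&b, &foreign, true) == 0)
        return false; /* not the failure path being modelled */
    return session_lookup_all(&b, 0x1234) != NULL;
}

int main(void)
{
    printf("foreign session reachable after failed bind: vulnerable=%d fixed=%d\n",
           failed_bind_reaches_foreign_session(sess_setup_binding_vuln),
           failed_bind_reaches_foreign_session(sess_setup_binding_fixed));
    return 0;
}
```

With the vulnerable handler the lookup on connection B succeeds even though B never completed authentication for that session; with the fixed handler it returns NULL, because clearing the flag on the error path removes B's right to consult the global table.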
An attacker with low privileges (PR:L) can exploit this over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N). The vulnerability has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high impacts on confidentiality, integrity, and availability. By triggering the failed binding, the attacker corrupts the connection state, potentially disrupting session handling and enabling unauthorized access or interference via the global sessions table fallback.
Mitigation is to apply the kernel patch that clears conn->binding = false on the error path for failed binding requests. The fix is available in the following stable kernel commits:
- https://git.kernel.org/stable/c/282343cf8a4a5a3603b1cb0e17a7083e4a593b03
- https://git.kernel.org/stable/c/6260fc85ed1298a71d24a75d01f8b2e56d489a60
- https://git.kernel.org/stable/c/6ebef4a220a1ebe345de899ebb9ae394206fe921
- https://git.kernel.org/stable/c/89afe5e2dbea6e9d8e5f11324149d06fa3a4efca
- https://git.kernel.org/stable/c/9feb2d1bf86d9e5e66b8565f37f8d3a7d281a772
Security practitioners should update affected Linux kernels running ksmbd to versions that incorporate these commits. Only hosts that actually load the ksmbd module (it is an optional kernel SMB server, not enabled by default) are exposed; until they are patched, restricting network access to their SMB port limits the attack surface.
Details
- CWE(s)