
CVE-2026-31409

Severity: High
Published: 06 April 2026
Modified: 01 June 2026
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0045 (36.0th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-31409 is a high-severity vulnerability in the Linux kernel; no specific weakness type is recorded for it. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210). The CVE ranks at the 36.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-24 (Fail in Known State) and SI-11 (Error Handling).

Deeper analysis

CVE-2026-31409 is a vulnerability in the Linux kernel's ksmbd module, which implements an SMB server. The issue arises during handling of a multichannel SMB2_SESSION_SETUP request with the SMB2_SESSION_REQ_FLAG_BINDING flag. ksmbd sets conn->binding to true for such a request, but if the binding request fails it never clears the flag on the error path. This leaves the connection in an incorrect binding state, causing all subsequent ksmbd_session_lookup_all() calls to fall back to the global sessions table instead of using per-connection lookups.

An attacker with low privileges (PR:L) can exploit this over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N). The vulnerability has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high impacts on confidentiality, integrity, and availability. By triggering the failed binding, the attacker corrupts the connection state, potentially disrupting session handling and enabling unauthorized access or interference via the global sessions table fallback.

Mitigation involves applying the kernel patches that reset conn->binding to false on the error path for failed binding requests. Relevant stable kernel commits are available at https://git.kernel.org/stable/c/282343cf8a4a5a3603b1cb0e17a7083e4a593b03, https://git.kernel.org/stable/c/6260fc85ed1298a71d24a75d01f8b2e56d489a60, https://git.kernel.org/stable/c/6ebef4a220a1ebe345de899ebb9ae394206fe921, https://git.kernel.org/stable/c/89afe5e2dbea6e9d8e5f11324149d06fa3a4efca, and https://git.kernel.org/stable/c/9feb2d1bf86d9e5e66b8565f37f8d3a7d281a772. Security practitioners should update affected Linux kernels running ksmbd to versions incorporating these fixes.
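
The failure mode and the fix described above, reduced to a user-space C model as an added example (not ksmbd source and not taken from the kernel patches). Only the conn->binding flag and the fallback to the global table come from the description; `lookup_all`, `session_setup`, the `fixed` switch, the table layout and the session id 0x1001 are assumptions made for illustration.

```c
/* Simplified model of the state bug; not ksmbd source, names are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#define REQ_FLAG_BINDING 0x01   /* stands in for SMB2_SESSION_REQ_FLAG_BINDING */

struct session { uint64_t id; };
struct conn {
    bool binding;               /* models conn->binding */
    struct session *own[4];     /* sessions set up on this connection */
};
/* Constructed sample data: a session owned by some other connection. */
static struct session other_sess = { 0x1001 };
static struct session *global_table[] = { &other_sess };

static struct session *find(struct session **tbl, size_t n, uint64_t id)
{
    for (size_t i = 0; i < n; i++)
        if (tbl[i] && tbl[i]->id == id)
            return tbl[i];
    return NULL;
}

/* Per-connection lookup first; global table only while binding is set. */
struct session *lookup_all(struct conn *c, uint64_t id)
{
    struct session *s = find(c->own, 4, id);
    if (!s && c->binding)
        s = find(global_table, 1, id);
    return s;
}

/* auth_ok: does the binding request succeed; fixed: use the patched error path. */
int session_setup(struct conn *c, uint8_t flags, bool auth_ok, bool fixed)
{
    if (flags & REQ_FLAG_BINDING)
        c->binding = true;
    if (auth_ok)
        return 0;
    if (fixed)                  /* error path: reset to a known state */
        c->binding = false;
    return -1;
}

int main(void)
{
    struct conn c = {0};
    session_setup(&c, REQ_FLAG_BINDING, false, true);
    return lookup_all(&c, 0x1001) ? 1 : 0;  /* 0: foreign session not reachable */
}
```

With `fixed` set to false the same failed request leaves `binding` set, and the later lookup resolves the other connection's session through the global table.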

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: unset conn->binding on failed binding request

When a multichannel SMB2_SESSION_SETUP request with SMB2_SESSION_REQ_FLAG_BINDING fails, ksmbd sets conn->binding = true but never clears it on the error path. This leaves the connection in a binding state where all subsequent ksmbd_session_lookup_all() calls fall back to the global sessions table. This fixes it by clearing conn->binding = false in the error path.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1210 Exploitation of Remote Services (Lateral Movement)
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
T1068 Exploitation for Privilege Escalation (Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

The ksmbd SMB server logic flaw (state corruption on failed multichannel SESSION_SETUP binding) directly enables remote exploitation of the SMB service (T1210) by a low-privileged network attacker, resulting in unauthorized session access and high-impact effects that constitute privilege escalation (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-43011 (same product: Linux kernel)
CVE-2026-31717 (same product: Linux kernel)
CVE-2026-23461 (same product: Linux kernel)
CVE-2026-23193 (same product: Linux kernel)
CVE-2026-31432 (same product: Linux kernel)
CVE-2026-31402 (same product: Linux kernel)
CVE-2026-23098 (same product: Linux kernel)
CVE-2026-31629 (same product: Linux kernel)
CVE-2026-31712 (same product: Linux kernel)
CVE-2026-31408 (same product: Linux kernel)

Affected Assets

linux
linux kernel
7.0 · 5.15 — 6.1.167 · 6.2 — 6.6.130 · 6.7 — 6.12.78

Mitigating Controls (NIST 800-53 r5)

prevent

Directly mandates timely remediation of the ksmbd state management flaw through kernel patching to prevent exploitation via incorrect connection binding states.

prevent

Ensures proper error handling in the failed SMB2_SESSION_SETUP binding path by requiring state reset, avoiding compromise of subsequent session lookups.

prevent

Requires the ksmbd module to fail to a known secure state on binding request failures, preventing persistent incorrect conn->binding flags that lead to global session table fallback.
