Cyber Posture

CVE-2026-31444

Critical

Published: 22 April 2026
Modified: 07 May 2026
KEV Added: not listed (not in the CISA KEV catalog)
Patch: available
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0006 (18.8th percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-31444 is a critical-severity Use After Free (CWE-416) vulnerability in the Linux kernel (vendor: Linux, product: Linux Kernel). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 18.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) AI

- prevent (SI-2 Flaw Remediation): Timely remediation through kernel patching directly resolves the use-after-free and NULL dereference race conditions in ksmbd's smb_grant_oplock() function.
- prevent (CM-7 Least Functionality): Configuring the system to least functionality by disabling the unnecessary ksmbd kernel module eliminates the attack surface for the oplock publication vulnerability.
- prevent: Kernel memory protections such as KASLR and non-executable memory mitigate exploitation of the use-after-free defect in concurrent list operations.

MITRE ATT&CK Enterprise Techniques AI

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1210 Exploitation of Remote Services (Lateral Movement): Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
- T1068 Exploitation for Privilege Escalation (Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Remote unauthenticated network exploitation of the ksmbd SMB service (a public-facing or remote service) via the use-after-free / NULL pointer dereference race in oplock and lease handling enables initial access and kernel-level RCE or privilege escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free and NULL deref in smb_grant_oplock()

smb_grant_oplock() has two issues in the oplock publication sequence:

1) opinfo is linked into ci->m_op_list (via opinfo_add) before add_lease_global_list() is called. If add_lease_global_list() fails (kmalloc returns NULL), the error path frees the opinfo via __free_opinfo() while it is still linked in ci->m_op_list. Concurrent m_op_list readers (opinfo_get_list, or direct iteration in smb_break_all_levII_oplock) dereference the freed node.

2) opinfo->o_fp is assigned after add_lease_global_list() publishes the opinfo on the global lease list. A concurrent find_same_lease_key() can walk the lease list and dereference opinfo->o_fp->f_ci while o_fp is still NULL.

Fix by restructuring the publication sequence to eliminate post-publish failure:

- Set opinfo->o_fp before any list publication (fixes NULL deref).
- Preallocate lease_table via alloc_lease_table() before opinfo_add() so add_lease_global_list() becomes infallible after publication.
- Keep the original m_op_list publication order (opinfo_add before lease list) so concurrent opens via same_client_has_lease() and opinfo_get_list() still see the in-flight grant.
- Use opinfo_put() instead of __free_opinfo() on err_out so that the RCU-deferred free path is used.

This also requires splitting add_lease_global_list() to take a preallocated lease_table and changing its return type from int to void, since it can no longer fail.

Deeper analysis AI

CVE-2026-31444 is a use-after-free and NULL pointer dereference vulnerability in the Linux kernel's ksmbd module, specifically within the smb_grant_oplock() function. The issues arise during the oplock publication sequence: first, an opinfo structure is added to ci->m_op_list before add_lease_global_list(), which can fail due to kmalloc returning NULL, leading to the opinfo being freed while still linked and accessible to concurrent readers; second, opinfo->o_fp is set after publication to the global lease list, allowing concurrent find_same_lease_key() calls to dereference a NULL o_fp.

A remote network attacker with no privileges or user interaction required (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, score 9.8) can exploit this during SMB oplock granting operations. Exploitation involves triggering race conditions in ksmbd's lease handling, potentially leading to kernel crashes, denial of service, or more severe impacts like arbitrary code execution due to the use-after-free and NULL dereference in kernel space.

Mitigation requires updating to patched Linux kernel versions incorporating the fixes from the referenced stable commits, such as https://git.kernel.org/stable/c/48623ec358c1c600fa1e38368746f933e0f1a617 and others. These patches restructure the sequence by setting opinfo->o_fp before list publication, preallocating lease_table to make add_lease_global_list() infallible post-publication, and using RCU-deferred freeing with opinfo_put() on errors.
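The two ordering defects in the NVD description and the fix sequence summarised above, as an added C model that is not ksmbd or kernel code: the per-inode list, the opinfo structure and the allocation-failure knob are constructed here, and frees are simulated with a flag so the program never touches freed memory.

```c
#include <stdbool.h>
#include <stddef.h>
/* Simplified model of ksmbd's oplock publication (not kernel code): a linked
 * per-inode list standing in for ci->m_op_list, an opinfo whose lease table
 * comes from a fallible allocation, and frees simulated by a flag. */
struct lease_table { int id; };
struct opinfo {
    struct opinfo *next;        /* link in the simulated m_op_list */
    struct lease_table *lease;  /* set by the add_lease_global_list() step */
    void *o_fp;                 /* file pointer, NULL until assigned */
    bool freed;                 /* simulated __free_opinfo() */
    bool published_null_fp;     /* was o_fp still NULL when the node became visible? */
};
static struct opinfo *m_op_list;    /* head of the simulated per-inode list */
static struct lease_table lt_store; /* backing store for the "allocation" */
bool alloc_fails;                   /* constructed knob: make kmalloc "return NULL" */
static struct lease_table *alloc_lease_table(void) { return alloc_fails ? NULL : &lt_store; }
void reset_list(void) { m_op_list = NULL; }
static void opinfo_add(struct opinfo *o) {
    o->published_null_fp = (o->o_fp == NULL);   /* what a racing reader would see */
    o->next = m_op_list;
    m_op_list = o;
}
/* Pre-fix order: publish, then allocate, and on failure free the node while it
 * is still linked (UAF for list readers); o_fp is set only after publication. */
int grant_oplock_vulnerable(struct opinfo *o, void *fp) {
    opinfo_add(o);
    o->lease = alloc_lease_table();
    if (!o->lease) { o->freed = true; return -1; }  /* freed while still linked */
    o->o_fp = fp;
    return 0;
}

/* Post-fix order: set o_fp and preallocate before publishing, so no failure
 * path remains once the node is visible to concurrent readers. */
int grant_oplock_fixed(struct opinfo *o, void *fp) {
    o->o_fp = fp;
    o->lease = alloc_lease_table();
    if (!o->lease) return -1;   /* never linked, so releasing it is safe */
    opinfo_add(o);              /* lease list insertion is now infallible */
    return 0;
}

/* Reader's view: would walking the list touch a freed node? */
bool list_has_freed_node(void) {
    for (struct opinfo *o = m_op_list; o; o = o->next)
        if (o->freed) return true;
    return false;
}
```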

Details

CWE(s): CWE-416 Use After Free

Affected Products

Vendor: linux
Product: linux kernel
Affected versions: 6.6.130, 7.0; 6.12.78 to 6.12.80; 6.18.19 to 6.18.21; 6.19.9 to 6.19.11
