CVE-2026-31477
Published: 22 April 2026
Summary
CVE-2026-31477 is a high-severity NULL Pointer Dereference (CWE-476) vulnerability in the Linux kernel. Its CVSS base score is 7.5 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Application or System Exploitation (T1499.004). It ranks in the 21.2nd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-11 (Error Handling) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Timely application of vendor patches directly remediates the memory leak and NULL dereference flaws in ksmbd's smb2_lock() function, preventing exploitation.
Robust error handling ensures secure management of exceptions in kernel locking operations, avoiding resource leaks and crashes from improper cleanup or NULL dereferences.
Protection of system resource availability mitigates denial-of-service from memory exhaustion caused by repeated exploitation of the locking error paths.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability in the ksmbd SMB server lets a remote, unauthenticated attacker trigger the NULL dereference or the memory leaks, crashing the kernel or exhausting its resources. That maps directly to application or system exploitation for denial of service.
NVD Description
In the Linux kernel, the following vulnerability has been resolved:

ksmbd: fix memory leaks and NULL deref in smb2_lock()

smb2_lock() has three error handling issues after list_del() detaches smb_lock from lock_list at no_check_cl:

1) If vfs_lock_file() returns an unexpected error in the non-UNLOCK path, goto out leaks smb_lock and its flock because the out: handler only iterates lock_list and rollback_list, neither of which contains the detached smb_lock.

2) If vfs_lock_file() returns -ENOENT in the UNLOCK path, goto out leaks smb_lock and flock for the same reason. The error code returned to the dispatcher is also stale.

3) In the rollback path, smb_flock_init() can return NULL on allocation failure. The result is dereferenced unconditionally, causing a kernel NULL pointer dereference. Add a NULL check to prevent the crash and clean up the bookkeeping; the VFS lock itself cannot be rolled back without the allocation and will be released at file or connection teardown.

Fix cases 1 and 2 by hoisting the locks_free_lock()/kfree() to before the if(!rc) check in the UNLOCK branch so all exit paths share one free site, and by freeing smb_lock and flock before goto out in the non-UNLOCK branch. Propagate the correct error code in both cases. Fix case 3 by wrapping the VFS unlock in an if(rlock) guard and adding a NULL check for locks_free_lock(rlock) in the shared cleanup.

Found via call-graph analysis using sqry.
Deeper analysis
CVE-2026-31477 affects the Linux kernel's ksmbd module, which implements an SMB server. The vulnerability resides in the smb2_lock() function and manifests as three error-handling flaws: memory leaks of the smb_lock structure and its associated flock in the non-UNLOCK path on unexpected vfs_lock_file() errors and in the UNLOCK path on -ENOENT returns, plus a NULL pointer dereference in the rollback path due to unconditional dereference of a potentially NULL result from smb_flock_init() on allocation failure. These issues were published on 2026-04-22 with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and are classified under CWE-476 (NULL Pointer Dereference).
Remote network attackers require no privileges or user interaction to exploit the flaws over the SMB protocol. Successful exploitation can trigger memory leaks, leading to gradual resource exhaustion, or induce a kernel crash through the NULL dereference, both resulting in denial-of-service conditions against the affected system.
Patches addressing these issues are available in Linux kernel stable repositories via the following commits: https://git.kernel.org/stable/c/309b44ed684496ed3f9c5715d10b899338623512, https://git.kernel.org/stable/c/3cdacd11b41569ce75b3162142240f2355e04900, https://git.kernel.org/stable/c/91aeaa7256006d79a37298f5a1df23325db91599, https://git.kernel.org/stable/c/aab42f0795620cf0d3955a520f571f697d0f9a2a, and https://git.kernel.org/stable/c/c9b95ef6f5039f19e46c3a521a4fe1752d91dfe9. The fixes consolidate lock freeing before shared exit paths, propagate accurate error codes, add a NULL check before VFS unlock in rollback, and guard dereferences to prevent leaks, crashes, and stale errors.
The vulnerability was identified through call-graph analysis using sqry. No public information indicates real-world exploitation.
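As an added illustration of leak cases 1 and 2 described above (a constructed model, not ksmbd's own code), the C program below reproduces the shape of the bug: the lock object has already been detached from its list before the VFS call, and the shared out: cleanup frees only what is still on a list, so an early goto out leaves the detached object unreachable. All names (lock_model, vfs_lock_stub, smb_lock_model, leaked_after) and the live_locks counter are assumptions introduced for the model.

```c
#include <errno.h>
#include <stdlib.h>

/* Constructed model of leak cases 1 and 2 above, not ksmbd code: smb_lock has already
 * been detached from lock_list at no_check_cl, and the shared out: cleanup frees only
 * what is still on a list, so an early goto out leaves the detached object unreachable. */
struct lock_model { struct lock_model *next; };
static int live_locks;	/* outstanding lock objects; non-zero after return means a leak */
static struct lock_model *lock_alloc(void)
{
	struct lock_model *l = calloc(1, sizeof(*l));
	if (l) live_locks++;
	return l;
}
static void lock_free(struct lock_model *l) { free(l); live_locks--; }
/* Stand-in for vfs_lock_file(): the caller injects the return code. */
static int vfs_lock_stub(int rc) { return rc; }
/* Returns the code handed back to the dispatcher; fixed selects the patched cleanup. */
static int smb_lock_model(int vfs_rc, int fixed)
{
	struct lock_model *list = NULL, *tmp;	/* lock_list, empty once smb_lock is detached */
	struct lock_model *l = lock_alloc();	/* smb_lock, already removed by list_del() */
	int rc;

	if (!l)
		return -ENOMEM;
	rc = vfs_lock_stub(vfs_rc);
	if (rc) {
		if (fixed)
			lock_free(l);	/* fix: free the detached object before leaving */
		goto out;		/* vulnerable: out: walks lock_list, which no longer holds l */
	}
	lock_free(l);			/* success path releases the lock object */
out:
	while (list) {			/* shared cleanup: only list members are freed */
		tmp = list->next;
		lock_free(list);
		list = tmp;
	}
	return rc;
}

/* Runs one scenario with a fresh counter and reports how many lock objects leaked. */
static int leaked_after(int vfs_rc, int fixed)
{
	live_locks = 0;
	smb_lock_model(vfs_rc, fixed);
	return live_locks;
}
```

The same pattern is what the kernel patch removes by giving every exit path a single free site before the jump to the shared cleanup.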
Details
- CWE(s)