CVE-2026-31536
Published: 24 April 2026
Summary
CVE-2026-31536 is a critical-severity an unspecified weakness vulnerability in Linux Linux Kernel. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 16.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly requires timely patching of the Linux kernel flaw in SMB server send completion handling to prevent exploitation of CVE-2026-31536.
Vulnerability scanning identifies systems with vulnerable kernel versions exposing the SMB/RDMA flaw for prioritized remediation.
System monitoring detects indicators of exploitation such as anomalous SMB Direct traffic or kernel crashes from mishandled RDMA completions.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote unauthenticated RCE in Linux kernel SMBDirect server (public-facing network service) directly enables T1190 (Exploit Public-Facing Application) and T1210 (Exploitation of Remote Services).
NVD Description
In the Linux kernel, the following vulnerability has been resolved: smb: server: let send_done handle a completion without IB_SEND_SIGNALED With smbdirect_send_batch processing we likely have requests without IB_SEND_SIGNALED, which will be destroyed in the final request that has IB_SEND_SIGNALED set.…
more
If the connection is broken all requests are signaled even without explicit IB_SEND_SIGNALED.
Deeper analysisAI
CVE-2026-31536 is a critical vulnerability in the Linux kernel's SMB server component, specifically affecting the handling of send completions in smbdirect_send_batch processing. The issue arises because requests without the IB_SEND_SIGNALED flag are not properly managed by the send_done function and are instead destroyed based on the final request that has the flag set. Additionally, when a connection is broken, all requests are signaled regardless of the explicit IB_SEND_SIGNALED setting, leading to potential mishandling. This flaw carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
An unauthenticated remote attacker can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation could result in high impacts to confidentiality, integrity, and availability, potentially allowing arbitrary code execution, data corruption, or denial of service on affected systems running vulnerable Linux kernel versions with SMB server functionality enabled.
Mitigation involves applying the relevant kernel patches referenced in the stable kernel repository, including commits 24082642654f3e5149913946e89c00a297a8868f, 9da82dc73cb03e85d716a2609364572367a5ff47, and e38b415c024bc3b6321bf8650dbf3f4aab8e74b3. Security practitioners should update to a patched kernel version as soon as possible, particularly for systems exposing SMB services over RDMA such as InfiniBand.
Details
- CWE(s)