CVE-2026-31538
Published: 24 April 2026
Summary
CVE-2026-31538 is a high-severity vulnerability, with an unspecified weakness type, in the Linux kernel. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). It ranks at the 15.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-5 (Denial-of-service Protection).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Requires timely remediation of the specific race condition vulnerability through application of the upstream Linux kernel patches that introduce a dedicated counter for available SMB recv credits.
Protects against denial-of-service exploitation of the SMB server credit management race by implementing controls to identify, limit, and report resource exhaustion attacks.
Ensures availability of critical system resources such as receive buffers against depletion caused by the race condition granting non-existent SMB credits.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Race condition in exposed SMBDirect/SMB server component allows unauthenticated remote exploitation to trigger DoS via malformed credit handling, directly enabling T1499.004 (Application or System Exploitation) for endpoint availability impact.
NVD Description
In the Linux kernel, the following vulnerability has been resolved:
smb: server: make use of smbdirect_socket.recv_io.credits.available
The logic of managing recv credits by counting posted recv_io and granted credits is racy. That's because the peer might have already consumed a credit, but between receiving the incoming recv at the hardware and processing the completion in the 'recv_done' functions we likely have a window where we grant credits, which don't really exist. So we better have a dedicated counter for the available credits, which will be incremented when we posted new recv buffers and drained when we grant the credits to the peer. This fixes regression Namjae reported with the 6.18 release.
Deeper analysis
CVE-2026-31538 is a race condition vulnerability in the Linux kernel's SMB server component, specifically within the smbdirect_socket handling of recv_io credits. The flawed logic counts posted recv_io operations and granted credits, creating a race where a peer may consume a credit before the hardware processes the incoming recv and the recv_done function completes. This window allows the kernel to grant credits that do not actually exist, as reported in a regression introduced in the 6.18 kernel release.
A remote network attacker with no privileges or user interaction required can exploit this vulnerability due to its low attack complexity and unchanged scope. Successful exploitation leads to high-impact denial of service, as indicated by the CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), potentially disrupting SMB server availability through improper credit management.
Mitigation involves applying the upstream kernel patches from the referenced stable commits: 26ad87a2cfb8c1384620d1693a166ed87303046e, 66c082e3d4651e8629a393a9e182b01eb50fb0a3, and 809cbd31aa4f87a1b889532244c9cf30eb022385. These commits introduce a dedicated counter for available credits, incremented when posting new recv buffers and decremented when granting credits to peers, resolving the race condition.
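The accounting scheme the fix describes, as an added user-space C11 model (not the kernel patch and not code from this page; the struct and function names are hypothetical): a credit exists only once a receive buffer has been posted, and a grant drains the counter atomically.

```c
/* User-space model of a dedicated "available recv credits" counter.
 * All names are hypothetical; this is not the kernel's code. */
#include <stdatomic.h>

struct recv_credits {
    atomic_int available; /* posted buffers not yet promised to the peer */
    atomic_int granted;   /* credits the peer currently holds */
    int target;           /* most credits the peer should hold */
};

static void credits_init(struct recv_credits *c, int target)
{
    atomic_init(&c->available, 0);
    atomic_init(&c->granted, 0);
    c->target = target;
}
/* Posting receive buffers is the only way credits come into existence. */
static void post_recv(struct recv_credits *c, int n) { atomic_fetch_add(&c->available, n); }
/* Completion of one message: the peer spent a credit. The used buffer adds
 * nothing to `available` until a replacement is posted. */
static void recv_done(struct recv_credits *c) { atomic_fetch_sub(&c->granted, 1); }

/* Drain up to the peer's shortfall from `available` with a CAS loop, so
 * concurrent callers can never promise the same buffer twice. */
static int grant_credits(struct recv_credits *c)
{
    int want = c->target - atomic_load(&c->granted);
    int avail = atomic_load(&c->available);
    int take;
    do {
        take = avail < want ? avail : want;
        if (take <= 0)
            return 0;
    } while (!atomic_compare_exchange_weak(&c->available, &avail, avail - take));
    atomic_fetch_add(&c->granted, take);
    return take;
}

/* Constructed scenario: a grant in the window before a buffer is reposted. */
static int grant_in_window(void)
{
    struct recv_credits c;
    credits_init(&c, 4);
    post_recv(&c, 4);
    grant_credits(&c);        /* peer holds 4, available == 0 */
    recv_done(&c);            /* peer spent one, nothing reposted yet */
    return grant_credits(&c); /* must hand out nothing */
}
int main(void) { return grant_in_window() != 0; }
```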
Details
- CWE(s)