Cyber Resilience

CVE-2026-31538

High

Published: 24 April 2026

Modified: 28 April 2026
KEV Added:
Patch:
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0005 (17.3th percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-31538 is a high-severity vulnerability of unspecified weakness type in the Linux kernel. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks at the 17.3th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-5 (Denial-of-service Protection).

Deeper analysis

CVE-2026-31538 is a race condition vulnerability in the Linux kernel's SMB server component, specifically within the smbdirect_socket handling of recv_io credits. The flawed logic counts posted recv_io operations and granted credits, creating a race where a peer may consume a credit before the hardware processes the incoming recv and the recv_done function completes. This window allows the kernel to grant credits that do not actually exist, as reported in a regression introduced in the 6.18 kernel release.

Per the CVSS v3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, base score 7.5), a remote network attacker needs no privileges and no user interaction, attack complexity is low, and scope is unchanged. Successful exploitation leads to a high-impact denial of service, potentially disrupting SMB server availability through improper credit management.

Mitigation involves applying the upstream kernel patches from the referenced stable commits: 26ad87a2cfb8c1384620d1693a166ed87303046e, 66c082e3d4651e8629a393a9e182b01eb50fb0a3, and 809cbd31aa4f87a1b889532244c9cf30eb022385. These commits introduce a dedicated counter for available credits, incremented when posting new recv buffers and decremented when granting credits to peers, resolving the race condition.
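
The counter discipline described above, as a simplified user-space model in C. This is an added example, not the kernel patch or code from this page; the struct, the function names and the four-buffer scenario are assumptions made for illustration.

```c
#include <stdatomic.h>
/* Simplified user-space model; all names are hypothetical, not kernel code. */
struct credit_model {
    atomic_int available; /* posted recv buffers not yet granted as credits */
    int hw_buffers;       /* recv buffers currently posted to the hardware */
    int peer_credits;     /* credits the peer currently holds */
};

static void post_recv(struct credit_model *m)
{
    m->hw_buffers++;
    atomic_fetch_add(&m->available, 1); /* the only source of new credits */
}

/* Drain the counter in one atomic step; returns the credits granted. */
static int grant_credits(struct credit_model *m)
{
    int n = atomic_exchange(&m->available, 0);
    m->peer_credits += n;
    return n;
}

/* Peer spends a credit: hardware fills a buffer, completion still pending. */
static void peer_sends(struct credit_model *m)
{
    m->peer_credits--;
    m->hw_buffers--;
}

/* Returns 1 if peer credits never exceeded posted buffers at the checks. */
static int run_scenario(struct credit_model *m, int *granted_in_window)
{
    int ok = 1;
    for (int i = 0; i < 4; i++) post_recv(m);
    grant_credits(m);                      /* peer now holds 4 credits */
    peer_sends(m);                         /* window: recv_done has not run */
    *granted_in_window = grant_credits(m); /* nothing new was posted */
    ok &= (m->peer_credits <= m->hw_buffers);
    post_recv(m);                          /* completion handler reposts */
    grant_credits(m);
    ok &= (m->peer_credits <= m->hw_buffers);
    return ok;
}

int main(void)
{
    struct credit_model m = {0};
    int in_window = 0;
    return run_scenario(&m, &in_window) ? 0 : 1;
}
```

A grant attempted inside the window returns zero because credits only come into existence when a buffer is posted, so the peer can never hold more credits than there are buffers behind them.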

EU & UK References

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved:

smb: server: make use of smbdirect_socket.recv_io.credits.available

The logic of managing recv credits by counting posted recv_io and granted credits is racy. That's because the peer might have already consumed a credit, but between receiving the incoming recv at the hardware and processing the completion in the 'recv_done' functions we likely have a window where we grant credits, which don't really exist. So we better have a dedicated counter for the available credits, which will be incremented when we posted new recv buffers and drained when we grant the credits to the peer. This fixes regression Namjae reported with the 6.18 release.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1499.004 · Application or System Exploitation · Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

A race condition in the exposed SMBDirect/SMB server component allows unauthenticated remote exploitation that triggers DoS through improper credit handling, which maps directly to T1499.004 (Application or System Exploitation) for endpoint availability impact.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-23388 · Same product: Linux Linux Kernel
CVE-2026-23242 · Same product: Linux Linux Kernel
CVE-2026-22991 · Same product: Linux Linux Kernel
CVE-2025-21717 · Same product: Linux Linux Kernel
CVE-2026-23459 · Same product: Linux Linux Kernel
CVE-2026-31640 · Same product: Linux Linux Kernel
CVE-2026-31739 · Same product: Linux Linux Kernel
CVE-2024-56772 · Same product: Linux Linux Kernel
CVE-2026-23095 · Same product: Linux Linux Kernel
CVE-2026-31417 · Same product: Linux Linux Kernel

Affected Assets

linux
linux kernel
6.18 — 6.18.11 · 6.19 — 6.19.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires timely remediation of the specific race condition vulnerability through application of the upstream Linux kernel patches that introduce a dedicated counter for available SMB recv credits.

prevent · detect

Protects against denial-of-service exploitation of the SMB server credit management race by implementing controls to identify, limit, and report resource exhaustion attacks.

prevent

Ensures availability of critical system resources such as receive buffers against depletion caused by the race condition granting non-existent SMB credits.

References