CVE-2026-31539
Published: 24 April 2026
Summary
CVE-2026-31539 is a high-severity vulnerability in the Linux kernel; its weakness type is unspecified. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks at the 15.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-7 (Least Functionality).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) (AI)
Mandates timely identification, reporting, and correction of flaws like this SMB Direct kernel race condition through patching.
Implements protections against denial-of-service attacks, mitigating the availability impact from credit mismanagement exploitation.
Enforces least functionality to prohibit or restrict nonessential SMB Direct capabilities, eliminating exposure to the race condition.
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
Race condition in SMB Direct service allows remote unauthenticated exploitation causing high-impact DoS via credit mismanagement, directly enabling Application or System Exploitation for Endpoint Denial of Service.
NVD Description
In the Linux kernel, the following vulnerability has been resolved: smb: smbdirect: introduce smbdirect_socket.recv_io.credits.available The logic of managing recv credits by counting posted recv_io and granted credits is racy. That's because the peer might have already consumed a credit, but between receiving the incoming recv at the hardware and processing the completion in the 'recv_done' functions we likely have a window where we grant credits, which don't really exist. So we better have a dedicated counter for the available credits, which will be incremented when we posted new recv buffers and drained when we grant the credits to the peer.
Deeper analysis (AI)
CVE-2026-31539 is a race condition vulnerability in the Linux kernel's SMB Direct (smbdirect) implementation within the smb module. The issue arises from flawed logic in managing receive credits, where credits are tracked by counting posted recv_io operations and granted credits. This creates a race window: a peer may consume a credit before the hardware processes an incoming receive and the recv_done function handles the completion, leading to the erroneous granting of non-existent credits.
Remote, unauthenticated attackers can exploit this vulnerability over the network with low complexity and no user interaction, as indicated by its CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). Successful exploitation results in high-impact denial of service, potentially by mismanaging credit allocation and disrupting SMB Direct communications.
Mitigation involves applying the relevant Linux kernel patches, as detailed in the upstream stable commits: 6e3c5052f9686192e178806e017b7377155f4bab, e811e60e1cc79923c4388146eb1fa26a7482731e, and f99996870222b598914a1f49d7375dc23752c237. These introduce a dedicated counter for available credits in smbdirect_socket.recv_io, which increments when new receive buffers are posted and decrements when credits are granted to the peer, resolving the race condition.
Details
- CWE(s)