CVE-2026-31608
Published: 24 April 2026
Summary
CVE-2026-31608 is a critical-severity Double Free (CWE-415) vulnerability in the Linux kernel. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 17.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Requires timely installation of Linux kernel patches that fix the double-free in smb_direct_free_sendmsg(), directly preventing exploitation of CVE-2026-31608.
Vulnerability scanning identifies Linux systems running kernel versions affected by the SMB server double-free vulnerability, enabling remediation.
Memory protection controls such as ASLR and DEP mitigate potential exploitation of the double-free for arbitrary code execution or corruption.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The double-free in the Linux kernel SMB server (ksmbd) is remotely exploitable over the network with no authentication, directly enabling RCE via public-facing application exploitation (T1190) or remote service exploitation for initial access or lateral movement (T1210).
NVD Description
In the Linux kernel, the following vulnerability has been resolved: smb: server: avoid double-free in smb_direct_free_sendmsg after smb_direct_flush_send_list() smb_direct_flush_send_list() already calls smb_direct_free_sendmsg(), so we should not call it again after post_sendmsg() moved it to the batch list.
Deeper analysis
CVE-2026-31608 is a double-free vulnerability (CWE-415) in the Linux kernel's SMB server component. The issue occurs because smb_direct_flush_send_list() already invokes smb_direct_free_sendmsg(), but the code erroneously calls it again after post_sendmsg() has moved the message to the batch list, leading to a double-free condition. This affects Linux kernel versions prior to the application of the relevant stable patches.
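The ownership mistake described above, as an added userspace model that is not kernel code and not taken from the patch. All function and struct names are hypothetical stand-ins, the "free" is a counter so the second release can be observed safely, and the model assumes the flush reports an error so that the caller's cleanup path runs.

```c
/* Userspace model of the ownership bug; hypothetical names, not kernel code. */
#include <stdio.h>
#include <stdlib.h>

struct sendmsg { struct sendmsg *next; int frees; };  /* frees: release count */
struct send_ctx { struct sendmsg *batch; };

/* Stand-in for smb_direct_free_sendmsg(): counts instead of calling free(),
 * so a second release is observable rather than undefined behaviour. */
static void free_sendmsg(struct sendmsg *m) { m->frees++; }

/* Stand-in for post_sendmsg(): links the message into the batch list.
 * From this point the list owns the message. */
static void post_sendmsg(struct send_ctx *c, struct sendmsg *m)
{
    m->next = c->batch;
    c->batch = m;
}

/* Stand-in for smb_direct_flush_send_list(); assumption: it reports failure. */
static int flush_send_list(struct send_ctx *c)
{
    while (c->batch) {
        struct sendmsg *m = c->batch;
        c->batch = m->next;
        free_sendmsg(m);          /* the flush releases every batched message */
    }
    return -1;
}

/* Returns how often the message was released; more than 1 is a double free. */
int send_one(int patched)
{
    struct send_ctx ctx = { NULL };
    struct sendmsg *m = calloc(1, sizeof(*m));
    int frees;
    if (!m) return -1;
    post_sendmsg(&ctx, m);
    if (flush_send_list(&ctx) < 0 && !patched)
        free_sendmsg(m);          /* pre-fix error path: second release */
    frees = m->frees;
    free(m);                      /* real release of the model object */
    return frees;
}

int main(void)
{
    printf("unpatched: %d release(s), patched: %d release(s)\n", send_one(0), send_one(1));
    return 0;
}
```

The patched path leaves the release to the flush because the batch list took ownership of the message in the post step.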
A remote attacker with network access can exploit this vulnerability without privileges or user interaction, as indicated by its CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Successful exploitation could result in high-impact confidentiality, integrity, and availability violations, potentially enabling memory corruption, arbitrary code execution, or system crashes on affected SMB servers.
Mitigation is available through upstream Linux kernel patches in stable branches, as documented in the following commit references: https://git.kernel.org/stable/c/2ba03f46132b0d1a7bafb86e1ef61951a2254023, https://git.kernel.org/stable/c/6968c91fab05b8fc4d6700e0cf34472bb422df25, https://git.kernel.org/stable/c/830de6eeb9db4cb7e758201fb99328ef4ca4b032, and https://git.kernel.org/stable/c/84ff995ae826aa6bbcc6c7b9ea569ff67c021d72. Security practitioners should update to kernels incorporating these fixes and monitor for SMB server exposure on public networks.
Details
- CWE(s)