Cyber Resilience

CVE-2026-31608

Critical

Published: 24 April 2026

Published
24 April 2026
Modified
29 April 2026
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0046 36.5th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-31608 is a critical-severity Double Free (CWE-415) vulnerability in Linux Linux Kernel. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 36.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Deeper analysis

CVE-2026-31608 is a double-free vulnerability (CWE-415) in the Linux kernel's SMB server component. The issue occurs because smb_direct_flush_send_list() already invokes smb_direct_free_sendmsg(), but the code erroneously calls it again after moving post_sendmsg() to the batch list, leading to a double-free condition. This affects Linux kernel versions prior to the application of the relevant stable patches.

A remote attacker with network access can exploit this vulnerability without privileges or user interaction, as indicated by its CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Successful exploitation could result in high-impact confidentiality, integrity, and availability violations, potentially enabling memory corruption, arbitrary code execution, or system crashes on affected SMB servers.

Mitigation is available through upstream Linux kernel patches in stable branches, as documented in the following commit references: https://git.kernel.org/stable/c/2ba03f46132b0d1a7bafb86e1ef61951a2254023, https://git.kernel.org/stable/c/6968c91fab05b8fc4d6700e0cf34472bb422df25, https://git.kernel.org/stable/c/830de6eeb9db4cb7e758201fb99328ef4ca4b032, and https://git.kernel.org/stable/c/84ff995ae826aa6bbcc6c7b9ea569ff67c021d72. Security practitioners should update to kernels incorporating these fixes and monitor for SMB server exposure on public networks.

EU & UK References

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved: smb: server: avoid double-free in smb_direct_free_sendmsg after smb_direct_flush_send_list() smb_direct_flush_send_list() already calls smb_direct_free_sendmsg(), so we should not call it again after post_sendmsg() moved it to the batch list.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1210 Exploitation of Remote Services Lateral Movement
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Why these techniques?

Double-free in Linux kernel SMB server (ksmbd) is remotely exploitable over the network with no auth, directly enabling RCE via public-facing application exploitation (T1190) or remote service exploitation for initial access/lateral movement (T1210).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-31609Same product: Linux Linux Kernel
CVE-2026-43011Same product: Linux Linux Kernel
CVE-2026-23098Same product: Linux Linux Kernel
CVE-2026-23387Same product: Linux Linux Kernel
CVE-2022-49410Same product: Linux Linux Kernel
CVE-2026-31471Same product: Linux Linux Kernel
CVE-2026-31536Same product: Linux Linux Kernel
CVE-2025-71238Same product: Linux Linux Kernel
CVE-2022-49455Same product: Linux Linux Kernel
CVE-2026-23450Same product: Linux Linux Kernel

Affected Assets

linux
linux kernel
≤ 6.18.24 · 6.19 — 6.19.14 · 7.0 — 7.0.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires timely installation of Linux kernel patches that fix the double-free in smb_direct_free_sendmsg(), directly preventing exploitation of CVE-2026-31608.

detect

Vulnerability scanning identifies Linux systems running kernel versions affected by the SMB server double-free vulnerability, enabling remediation.

prevent

Memory protection controls such as ASLR and DEP mitigate potential exploitation of the double-free for arbitrary code execution or corruption.

References