CVE-2026-31609
Published: 24 April 2026
Summary
CVE-2026-31609 is a critical-severity Double Free (CWE-415) vulnerability in Linux Linux Kernel. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 17.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-7 (Least Functionality).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly remediates the double-free vulnerability in the Linux kernel SMB client by requiring timely identification, testing, and installation of vendor patches.
Implements kernel memory protections such as address space layout randomization and guard pages that mitigate exploitation of double-free memory corruption.
Restricts kernel functionality by disabling the SMB client when unnecessary, thereby removing the attack surface exposed by this vulnerability.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Double-free memory corruption in kernel SMB implementation (despite 'client' wording, functions/attack vector indicate server) directly enables remote unauthenticated RCE via crafted network SMB traffic, mapping to public-facing app exploitation (T1190), remote service exploitation (T1210), and client-side execution if connection initiated outbound (T1203).
NVD Description
In the Linux kernel, the following vulnerability has been resolved: smb: client: avoid double-free in smbd_free_send_io() after smbd_send_batch_flush() smbd_send_batch_flush() already calls smbd_free_send_io(), so we should not call it again after smbd_post_send() moved it to the batch list.
Deeper analysisAI
CVE-2026-31609 is a double-free vulnerability (CWE-415) in the Linux kernel's SMB client implementation. The issue arises because smbd_send_batch_flush() already invokes smbd_free_send_io(), but the function is called again after smbd_post_send() relocates the structure to the batch list, potentially leading to memory corruption. It affects Linux kernel versions prior to the application of the relevant stable patches and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Remote attackers with network access can exploit this vulnerability without authentication, privileges, or user interaction due to its low attack complexity and unchanged scope. Successful exploitation could result in high-impact confidentiality, integrity, and availability violations, such as arbitrary code execution, denial of service, or data tampering via crafted SMB traffic to a vulnerable kernel's SMB client.
Mitigation involves updating to Linux kernel versions incorporating the upstream fixes, as detailed in the following stable branch commit references: https://git.kernel.org/stable/c/22b7c1c619d808aec4cad3dc42103345e370d107, https://git.kernel.org/stable/c/27b7c3e916218b5eb2ee350211140e961bfc49be, https://git.kernel.org/stable/c/a9940dcbe5cb92482c04efc7341039ddf7dbf607, and https://git.kernel.org/stable/c/f9a162c2bbcd0ac85bd07c5b37cf20286048b65c.
Details
- CWE(s)