CVE-2026-31711
Published: 01 May 2026
Summary
CVE-2026-31711 is a high-severity Missing Release of Memory after Effective Lifetime (CWE-401) vulnerability in the Linux kernel's ksmbd SMB server. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); the CVE ranks in the top 48.7% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability); applying the kernel fix remains the primary remediation, since the leaked counter is only reset by a module reload.
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Patch deployment: requires timely patching of the counter leak on the alloc_transport() failure path of ksmbd_tcp_new_connection(), which otherwise lets an attacker exhaust the max_connections pool.
- SC-5: implements denial-of-service protections to limit the effect of attacks that exhaust connection slots through repeated alloc_transport() failures on port 445.
- SC-6: protects availability of critical resources such as the max_connections pool from permanent depletion caused by active_num_conn slots leaked on allocation failure.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A remote, unauthenticated denial of service via resource exhaustion in the public-facing ksmbd SMB service (port 445) directly matches Exploit Public-Facing Application (T1190) with an availability impact, as well as the application/system exploitation sub-technique of endpoint denial of service.
NVD Description
In the Linux kernel, the following vulnerability has been resolved: smb: server: fix active_num_conn leak on transport allocation failure

Commit 77ffbcac4e56 ("smb: server: fix leak of active_num_conn in ksmbd_tcp_new_connection()") addressed the kthread_run() failure path. The earlier alloc_transport() == NULL path in the same function has the same leak, is reachable pre-authentication via any TCP connect to port 445, and was empirically reproduced on UML (ARCH=um, v7.0-rc7): a small number of forced allocation failures were sufficient to put ksmbd into a state where every subsequent connection attempt was rejected for the remainder of the boot.

ksmbd_kthread_fn() increments active_num_conn before calling ksmbd_tcp_new_connection() and discards the return value, so when alloc_transport() returns NULL the socket is released and -ENOMEM returned without decrementing the counter. Each such failure permanently consumes one slot from the max_connections pool; once cumulative failures reach the cap, atomic_inc_return() hits the threshold on every subsequent accept and every new connection is rejected. The counter is only reset by module reload.

An unauthenticated remote attacker can drive the server toward the memory pressure that makes alloc_transport() fail by holding open connections with large RFC1002 lengths up to MAX_STREAM_PROT_LEN (0x00FFFFFF); natural transient allocation failures on a loaded host produce the same drift more slowly.

Mirror the existing rollback pattern in ksmbd_kthread_fn(): on the alloc_transport() failure path, decrement active_num_conn gated on server_conf.max_connections.

Repro details: with the patch reverted, forced alloc_transport() NULL returns leaked counter slots and subsequent connection attempts -- including legitimate connects issued after the forced-fail window had closed -- were all rejected with "Limit the maximum number of connections". With this patch applied, the same connect sequence produces no rejections and the counter cycles cleanly between zero and one on every accept.
Deeper analysis
CVE-2026-31711 is a denial-of-service vulnerability in the Linux kernel's ksmbd SMB server. It stems from a counter leak on the connection-accept path: ksmbd_kthread_fn() increments active_num_conn before calling ksmbd_tcp_new_connection() and discards that function's return value, so when alloc_transport() returns NULL inside ksmbd_tcp_new_connection() the socket is released and -ENOMEM returned without the counter ever being decremented. The failure path is reachable pre-authentication by any TCP connection to port 445 and was empirically reproduced on UML (User Mode Linux, ARCH=um) with kernel v7.0-rc7, where a handful of forced allocation failures permanently consumed slots from the max_connections pool.
An unauthenticated remote attacker can drive the server toward the memory pressure that makes alloc_transport() fail, for example by holding open connections that announce large RFC1002 lengths up to MAX_STREAM_PROT_LEN (0x00FFFFFF); natural transient allocation failures on a loaded host produce the same drift more slowly. Each failure leaks one slot. Once cumulative failures reach the cap, atomic_inc_return() hits the threshold on every subsequent accept and every new connection is rejected with "Limit the maximum number of connections", leaving the server unavailable until the ksmbd module is reloaded. The CVSS v3.1 score is 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H): network-reachable, no privileges or user interaction required, availability impact only.
The fix, available in the Linux kernel stable repositories (commits 283027aa9338, 295a9fc6789d, 6551300dc452, 97f8d2648ef4, fb48185bcd94), mirrors the existing rollback pattern in ksmbd_kthread_fn(): on the alloc_transport() failure path it decrements active_num_conn, gated on server_conf.max_connections, just as the earlier commit 77ffbcac4e56 did for the kthread_run() failure path. Reproduction with the fix reverted showed every connection attempt rejected after the forced-failure window, including legitimate connects issued later; with the fix applied the same sequence produced no rejections and the counter cycled cleanly between zero and one on every accept. Operationally, a ksmbd host that logs "Limit the maximum number of connections" while far fewer than max_connections sessions are actually open is showing the signature of this leak; reloading the module clears the counter, but only the patch removes the condition.
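To make the counter-rollback logic concrete, the following is an added user-space model written for this page; it is not code from the kernel or the ksmbd project. It reproduces the accept-loop bookkeeping described above with simplified stand-ins: the names active_num_conn, max_connections, alloc_transport(), ksmbd_kthread_fn() and ksmbd_tcp_new_connection() echo the advisory, but socket handling is omitted, allocation failures are injected through a flag rather than real memory pressure, and both the ">=" limit comparison and the exact placement of the rollback are modelling assumptions. The fixed flag switches between the leaking and the patched behaviour, and simulate() drives a burst of forced failures followed by ordinary connects so the permanent slot loss is visible.

```c
/*
 * User-space model of the ksmbd active_num_conn leak (CVE-2026-31711).
 * Added illustration for this page, not kernel code. Names echo the advisory;
 * socket handling is omitted, alloc failures are injected via a flag, and the
 * ">=" limit check and the rollback placement are modelling assumptions.
 */
#include <errno.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

struct ksmbd_transport { int unused; };

static struct { int max_connections; } server_conf = { .max_connections = 4 };
static atomic_int active_num_conn;  /* slots currently counted as in use */
static bool force_alloc_fail;       /* stand-in for memory pressure */

/* Stand-in for alloc_transport(): NULL models the allocation failure. */
static struct ksmbd_transport *alloc_transport(void)
{
	static struct ksmbd_transport t;
	return force_alloc_fail ? NULL : &t;
}

/*
 * Stand-in for ksmbd_tcp_new_connection(). The vulnerable failure path
 * releases the socket and returns -ENOMEM without touching the counter;
 * with 'fixed' it rolls the counter back, gated on max_connections.
 */
static int ksmbd_tcp_new_connection(bool fixed)
{
	struct ksmbd_transport *t = alloc_transport();

	if (!t) {
		/* sock_release(client_sk) would happen here */
		if (fixed && server_conf.max_connections)
			atomic_fetch_sub(&active_num_conn, 1);
		return -ENOMEM;
	}
	/* real code starts a handler thread here; the model returns at once */
	return 0;
}

/*
 * One accept() iteration of ksmbd_kthread_fn(): increment first, compare
 * against the cap (rolling back on rejection), then hand off to
 * ksmbd_tcp_new_connection() and discard its return value, as the kernel does.
 * Returns true when accepted; *limited is set when refused by the cap.
 */
static bool kthread_accept_once(bool fixed, bool *limited)
{
	*limited = false;
	if (server_conf.max_connections &&
	    atomic_fetch_add(&active_num_conn, 1) + 1 >= server_conf.max_connections) {
		/* pr_info_ratelimited("Limit the maximum number of connections") */
		atomic_fetch_sub(&active_num_conn, 1);
		*limited = true;
		return false;
	}
	return ksmbd_tcp_new_connection(fixed) == 0;
}

/*
 * n_fail accepts under forced alloc failure, then n_probe ordinary accepts,
 * each torn down immediately (the handler's decrement on connection close).
 * Returns how many probes were refused by the connection limit.
 */
static int simulate(bool fixed, int n_fail, int n_probe)
{
	bool limited;
	int rejected = 0;

	atomic_store(&active_num_conn, 0);
	force_alloc_fail = true;
	for (int i = 0; i < n_fail; i++)
		kthread_accept_once(fixed, &limited);

	force_alloc_fail = false;
	for (int i = 0; i < n_probe; i++) {
		if (kthread_accept_once(fixed, &limited)) {
			if (server_conf.max_connections)
				atomic_fetch_sub(&active_num_conn, 1); /* closed */
		} else if (limited) {
			rejected++;
		}
	}
	return rejected;
}

/* Slots still counted as in use after simulate(): the leak, if any. */
static int leaked_slots(void)
{
	return atomic_load(&active_num_conn);
}

int main(void)
{
	int r = simulate(false, 3, 5);
	printf("vulnerable: 3 forced failures -> %d/5 later connects rejected, %d slots leaked\n",
	       r, leaked_slots());
	r = simulate(true, 3, 5);
	printf("fixed:      3 forced failures -> %d/5 later connects rejected, %d slots leaked\n",
	       r, leaked_slots());
	return 0;
}
```

With max_connections set to 4 the cap effectively allows three live connections, so three forced failures in the vulnerable variant saturate the pool and every later connect is refused, matching the "rejected for the remainder of the boot" behaviour in the advisory; two forced failures produce no visible outage yet leave two slots permanently gone, which is the slow drift a loaded host suffers from natural transient failures. The fixed variant leaves the counter at zero after the same sequence.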
Details
- CWE(s)