CVE-2026-31717
Published: 01 May 2026
Summary
CVE-2026-31717 is a high-severity vulnerability in the Linux kernel; the weakness type (CWE) is unspecified. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 13.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-11 (Re-authentication).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Enforces approved authorizations by verifying the reconnecting user's SecurityContext matches the original durable handle owner's UID, GID, and account name, preventing hijacking.
Requires validation of the SecurityContext and persistent ID in SMB2 durable handle reconnect requests to ensure only the original opener can access the handle.
Mandates re-authentication of user identity upon durable handle reconnect to confirm matching SecurityContext per MS-SMB2 specifications.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE allows an authenticated, low-privileged network user to exploit the ksmbd SMB service and hijack durable handles for unauthorized file access, which maps directly to exploitation for privilege escalation and exploitation of a remote service.
NVD Description
In the Linux kernel, the following vulnerability has been resolved: ksmbd: validate owner of durable handle on reconnect. Currently, ksmbd does not verify if the user attempting to reconnect to a durable handle is the same user who originally opened the file. This allows any authenticated user to hijack an orphaned durable handle by predicting or brute-forcing the persistent ID. According to MS-SMB2, the server MUST verify that the SecurityContext of the reconnect request matches the SecurityContext associated with the existing open. Add a durable_owner structure to ksmbd_file to store the original opener's UID, GID, and account name, capture the owner information when a file handle becomes orphaned, and implement ksmbd_vfs_compare_durable_owner() to validate the identity of the requester during SMB2_CREATE (DHnC).
Deeper analysis
CVE-2026-31717 is a vulnerability in the Linux kernel's ksmbd component, the in-kernel SMB2/3 file server (a separate implementation from the userspace Samba server). The issue arises because ksmbd does not verify that the user attempting to reconnect to a durable file handle is the same user who originally opened it. This violates MS-SMB2, which requires the server to match the SecurityContext of the reconnect request against the SecurityContext of the existing open. As a result, an orphaned durable handle (one whose opening session has gone away) can be hijacked by any other authenticated user who presents its persistent ID, whether predicted or brute-forced.
An attacker with low privileges, i.e. any user who can authenticate to the ksmbd server over the network, can exploit this remotely with low attack complexity and no user interaction (CVSS 8.8: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). Successful exploitation hands the attacker the hijacked handle, so they can read, modify, or otherwise operate on the file as if they were the original opener, with high impact on confidentiality, integrity, and availability. Two preconditions follow from the description: the attacker needs valid credentials on the server (PR:L), and the target durable handle must already be orphaned.
The patch references from kernel.org describe the fix: a durable_owner structure is added to ksmbd_file to store the original opener's UID, GID, and account name; that information is captured when a file handle becomes orphaned; and a new function, ksmbd_vfs_compare_durable_owner(), validates the requester's identity during an SMB2_CREATE carrying a durable handle reconnect (DHnC) context, so the SecurityContext is matched as MS-SMB2 requires.
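To make the missing check concrete, the following is an added, self-contained C model of the reconnect path. It is not ksmbd's code: the structures, function names, the open-file table, the persistent ID 0x2a and the users alice and bob are all constructed for this example. It keeps the pre-fix lookup (persistent ID only) beside a hardened version that mirrors the UID/GID/account-name comparison the patch describes, and then runs a second authenticated user through a small persistent-ID space with DHnC reconnects, which is the brute-force scenario the description gives.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the MS-SMB2 SecurityContext ksmbd derives from an
 * authenticated session: the mapped Unix uid/gid plus the account name. */
struct sec_ctx {
    uint32_t uid, gid;
    char account[32];
};

/* Constructed model of a ksmbd_file holding a durable handle. durable_owner
 * stands in for the structure the fix adds and is filled in when the handle
 * becomes orphaned, i.e. when the opening session disconnects. */
struct durable_file {
    uint64_t persistent_id;        /* what a DHnC reconnect presents */
    int orphaned;                  /* 1 once the opening session dropped */
    struct sec_ctx durable_owner;  /* identity of the original opener */
};

static struct durable_file g_table[4];   /* the server's open-file table */
static size_t g_count;

/* Two authenticated users of the same share (constructed identities). */
static const struct sec_ctx ALICE = { 1000, 1000, "alice" };
static const struct sec_ctx BOB   = { 1001, 1001, "bob" };

/* The opening session goes away: capture the owner, as the fix does. */
static void orphan_handle(struct durable_file *f, const struct sec_ctx *owner)
{
    f->durable_owner = *owner;
    f->orphaned = 1;
}

static struct durable_file *lookup_by_persistent_id(uint64_t pid)
{
    for (size_t i = 0; i < g_count; i++)
        if (g_table[i].persistent_id == pid)
            return &g_table[i];
    return NULL;
}

/* Intent of the fix's ksmbd_vfs_compare_durable_owner(): the reconnecting
 * SecurityContext must match uid, gid and account name. */
static int compare_durable_owner(const struct durable_file *f, const struct sec_ctx *req)
{
    return f->durable_owner.uid == req->uid && f->durable_owner.gid == req->gid &&
           strcmp(f->durable_owner.account, req->account) == 0;
}

/* Pre-fix: whoever presents a valid persistent ID gets the handle. */
static struct durable_file *reconnect_vulnerable(uint64_t pid, const struct sec_ctx *req)
{
    (void)req;   /* requester identity is never consulted */
    struct durable_file *f = lookup_by_persistent_id(pid);
    if (!f || !f->orphaned)
        return NULL;
    f->orphaned = 0;
    return f;
}

/* Post-fix: same lookup, then the owner check before handing the file over. */
static struct durable_file *reconnect_hardened(uint64_t pid, const struct sec_ctx *req)
{
    struct durable_file *f = lookup_by_persistent_id(pid);
    if (!f || !f->orphaned || !compare_durable_owner(f, req))
        return NULL;   /* a real server would answer STATUS_ACCESS_DENIED */
    f->orphaned = 0;
    return f;
}

/* Scenario from the advisory: ALICE opened a file with a durable handle and her
 * session dropped; `requester` then walks a small persistent-ID space with DHnC
 * reconnects without knowing the real ID (0x2a, a constructed value). Returns
 * how many handles the requester obtained. */
static int hijack_count(int hardened, const struct sec_ctx *requester)
{
    struct durable_file *(*reconnect)(uint64_t, const struct sec_ctx *) =
        hardened ? reconnect_hardened : reconnect_vulnerable;
    int got = 0;

    g_table[0] = (struct durable_file){ .persistent_id = 0x2a };
    g_count = 1;
    orphan_handle(&g_table[0], &ALICE);
    for (uint64_t pid = 0; pid <= 0x100; pid++)
        if (reconnect(pid, requester))
            got++;
    return got;
}

int main(void)
{
    printf("pre-fix,  bob reconnecting:   %d handle(s)\n", hijack_count(0, &BOB));   /* 1 */
    printf("post-fix, bob reconnecting:   %d handle(s)\n", hijack_count(1, &BOB));   /* 0 */
    printf("post-fix, alice reconnecting: %d handle(s)\n", hijack_count(1, &ALICE)); /* 1 */
    return 0;
}
```

The point the model makes is that the persistent ID is a lookup key, not a credential: once a handle is orphaned, the pre-fix path gives it to any session that enumerates the right value, while the hardened path still lets the original opener reconnect and refuses everyone else. Comparing all three of UID, GID and account name, rather than UID alone, matches what the patch stores in durable_owner.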
Details
- CWE(s)