Cyber Resilience

CVE-2026-31717

HighUpdated

Published: 01 May 2026

Published
01 May 2026
Modified
01 June 2026
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0044 35.1th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-31717 is a high-severity an unspecified weakness vulnerability in Linux Linux Kernel. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 35.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-11 (Re-authentication).

Deeper analysis

CVE-2026-31717 is a vulnerability in the Linux kernel's ksmbd component, the in-kernel Samba server implementation for SMB2/3 protocol support. The issue arises because ksmbd fails to verify whether the user attempting to reconnect to a durable file handle is the same as the original opener. This violates MS-SMB2 specifications, which require the server to match the SecurityContext of the reconnect request against the existing open's context. As a result, orphaned durable handles can be hijacked by predicting or brute-forcing the persistent ID.

An attacker with low privileges, such as any authenticated user on the network, can exploit this remotely with low complexity and no user interaction required. Successful exploitation allows hijacking of the durable handle, granting high-impact unauthorized access to confidentiality, integrity, and availability (CVSS 8.8: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). This enables the attacker to impersonate the original file opener and perform operations on the file as if they were the legitimate owner.

The provided patch references from kernel.org detail the mitigation, which introduces a durable_owner structure in ksmbd_file to store the original opener's UID, GID, and account name. Owner information is captured when a file handle becomes orphaned, and a new function, ksmbd_vfs_compare_durable_owner(), validates the requester's identity during SMB2_CREATE with durable handle reconnect (DHnC), ensuring SecurityContext matching per MS-SMB2.

EU & UK References

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved: ksmbd: validate owner of durable handle on reconnect Currently, ksmbd does not verify if the user attempting to reconnect to a durable handle is the same user who originally opened…

more

the file. This allows any authenticated user to hijack an orphaned durable handle by predicting or brute-forcing the persistent ID. According to MS-SMB2, the server MUST verify that the SecurityContext of the reconnect request matches the SecurityContext associated with the existing open. Add a durable_owner structure to ksmbd_file to store the original opener's UID, GID, and account name. and catpure the owner information when a file handle becomes orphaned. and implementing ksmbd_vfs_compare_durable_owner() to validate the identity of the requester during SMB2_CREATE (DHnC).

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1210 Exploitation of Remote Services Lateral Movement
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Why these techniques?

CVE enables remote exploitation of ksmbd SMB service (authenticated low-priv user) to hijack durable handles for unauthorized file access, directly mapping to exploitation for privilege escalation and remote service exploitation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-43011Same product: Linux Linux Kernel
CVE-2026-23461Same product: Linux Linux Kernel
CVE-2026-23193Same product: Linux Linux Kernel
CVE-2026-31432Same product: Linux Linux Kernel
CVE-2026-31402Same product: Linux Linux Kernel
CVE-2026-23098Same product: Linux Linux Kernel
CVE-2026-31629Same product: Linux Linux Kernel
CVE-2026-31712Same product: Linux Linux Kernel
CVE-2026-31408Same product: Linux Linux Kernel
CVE-2026-31409Same product: Linux Linux Kernel

Affected Assets

linux
linux kernel
7.1 · 6.6.32 — 6.7 · 6.9 — 6.18.25 · 6.19 — 7.0.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Enforces approved authorizations by verifying the reconnecting user's SecurityContext matches the original durable handle owner's UID, GID, and account name, preventing hijacking.

prevent

Requires validation of the SecurityContext and persistent ID in SMB2 durable handle reconnect requests to ensure only the original opener can access the handle.

prevent

Mandates re-authentication of user identity upon durable handle reconnect to confirm matching SecurityContext per MS-SMB2 specifications.

References