CVE-2026-31718
Published: 01 May 2026
Summary
CVE-2026-31718 is a critical-severity Use After Free (CWE-416) vulnerability in the Linux kernel's ksmbd in-kernel SMB server. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 17.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-2 (Flaw Remediation): directly mandates timely identification, reporting and correction of flaws such as this ksmbd use-after-free, here by applying the available kernel patches.
CM-7 (Least Functionality): minimizes attack surface by restricting the kernel to the capabilities a host actually needs, for example by not building or loading the ksmbd SMB server module on hosts that do not serve SMB from the kernel.
SI-16 (Memory Protection): kernel address-space randomization and execution protections raise the cost of turning the dangling-lock use-after-free into code execution, but they do not stop the crash path, so they are a hardening layer rather than a substitute for the patch.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a remotely reachable use-after-free in the ksmbd SMB service, a kernel module that listens on the network; the described impact is RCE or DoS by a network attacker with no user interaction. That maps directly to T1190: exploitation of an exposed network service as the initial access vector.
NVD Description
In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free in __ksmbd_close_fd() via durable scavenger

When a durable file handle survives session disconnect (TCP close without SMB2_LOGOFF), session_fd_check() sets fp->conn = NULL to preserve the handle for later reconnection. However, it did not clean up the byte-range locks on fp->lock_list. Later, when the durable scavenger thread times out and calls __ksmbd_close_fd(NULL, fp), the lock cleanup loop did:

spin_lock(&fp->conn->llist_lock);

This caused a slab use-after-free because fp->conn was NULL and the original connection object had already been freed by ksmbd_tcp_disconnect(). The root cause is asymmetric cleanup: lock entries (smb_lock->clist) were left dangling on the freed conn->lock_list while fp->conn was nulled out.

To fix this issue properly, we need to handle the lifetime of smb_lock->clist across three paths:
- Safely skip clist deletion when list is empty and fp->conn is NULL.
- Remove the lock from the old connection's lock_list in session_fd_check()
- Re-add the lock to the new connection's lock_list in ksmbd_reopen_durable_fd().
Deeper analysis
CVE-2026-31718 is a use-after-free in ksmbd, the Linux kernel's in-kernel SMB server (a separate implementation from the user-space Samba daemon). The flaw is reached in __ksmbd_close_fd() when it runs from the durable scavenger thread. A durable file handle is meant to survive a session disconnect (TCP close without SMB2_LOGOFF): session_fd_check() sets fp->conn to NULL so the handle can be reclaimed on reconnect, but leaves the byte-range locks on fp->lock_list untouched. Each of those locks is also threaded, through smb_lock->clist, onto the connection's lock_list, and ksmbd_tcp_disconnect() frees that connection object. When the scavenger later times out and calls __ksmbd_close_fd(NULL, fp), the lock cleanup loop takes spin_lock(&fp->conn->llist_lock) through the now-NULL fp->conn and unlinks clist entries that still point into the freed connection; the result is a slab use-after-free instead of a clean close. The asymmetry is the root cause: one side of the lock's double linkage was torn down while the other was left dangling.
The NVD vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (9.8). The trigger sequence follows from the fix description: open a file with a durable handle and hold a byte-range lock on it, close the TCP connection without sending SMB2_LOGOFF, and wait for the durable scavenger to time out. Each step is ordinary SMB2 client behaviour, so low complexity and no user interaction are accurate. Two caveats for practitioners: a durable handle is created by an SMB2 CREATE on an established session and tree connect, so in practice the attacker needs whatever access the share grants (guest access counts), even though the vector scores PR:N; and the outcome that follows directly from the description is a kernel crash of the SMB server (denial of service), while turning the write into freed slab memory into code execution or data corruption would require control over the freed object's reuse, which this page does not document.
The fix is available in the Linux stable trees via commits such as https://git.kernel.org/stable/c/235e32320a470fcd3998fb3774f2290a0eb302a1, https://git.kernel.org/stable/c/3d6682726c2d3a46d31dae88b8166786b09b03ad, https://git.kernel.org/stable/c/b34fc42cfe922e551f7a27d3ac3bb016e41d7dd9, and https://git.kernel.org/stable/c/e33c65f011980b4ad4abfd93585ec2079856368f. It addresses the root cause, asymmetric lock cleanup, on three paths: safely skipping clist deletion when the list is empty and fp->conn is NULL, removing locks from the old connection's lock_list in session_fd_check(), and re-adding them to the new connection's lock_list in ksmbd_reopen_durable_fd(). Remediation is to update to a kernel that contains the fix. Where the in-kernel SMB server is not needed, do not build or load the ksmbd module at all (CM-7); that removes the exposure regardless of patch level. Where it is needed, limit which clients can reach its TCP port until the patched kernel is deployed.
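The asymmetric cleanup and the three fix paths above, modelled in user-space C. This is an illustrative example added to this page, not ksmbd's source: the names ksmbd_conn, ksmbd_file, smb_lock, session_fd_check, ksmbd_reopen_durable_fd and the scavenger close are borrowed from the commit message, but the struct layouts, the list helpers, the scenario functions and the dangling-entry counter are assumptions of this model (real ksmbd takes conn->llist_lock around the clist operations, which the model omits).

```c
/* Added model of the ksmbd durable-handle lock lifecycle. Illustrative code
 * written for this page, not ksmbd's source: names echo the commit message,
 * bodies are simplified stand-ins (no spinlocks, plain malloc/free). */
#include <stdio.h>
#include <stdlib.h>
#include <stddef.h>

struct list_head { struct list_head *next, *prev; };
static void INIT_LIST_HEAD(struct list_head *h) { h->next = h->prev = h; }
static int list_empty(const struct list_head *h) { return h->next == h; }
static void list_add(struct list_head *n, struct list_head *h) {
    n->next = h->next; n->prev = h; h->next->prev = n; h->next = n;
}
/* Unlink and re-initialise so list_empty() on the node reports "unlinked". */
static void list_del_init(struct list_head *n) {
    n->prev->next = n->next; n->next->prev = n->prev; INIT_LIST_HEAD(n);
}
#define container_of(p, type, m) ((type *)((char *)(p) - offsetof(type, m)))

struct ksmbd_conn { struct list_head lock_list; };            /* conn->lock_list */
struct ksmbd_file { struct ksmbd_conn *conn; struct list_head lock_list; };
struct smb_lock  { struct list_head flist;    /* threaded on fp->lock_list   */
                   struct list_head clist; }; /* threaded on conn->lock_list */

static struct ksmbd_conn *conn_alloc(void) {
    struct ksmbd_conn *c = malloc(sizeof *c);
    INIT_LIST_HEAD(&c->lock_list);
    return c;
}
static void fp_init(struct ksmbd_file *fp, struct ksmbd_conn *c) {
    fp->conn = c; INIT_LIST_HEAD(&fp->lock_list);
}
/* A byte-range lock lives on both lists: that double linkage is the hazard. */
static void lock_add(struct ksmbd_file *fp) {
    struct smb_lock *l = malloc(sizeof *l);
    list_add(&l->flist, &fp->lock_list);
    list_add(&l->clist, &fp->conn->lock_list);
}

/* Vulnerable session_fd_check(): keep the durable handle, drop the conn
 * pointer, leave every clist entry threaded through the doomed conn. */
static void session_fd_check_vuln(struct ksmbd_file *fp) { fp->conn = NULL; }

/* Fixed session_fd_check(): unlink each lock from the old conn's lock_list
 * first, so freeing that conn leaves nothing pointing into it. */
static void session_fd_check_fixed(struct ksmbd_file *fp) {
    struct list_head *p;
    for (p = fp->lock_list.next; p != &fp->lock_list; p = p->next)
        list_del_init(&container_of(p, struct smb_lock, flist)->clist);
    fp->conn = NULL;
}

/* Fixed ksmbd_reopen_durable_fd(): re-thread the locks onto the new conn. */
static void reopen_durable_fd_fixed(struct ksmbd_file *fp, struct ksmbd_conn *c) {
    struct list_head *p;
    fp->conn = c;
    for (p = fp->lock_list.next; p != &fp->lock_list; p = p->next)
        list_add(&container_of(p, struct smb_lock, flist)->clist, &c->lock_list);
}

/* Scavenger close, __ksmbd_close_fd(NULL, fp). With the fix, a lock whose
 * clist is already empty is simply freed. The vulnerable flow arrives here
 * with clist still linked into freed memory; this model refuses to follow
 * those pointers and counts them instead of corrupting the heap (model-only
 * instrumentation). Returns the number of dangling entries, 0 once fixed. */
static int close_fd_scavenger(struct ksmbd_file *fp) {
    int dangling = 0;
    struct list_head *p = fp->lock_list.next, *next;
    for (; p != &fp->lock_list; p = next) {
        struct smb_lock *l = container_of(p, struct smb_lock, flist);
        next = p->next;
        if (fp->conn)                    /* close on a live connection      */
            list_del_init(&l->clist);
        else if (!list_empty(&l->clist))
            dangling++;                  /* real kernel: list_del into freed conn */
        list_del_init(&l->flist);
        free(l);
    }
    return dangling;
}

/* TCP close without SMB2_LOGOFF, connection freed, scavenger times out.
 * Returns the dangling clist count seen at close (2 vulnerable, 0 fixed). */
static int disconnect_scenario(int fixed) {
    struct ksmbd_conn *c = conn_alloc();
    struct ksmbd_file fp;
    fp_init(&fp, c);
    lock_add(&fp); lock_add(&fp);
    if (fixed) session_fd_check_fixed(&fp); else session_fd_check_vuln(&fp);
    free(c);                             /* ksmbd_tcp_disconnect() frees conn */
    return close_fd_scavenger(&fp);
}

/* Disconnect, then reconnect on a new connection before the scavenger runs.
 * Returns how many locks were re-threaded onto the new conn's lock_list. */
static int reconnect_scenario(void) {
    struct ksmbd_conn *c1 = conn_alloc(), *c2 = conn_alloc();
    struct ksmbd_file fp; struct list_head *p; int n = 0;
    fp_init(&fp, c1);
    lock_add(&fp); lock_add(&fp); lock_add(&fp);
    session_fd_check_fixed(&fp);
    free(c1);
    reopen_durable_fd_fixed(&fp, c2);
    for (p = c2->lock_list.next; p != &c2->lock_list; p = p->next) n++;
    close_fd_scavenger(&fp);             /* conn live: clist unlinked normally */
    free(c2);
    return n;
}

int main(void) {
    printf("vulnerable flow: %d dangling clist entries at scavenger close\n",
           disconnect_scenario(0));
    printf("fixed flow:      %d dangling clist entries at scavenger close\n",
           disconnect_scenario(1));
    printf("fixed reconnect: %d locks re-added to the new connection\n",
           reconnect_scenario());
    return 0;
}
```

Compile with any C compiler and run. The vulnerable flow reports two clist entries still threaded into the freed connection when the scavenger closes the handle; the fixed flow reports none, because session_fd_check_fixed() emptied the old connection's lock_list before it was freed; the reconnect flow shows the same locks re-added to the new connection so a later close on a live connection unlinks them normally. Under a real kernel the vulnerable flow's list_del() would write prev/next pointers into freed slab memory, which is the use-after-free the advisory describes.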
Details
- CWE(s)