CVE-2026-31718— Linux ksmbd 远程代码执行漏洞
获取后续新漏洞提醒登录后订阅
一、 漏洞 CVE-2026-31718 基础信息
漏洞信息
对漏洞内容有疑问?看看神龙的深度分析是否有帮助!
查看神龙十问 ↗ 尽管我们使用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性,但请您根据实际情况进行核实和判断。
Vulnerability Title
ksmbd: fix use-after-free in __ksmbd_close_fd() via durable scavenger
来源: 美国国家漏洞数据库 NVD
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free in __ksmbd_close_fd() via durable scavenger When a durable file handle survives session disconnect (TCP close without SMB2_LOGOFF), session_fd_check() sets fp->conn = NULL to preserve the handle for later reconnection. However, it did not clean up the byte-range locks on fp->lock_list. Later, when the durable scavenger thread times out and calls __ksmbd_close_fd(NULL, fp), the lock cleanup loop did: spin_lock(&fp->conn->llist_lock); This caused a slab use-after-free because fp->conn was NULL and the original connection object had already been freed by ksmbd_tcp_disconnect(). The root cause is asymmetric cleanup: lock entries (smb_lock->clist) were left dangling on the freed conn->lock_list while fp->conn was nulled out. To fix this issue properly, we need to handle the lifetime of smb_lock->clist across three paths: - Safely skip clist deletion when list is empty and fp->conn is NULL. - Remove the lock from the old connection's lock_list in session_fd_check() - Re-add the lock to the new connection's lock_list in ksmbd_reopen_durable_fd().
来源: 美国国家漏洞数据库 NVD
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
来源: 美国国家漏洞数据库 NVD
Vulnerability Type
N/A
来源: 美国国家漏洞数据库 NVD
受影响产品
二、漏洞 CVE-2026-31718 的公开POC
| # | POC 描述 | 源链接 | 神龙链接 |
|---|
AI 生成 POC高级
未找到公开 POC。
登录以生成 AI POC三、漏洞 CVE-2026-31718 的情报信息
Please 登录 to view more intelligence information
同批安全公告 · Linux · 2026-05-01 · 共 146 条
| CVE-2026-43037 | 9.8 CRITICAL | ip6_tunnel 远程代码执行漏洞 |
| CVE-2026-43038 | 9.8 CRITICAL | IPv6 ICMP ip6_err_gen_icmpv6_unreach() 内存越界漏洞 |
| CVE-2026-43039 | 9.8 CRITICAL | TI ICSSG PRUSS 以太网驱动 ZC RX 调度数据拷贝缺失及回收错误漏洞 |
| CVE-2026-43011 | 9.8 CRITICAL | Linux X.25模块 潜在双重释放漏洞 |
| CVE-2026-31705 | 9.8 CRITICAL | ksmbd smb2_get_ea() EA对齐越界写入漏洞 |
| CVE-2026-43048 | 8.8 HIGH | HID核心模块移除虚假memset导致越界访问漏洞 |
| CVE-2026-31739 | 8.8 HIGH | Tegra 驱动缺少 CRYPTO_ALG_ASYNC 标志漏洞 |
| CVE-2026-31735 | 8.8 HIGH | iommupt: 修复映射中短收集漏洞 |
| CVE-2026-31773 | 8.8 HIGH | 蓝牙 SMP 遗留响应者 STK 认证漏洞 |
| CVE-2026-31717 | 8.8 HIGH | ksmbd 持久句柄重连所有者验证漏洞 |
| CVE-2026-43018 | 8.8 HIGH | 蓝牙hci_event:修复hci_le_remote_conn_param_req_evt中的UAF漏洞 |
| CVE-2026-31709 | 8.8 HIGH | SMB客户端cifsacl DACL重写前验证漏洞 |
| CVE-2026-31706 | 8.8 HIGH | ksmbd: smb_inherit_dacl() 访问控制验证与强化漏洞 |
| CVE-2026-31712 | 8.3 HIGH | ksmbd smb_check_perm_dacl权限检查漏洞 |
| CVE-2026-31779 | 8.1 HIGH | iwlwifi iwl_mvm_nd_match_info_handler 越界读取漏洞 |
| CVE-2026-31771 | 8.1 HIGH | 蓝牙 hci_event 唤醒原因存储漏洞 |
| CVE-2026-43051 | 8.1 HIGH | Wacom HID驱动程序越界读取漏洞 |
| CVE-2026-31708 | 8.1 HIGH | smb2_ioctl_query_info 越界读取漏洞 |
| CVE-2026-43019 | 7.8 HIGH | 蓝牙协议栈HCI连接参数同步UAF漏洞 |
| CVE-2026-31772 | 7.8 HIGH | Bluetooth: hci_sync 栈缓冲区溢出漏洞 |
显示前 20 条,共 146 条。 查看全部 → →
IV. Related Vulnerabilities
V. Comments for CVE-2026-31718
暂无评论