
CVE-2026-31718 — ksmbd: fix use-after-free in __ksmbd_close_fd() via durable scavenger

CVSS 9.8 (Critical) · EPSS 0.06% · P18

Affected Version Matrix (11 rows)

Vendor | Product | Version Range | Status
Linux | Linux | from c8efcc786146a951091588e5fa7e3c754850cb3c, before e33c65f011980b4ad4abfd93585ec2079856368f | affected
Linux | Linux | from c8efcc786146a951091588e5fa7e3c754850cb3c, before 3d6682726c2d3a46d31dae88b8166786b09b03ad | affected
Linux | Linux | from c8efcc786146a951091588e5fa7e3c754850cb3c, before b34fc42cfe922e551f7a27d3ac3bb016e41d7dd9 | affected
Linux | Linux | from c8efcc786146a951091588e5fa7e3c754850cb3c, before 235e32320a470fcd3998fb3774f2290a0eb302a1 | affected
Linux | Linux | 8df4bcdb0a4232192b2445256c39b787d58ef14d | affected
Linux | Linux | 6.9 | affected
Linux | Linux | < 6.9 | unaffected
Linux | Linux | from 6.12.84 through 6.12.* | unaffected
… +3 more rows

I. Basic Information for CVE-2026-31718

Vulnerability Information


Vulnerability Title
ksmbd: fix use-after-free in __ksmbd_close_fd() via durable scavenger
Source: NVD (National Vulnerability Database)
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved:

ksmbd: fix use-after-free in __ksmbd_close_fd() via durable scavenger

When a durable file handle survives session disconnect (TCP close without SMB2_LOGOFF), session_fd_check() sets fp->conn = NULL to preserve the handle for later reconnection. However, it did not clean up the byte-range locks on fp->lock_list.

Later, when the durable scavenger thread times out and calls __ksmbd_close_fd(NULL, fp), the lock cleanup loop did:

    spin_lock(&fp->conn->llist_lock);

This caused a slab use-after-free because fp->conn was NULL and the original connection object had already been freed by ksmbd_tcp_disconnect().

The root cause is asymmetric cleanup: lock entries (smb_lock->clist) were left dangling on the freed conn->lock_list while fp->conn was nulled out.

To fix this issue properly, we need to handle the lifetime of smb_lock->clist across three paths:
- Safely skip clist deletion when list is empty and fp->conn is NULL.
- Remove the lock from the old connection's lock_list in session_fd_check()
- Re-add the lock to the new connection's lock_list in ksmbd_reopen_durable_fd().
Source: NVD (National Vulnerability Database)
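To make the three cleanup paths in the commit message concrete, here is an added user-space model written for this page; it is not ksmbd's code. The list, struct and function names follow the commit text (conn, fp, smb_lock, lock_list, clist, session_fd_check, ksmbd_reopen_durable_fd, __ksmbd_close_fd), but every body is a simplification: the spinlock is omitted, "freeing" a connection only sets a flag so a dangling access is reported as a return code instead of crashing, and the `owner` field, `relink_locks()`, `run_scenario()`, the `scenario_*` wrappers and the `CLOSE_*` codes are this example's own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

#define container_of(ptr, type, member) ((type *)((char *)(ptr) - offsetof(type, member)))

/* Minimal intrusive list in the style of the kernel's list_head. */
struct list_head { struct list_head *next, *prev; };
static void INIT_LIST_HEAD(struct list_head *h) { h->next = h->prev = h; }
static bool list_empty(const struct list_head *h) { return h->next == h; }
static void list_add(struct list_head *n, struct list_head *h)
{ n->next = h->next; n->prev = h; h->next->prev = n; h->next = n; }
static void list_del_init(struct list_head *n)
{ n->prev->next = n->next; n->next->prev = n->prev; INIT_LIST_HEAD(n); }

struct ksmbd_conn {
    struct list_head lock_list; /* every smb_lock->clist owned by this connection */
    bool freed;                 /* stands in for ksmbd_tcp_disconnect() freeing the object */
};
struct smb_lock {
    struct list_head clist;     /* link into conn->lock_list */
    struct list_head flist;     /* link into fp->lock_list */
    struct ksmbd_conn *owner;   /* model-only: the conn whose lock_list clist sits on */
};
struct ksmbd_file {
    struct ksmbd_conn *conn;    /* NULL while the durable handle is disconnected */
    struct list_head lock_list; /* every smb_lock->flist on this handle */
};
/* Model-only outcomes; in the kernel the negative ones are an oops or a slab use-after-free. */
enum close_result { CLOSE_OK = 0, CLOSE_NULL_CONN = -1, CLOSE_USE_AFTER_FREE = -2, CLOSE_DANGLING_CLIST = -3 };

static struct ksmbd_conn *conn_new(void)
{ struct ksmbd_conn *c = calloc(1, sizeof *c); INIT_LIST_HEAD(&c->lock_list); return c; }
static struct ksmbd_file *fp_new(struct ksmbd_conn *conn)
{ struct ksmbd_file *fp = calloc(1, sizeof *fp); fp->conn = conn; INIT_LIST_HEAD(&fp->lock_list); return fp; }
static void tcp_disconnect(struct ksmbd_conn *conn) { conn->freed = true; }

/* A granted byte-range lock sits on both the handle's and the connection's list. */
static void lock_grant(struct ksmbd_file *fp)
{
    struct smb_lock *l = calloc(1, sizeof *l);
    list_add(&l->flist, &fp->lock_list);
    list_add(&l->clist, &fp->conn->lock_list);
    l->owner = fp->conn;
}

/* Disconnect path before the fix: only the back-pointer is cleared; clist stays linked. */
static void session_fd_check_before(struct ksmbd_file *fp) { fp->conn = NULL; }

/* Fixed disconnect (conn == NULL) and reconnect (conn != NULL) share one walk that
 * moves every lock's clist off the old connection or onto the new one. */
static void relink_locks(struct ksmbd_file *fp, struct ksmbd_conn *conn)
{
    for (struct list_head *p = fp->lock_list.next; p != &fp->lock_list; p = p->next) {
        struct smb_lock *l = container_of(p, struct smb_lock, flist);
        if (conn) list_add(&l->clist, &conn->lock_list); else list_del_init(&l->clist);
        l->owner = conn;
    }
    fp->conn = conn;
}
static void session_fd_check_fixed(struct ksmbd_file *fp) { relink_locks(fp, NULL); }
static void reopen_durable_fd_fixed(struct ksmbd_file *fp, struct ksmbd_conn *c) { relink_locks(fp, c); }

/* The __ksmbd_close_fd() lock cleanup loop. Unfixed, every lock goes through
 * "spin_lock(&fp->conn->llist_lock); list_del(&l->clist)"; fixed, that step is skipped
 * when clist is already empty, which is the state the fixed disconnect leaves behind. */
static enum close_result close_fd(struct ksmbd_file *fp, bool fixed)
{
    struct list_head *p = fp->lock_list.next;
    while (p != &fp->lock_list) {
        struct smb_lock *l = container_of(p, struct smb_lock, flist);
        p = p->next;
        if (!fixed || !list_empty(&l->clist)) {
            if (!fp->conn) return CLOSE_NULL_CONN;                        /* &NULL->llist_lock */
            if (l->owner && l->owner->freed) return CLOSE_USE_AFTER_FREE; /* list_del into freed conn */
            list_del_init(&l->clist);
        }
        list_del_init(&l->flist);
        free(l);
    }
    return CLOSE_OK;
}

/* Grant one lock, lose TCP without SMB2_LOGOFF, optionally reconnect (only valid
 * together with the fixed disconnect), then close. */
static enum close_result run_scenario(bool fixed_disconnect, bool reconnect, bool fixed_close)
{
    struct ksmbd_conn *c1 = conn_new(), *c2 = NULL;
    struct ksmbd_file *fp = fp_new(c1);
    enum close_result r;
    lock_grant(fp);
    if (fixed_disconnect) session_fd_check_fixed(fp); else session_fd_check_before(fp);
    tcp_disconnect(c1);                 /* c1 is gone; anything still linked on it dangles */
    if (reconnect) { c2 = conn_new(); reopen_durable_fd_fixed(fp, c2); }
    r = close_fd(fp, fixed_close);      /* scavenger timeout, or a normal close after reconnect */
    if (r == CLOSE_OK && (!list_empty(&c1->lock_list) || (c2 && !list_empty(&c2->lock_list))))
        r = CLOSE_DANGLING_CLIST;       /* a clean close must leave nothing on any connection */
    if (!list_empty(&fp->lock_list))    /* model-only teardown of the one lock a failed close left */
        free(container_of(fp->lock_list.next, struct smb_lock, flist));
    free(fp); free(c1); free(c2);
    return r;
}
static enum close_result scenario_before_fix(void)      { return run_scenario(false, false, false); }
static enum close_result scenario_close_fix_only(void)  { return run_scenario(false, false, true); }
static enum close_result scenario_fixed_scavenger(void) { return run_scenario(true, false, true); }
static enum close_result scenario_fixed_reconnect(void) { return run_scenario(true, true, true); }
```

The two failing scenarios show why the close-side guard on its own is not a fix: with the pre-fix session_fd_check() the lock's clist is still linked into the dead connection, so even the guarded loop has to reach for fp->conn and hits NULL. Only when the disconnect path unlinks clist (and the reconnect path relinks it on the new connection) does the scavenger close, or a later normal close, run without touching a freed or NULL connection.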
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
Linux kernel security vulnerability
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
The Linux kernel is the kernel used by Linux, the open-source operating system of the US-based Linux Foundation. The Linux kernel has a security vulnerability that stems from a use-after-free in __ksmbd_close_fd() reached through ksmbd's durable scavenger, which may lead to a NULL pointer dereference.
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)


Affected Products

Vendor | Product | Affected Versions | CPE
Linux | Linux | c8efcc786146a951091588e5fa7e3c754850cb3c ~ e33c65f011980b4ad4abfd93585ec2079856368f | -
Linux | Linux | 6.9 | -

II. Public POCs for CVE-2026-31718


No public POC found.


III. Intelligence Information for CVE-2026-31718


Same Patch Batch · Linux · 2026-05-01 · 146 CVEs total

CVE-2026-43037 · 9.8 CRITICAL · ip6_tunnel: clear skb2->cb[] in ip4ip6_err()
CVE-2026-43038 · 9.8 CRITICAL · ipv6: icmp: clear skb2->cb[] in ip6_err_gen_icmpv6_unreach()
CVE-2026-43039 · 9.8 CRITICAL · net: ti: icssg-prueth: fix missing data copy and wrong recycle in ZC RX dispatch
CVE-2026-43011 · 9.8 CRITICAL · net/x25: Fix potential double free of skb
CVE-2026-31705 · 9.8 CRITICAL · ksmbd: fix out-of-bounds write in smb2_get_ea() EA alignment
CVE-2026-43048 · 8.8 HIGH · HID: core: Mitigate potential OOB by removing bogus memset()
CVE-2026-31739 · 8.8 HIGH · crypto: tegra - Add missing CRYPTO_ALG_ASYNC
CVE-2026-31735 · 8.8 HIGH · iommupt: Fix short gather if the unmap goes into a large mapping
CVE-2026-31773 · 8.8 HIGH · Bluetooth: SMP: derive legacy responder STK authentication from MITM state
CVE-2026-31717 · 8.8 HIGH · ksmbd: validate owner of durable handle on reconnect
CVE-2026-43018 · 8.8 HIGH · Bluetooth: hci_event: fix potential UAF in hci_le_remote_conn_param_req_evt
CVE-2026-31709 · 8.8 HIGH · smb: client: validate the whole DACL before rewriting it in cifsacl
CVE-2026-31706 · 8.8 HIGH · ksmbd: validate num_aces and harden ACE walk in smb_inherit_dacl()
CVE-2026-31712 · 8.3 HIGH · ksmbd: require minimum ACE size in smb_check_perm_dacl()
CVE-2026-31779 · 8.1 HIGH · wifi: iwlwifi: mvm: fix potential out-of-bounds read in iwl_mvm_nd_match_info_handler()
CVE-2026-31771 · 8.1 HIGH · Bluetooth: hci_event: move wake reason storage into validated event handlers
CVE-2026-43051 · 8.1 HIGH · HID: wacom: fix out-of-bounds read in wacom_intuos_bt_irq
CVE-2026-31708 · 8.1 HIGH · smb: client: fix OOB read in smb2_ioctl_query_info QUERY_INFO path
CVE-2026-43019 · 7.8 HIGH · Bluetooth: hci_conn: fix potential UAF in set_cig_params_sync
CVE-2026-31772 · 7.8 HIGH · Bluetooth: hci_sync: fix stack buffer overflow in hci_le_big_create_sync

Showing top 20 of 146 CVEs.

IV. Related Vulnerabilities
