CVE-2026-31476 Linux CVE debrief

Who should care

Organizations running Linux systems with ksmbd enabled and exposed to untrusted networks, particularly those relying on SMB multichannel for performance. The unauthenticated remote attack vector and high availability impact make this a priority patch for file server deployments.

Technical summary

The ksmbd kernel SMB server mishandles failed multichannel session binding requests. When a binding attempt fails (e.g., wrong password), the error path sets sess->state = SMB2_SESSION_EXPIRED on the target session looked up via ksmbd_session_lookup_slowpath(). Because this session belongs to another connection's user, a remote unauthenticated attacker can force-expire any active session. The fix distinguishes binding failures from initial session setup failures and skips the expiration step for binding attempts, while still properly releasing the session reference via ksmbd_user_session_put().

Defensive priority

high

Recommended defensive actions

• Apply the appropriate stable kernel patch for your branch: 5.15.168+, 6.6.131+, 6.12.80+, 6.18.21+, or 6.19.11+.
• If patching is not immediately feasible, consider restricting or disabling SMB multichannel until updates can be applied.
• Monitor ksmbd session logs for unexpected SMB2_SESSION_EXPIRED events that may indicate exploitation attempts.
• Validate that session binding requests are properly authenticated and logged in network-accessible ksmbd deployments.

Evidence notes

The vulnerability description and patch references are drawn from the official CVE record and NVD data. The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H yields a score of 8.2 (HIGH). Multiple stable kernel patches are available across affected branches.

Official resources