PatchSiren cyber security CVE debrief
CVE-2026-31718 Linux CVE debrief
CVE-2026-31718 is a critical Linux kernel vulnerability in ksmbd, the SMB server component. The issue is a use-after-free in durable file handle cleanup: when a durable handle survives disconnect, the file pointer’s connection reference can be cleared while associated lock-list state is left behind. Later cleanup in the durable scavenger can dereference the freed connection object, causing memory corruption. NVD rates the issue 9.8/CRITICAL with network access, no privileges, and no user interaction required.
- Vendor: Linux
- Product: Unknown
- CVSS: CRITICAL 9.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-01
- Original CVE updated: 2026-05-17
- Advisory published: 2026-05-01
- Advisory updated: 2026-05-17
Who should care
Linux kernel maintainers, distribution security teams, appliance vendors, and administrators running ksmbd-enabled SMB services should treat this as urgent. Systems that expose SMB services or rely on durable file handles are the primary concern, especially where the running kernel falls within the affected ranges listed by NVD.
Technical summary
According to the supplied kernel description, session_fd_check() can set fp->conn = NULL after a TCP disconnect without SMB2_LOGOFF to preserve a durable file handle for later reconnection. The lock cleanup path did not properly handle fp->lock_list / smb_lock->clist lifetime across disconnect and reconnect. When the durable scavenger later calls __ksmbd_close_fd(NULL, fp), it may attempt to access fp->conn->llist_lock even though the original connection object was already freed by ksmbd_tcp_disconnect(). The stated fix is to coordinate lock-list ownership across cleanup and reopen paths so entries are removed from the old connection, safely skipped when fp->conn is NULL and the list is empty, and re-added on durable reopen.
Defensive priority
Urgent. The CVSS vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) indicates a remotely reachable kernel memory-safety flaw with potential high impact to confidentiality, integrity, and availability.
Recommended defensive actions
- Apply the kernel updates referenced by the linked patches and confirm your vendor’s backport status.
- Prioritize systems running ksmbd or otherwise exposing SMB services over the network.
- Check whether deployed kernels fall within the affected NVD ranges: 6.6.32 to before 6.7, 6.9 to before 6.12.84, 6.13 to before 6.18.25, 6.19 to before 7.0.2, and 7.1-rc1.
- If immediate patching is not possible, reduce exposure by restricting SMB network access to trusted clients and disabling ksmbd where it is not required.
- Monitor distribution advisories for exact fixed package versions, since backporting may differ by vendor.
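The range check from the list above, as an added example (not part of the original debrief or of the kernel project's code): it classifies a `uname -r` style string against the NVD ranges quoted here. The function names and the sample release strings are assumptions constructed for illustration.

```python
import platform
import re

# Affected upstream ranges from the NVD record quoted in this debrief:
# (inclusive start, exclusive end). Vendor kernels with backports may differ.
AFFECTED_RANGES = [
    ((6, 6, 32), (6, 7, 0)),
    ((6, 9, 0), (6, 12, 84)),
    ((6, 13, 0), (6, 18, 25)),
    ((6, 19, 0), (7, 0, 2)),
]
# Pre-releases the record lists explicitly.
AFFECTED_PRERELEASES = {((7, 1, 0), "rc1")}

RELEASE_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(rc\d+))?")


def parse_release(release):
    """Split a `uname -r` style string into ((major, minor, patch), rc or None)."""
    m = RELEASE_RE.match(release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch, rc = m.groups()
    return (int(major), int(minor), int(patch or 0)), rc


def classify(release):
    """Return 'affected', 'not-listed' or 'check-manually' for a kernel release."""
    version, rc = parse_release(release)
    if rc is not None:
        # Range arithmetic is ambiguous for -rc builds; only exact listed ones match.
        return "affected" if (version, rc) in AFFECTED_PRERELEASES else "check-manually"
    for start, end in AFFECTED_RANGES:
        if start <= version < end:
            return "affected"
    return "not-listed"


if __name__ == "__main__":
    # Constructed sample releases, followed by the running kernel.
    for rel in ["6.6.31", "6.12.83-generic", "6.12.84", "7.1.0-rc1", platform.release()]:
        try:
            print(f"{rel:24} {classify(rel)}")
        except ValueError as exc:
            print(f"{rel:24} {exc}")
```

The result reflects upstream version numbers only; a distribution kernel can carry the fix or the vulnerable code under a version string that says otherwise, so confirm against the vendor advisory.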
Evidence notes
This debrief is based only on the supplied NVD record, CVE metadata, and linked official kernel patch references. The source states a ksmbd durable-handle cleanup use-after-free, identifies CWE-416, and provides the CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. NVD published the CVE on 2026-05-01 and last modified the record on 2026-05-17. The linked kernel references are official git.kernel.org stable patch URLs; exact remediation status should still be verified per downstream vendor backport.
Official resources
- CVE-2026-31718 CVE record (CVE.org)
- CVE-2026-31718 NVD detail (NVD)
- Source item URL (nvd_modified)
- Source reference (416baaa9-dc9f-4396-8d5f-8c081fb06d67)
- Mitigation or vendor reference (416baaa9-dc9f-4396-8d5f-8c081fb06d67 - Patch)
CVE published 2026-05-01 and last modified 2026-05-17. Use these CVE dates for timing context; do not treat PatchSiren generation time as the issue date.