CVE-2026-31718

Published: May 1, 2026

Modified: May 23, 2026

PUBLISHED

CVSS v3.1

9.8

CRITICAL

Description

In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free in __ksmbd_close_fd() via durable scavenger When a durable file handle survives session disconnect (TCP close without SMB2_LOGOFF), session_fd_check() sets fp->conn = NULL to preserve the handle for later reconnection. However, it did not clean up the byte-range locks on fp->lock_list. Later, when the durable scavenger thread times out and calls __ksmbd_close_fd(NULL, fp), the lock cleanup loop did: spin_lock(&fp->conn->llist_lock); This caused a slab use-after-free because fp->conn was NULL and the original connection object had already been freed by ksmbd_tcp_disconnect(). The root cause is asymmetric cleanup: lock entries (smb_lock->clist) were left dangling on the freed conn->lock_list while fp->conn was nulled out. To fix this issue properly, we need to handle the lifetime of smb_lock->clist across three paths: - Safely skip clist deletion when list is empty and fp->conn is NULL. - Remove the lock from the old connection's lock_list in session_fd_check() - Re-add the lock to the new connection's lock_list in ksmbd_reopen_durable_fd().

Vendor	Product	Versions
Linux	Linux	affected `8df4bcdb0a4232192b2445256c39b787d58ef14d - < 0000a7780e0e446a28a273572f6ea8f7f582f694` affected `c8efcc786146a951091588e5fa7e3c754850cb3c - < e33c65f011980b4ad4abfd93585ec2079856368f` affected `c8efcc786146a951091588e5fa7e3c754850cb3c - < 3d6682726c2d3a46d31dae88b8166786b09b03ad` affected `c8efcc786146a951091588e5fa7e3c754850cb3c - < b34fc42cfe922e551f7a27d3ac3bb016e41d7dd9` affected `c8efcc786146a951091588e5fa7e3c754850cb3c - < 235e32320a470fcd3998fb3774f2290a0eb302a1` +1 more versions
Linux	Linux	affected `6.9` unaffected `0 - < 6.9` unaffected `6.6.140 - <= 6.6.` unaffected `6.12.84 - <= 6.12.` unaffected `6.18.25 - <= 6.18.*` +2 more versions