CVE-2026-31718
EUVD-2026-2652701.05.2026, 14:16
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: fix use-after-free in __ksmbd_close_fd() via durable scavenger
When a durable file handle survives session disconnect (TCP close without
SMB2_LOGOFF), session_fd_check() sets fp->conn = NULL to preserve the
handle for later reconnection. However, it did not clean up the byte-range
locks on fp->lock_list.
Later, when the durable scavenger thread times out and calls
__ksmbd_close_fd(NULL, fp), the lock cleanup loop did:
spin_lock(&fp->conn->llist_lock);
This caused a slab use-after-free because fp->conn was NULL and the
original connection object had already been freed by
ksmbd_tcp_disconnect().
The root cause is asymmetric cleanup: lock entries (smb_lock->clist) were
left dangling on the freed conn->lock_list while fp->conn was nulled out.
To fix this issue properly, we need to handle the lifetime of
smb_lock->clist across three paths:
- Safely skip clist deletion when list is empty and fp->conn is NULL.
- Remove the lock from the old connection's lock_list in
session_fd_check()
- Re-add the lock to the new connection's lock_list in
ksmbd_reopen_durable_fd().EnginsightAffected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| linux | linux_kernel | 6.6.32 ≤ 𝑥 < 6.7 |
| linux | linux_kernel | 6.9 ≤ 𝑥 < 6.12.84 |
| linux | linux_kernel | 6.13 ≤ 𝑥 < 6.18.25 |
| linux | linux_kernel | 6.19 ≤ 𝑥 < 7.0.2 |
| linux | linux_kernel | 7.1:rc1 |
𝑥
= Vulnerable software versions
Debian Releases
Common Weakness Enumeration
Vulnerability Media Exposure
References