PT-2026-36348 · Linux · Linux Kernel

Published 2026-05-01 · Updated 2026-05-23 · CVE-2026-31718

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Linux kernel (affected versions not specified)

Description

A use-after-free issue exists in the ksmbd module of the Linux kernel. When a durable file handle persists after a session disconnect (TCP close without SMB2 LOGOFF), the session_fd_check() function sets fp->conn to NULL but fails to clean up byte-range locks on fp->lock_list. Subsequently, when the durable scavenger thread times out and invokes the ksmbd_close_fd() function, it attempts to acquire a spin lock using fp->conn->llist_lock. Since fp->conn is NULL and the original connection object was already freed by ksmbd_tcp_disconnect(), a slab use-after-free occurs. This is caused by asymmetric cleanup where lock entries (smb_lock->clist) remain dangling on the freed conn->lock_list while fp->conn is nulled.

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.

RCE

Use After Free

Weakness Enumeration

Related Identifiers

CVE-2026-31718
OPENSUSE-SU-2026:10793-1

Affected Products

Linux Kernel