
CVE-2026-31444: Linux Kernel Use-After-Free Vulnerability

CVE-2026-31444 is a use-after-free vulnerability in the Linux kernel's ksmbd component that can lead to NULL pointer dereference. This article covers the technical details, affected versions, impact, and mitigation strategies.

Published: April 23, 2026

CVE-2026-31444 Overview

CVE-2026-31444 is a vulnerability in the Linux kernel's ksmbd (kernel SMB server) component that exposes systems to use-after-free and NULL pointer dereference conditions in the smb_grant_oplock() function. The vulnerability exists within the oplock (opportunistic lock) publication sequence, where improper ordering of operations creates race conditions that can be exploited by concurrent SMB operations.

The ksmbd module implements an in-kernel SMB3 server designed for high-performance file sharing. This vulnerability affects systems where ksmbd is enabled and actively serving SMB clients, potentially allowing attackers to crash the kernel or escalate privileges through memory corruption.

Critical Impact

Exploitation of this use-after-free and NULL pointer dereference vulnerability in the kernel can lead to system crashes (denial of service) or potentially arbitrary code execution with kernel privileges.

Affected Products

  • Linux kernel with ksmbd module enabled
  • Systems running SMB3 file sharing services via ksmbd
  • Linux distributions shipping vulnerable kernel versions

Discovery Timeline

  • April 22, 2026 - CVE-2026-31444 published to NVD
  • April 23, 2026 - Last updated in NVD database

Technical Details for CVE-2026-31444

Vulnerability Analysis

The vulnerability resides in the smb_grant_oplock() function within the ksmbd subsystem, which handles opportunistic lock grants for SMB file operations. Two distinct issues were identified in the oplock publication sequence that create exploitable race conditions.

The first issue occurs when opinfo is linked into ci->m_op_list via opinfo_add() before add_lease_global_list() is called. If add_lease_global_list() subsequently fails due to a memory allocation failure (when kmalloc() returns NULL), the error handling path frees the opinfo structure using __free_opinfo() while it remains linked in ci->m_op_list. This creates a use-after-free condition where concurrent readers of m_op_list (such as opinfo_get_list() or iterations in smb_break_all_levII_oplock()) can dereference the already-freed memory node.

The second issue involves a NULL pointer dereference condition. The opinfo->o_fp field is assigned after add_lease_global_list() publishes the opinfo on the global lease list. During this window, a concurrent find_same_lease_key() operation can traverse the lease list and attempt to dereference opinfo->o_fp->f_ci while o_fp is still NULL.

Root Cause

The root cause is improper sequencing of operations during oplock publication. The code published partially initialized data structures to shared lists before completing all necessary initialization steps, and the error handling path used immediate freeing (__free_opinfo()) instead of RCU-deferred freeing, creating conditions where concurrent accessors could encounter invalid memory states.

Attack Vector

An attacker with network access to a vulnerable ksmbd server could potentially trigger these race conditions through carefully timed SMB requests. The attack requires the ability to send concurrent SMB operations that exercise the oplock granting and lease lookup code paths simultaneously. While the vulnerability may be challenging to exploit reliably due to its race condition nature, successful exploitation could result in kernel memory corruption leading to denial of service or privilege escalation.

The fix restructures the publication sequence by setting opinfo->o_fp before any list publication, preallocating the lease_table before opinfo_add() so that subsequent operations cannot fail, and using opinfo_put() instead of __free_opinfo() on error paths to ensure proper RCU-deferred freeing.
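
The two ordering problems and the corrected sequence described above, as a deterministic userspace model in C. This is an added example, not kernel code and not part of the original advisory: the step names follow the advisory, while the flag-based `opinfo`, `observe()` and `run()` are illustrative assumptions.

```c
#include <stdbool.h>
#include <stdio.h>
/* Userspace model: names follow the advisory, the bodies are simplified flags. */
struct opinfo { const void *o_fp; bool on_op_list, on_lease_list, freed; };
struct result { bool freed_while_linked, null_fp_visible, granted; };
enum step { SET_FP, ALLOC_LEASE_TABLE, OPINFO_ADD, LEASE_LIST_ADD };

/* Pre-fix order: link, allocate inside add_lease_global_list(), publish, set o_fp. */
static const enum step VULNERABLE[4] = { OPINFO_ADD, ALLOC_LEASE_TABLE, LEASE_LIST_ADD, SET_FP };
/* Fixed order: initialise o_fp, preallocate, and only then publish. */
static const enum step FIXED[4] = { SET_FP, ALLOC_LEASE_TABLE, OPINFO_ADD, LEASE_LIST_ADD };

/* Record what a concurrent list walker could see at this instant. */
static void observe(const struct opinfo *op, struct result *r)
{
    if (op->freed && (op->on_op_list || op->on_lease_list))
        r->freed_while_linked = true;  /* walker reaches a freed node */
    if (op->on_lease_list && !op->o_fp)
        r->null_fp_visible = true;     /* walker would read o_fp->f_ci */
}

/* Apply the steps in the given order, checking both invariants after each one. */
struct result run(const enum step order[4], bool alloc_fails)
{
    static const int file = 1;         /* stand-in for the open file object */
    struct opinfo op = {0};
    struct result r = {0};
    for (int i = 0; i < 4; i++) {
        switch (order[i]) {
        case SET_FP:            op.o_fp = &file;         break;
        case OPINFO_ADD:        op.on_op_list = true;    break;
        case LEASE_LIST_ADD:    op.on_lease_list = true; break;
        case ALLOC_LEASE_TABLE: op.freed = alloc_fails;  break; /* error path frees */
        }
        observe(&op, &r);
        if (op.freed)
            return r;                  /* grant aborted after allocation failure */
    }
    r.granted = true;
    return r;
}

int main(void)
{
    printf("vulnerable: uaf=%d null_fp=%d\n", run(VULNERABLE, true).freed_while_linked, run(VULNERABLE, false).null_fp_visible);
    printf("fixed:      uaf=%d null_fp=%d\n", run(FIXED, true).freed_while_linked, run(FIXED, false).null_fp_visible);
    return 0;
}
```

The model has no threads: it checks, after every step, the state a concurrent reader could observe, which is why the result depends only on the order of the steps.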

Detection Methods for CVE-2026-31444

Indicators of Compromise

  • Kernel crashes or panics with stack traces referencing smb_grant_oplock(), opinfo_get_list(), or find_same_lease_key() functions
  • System instability when handling concurrent SMB connections through ksmbd
  • Kernel oops messages indicating NULL pointer dereference in ksmbd-related functions
  • Unexpected system reboots on servers running ksmbd with high SMB client load

Detection Strategies

  • Monitor kernel logs (dmesg) for ksmbd-related crashes, NULL pointer dereferences, or memory corruption warnings
  • Implement kernel live patching detection to verify whether vulnerable code paths are present
  • Use kernel module version checking to identify systems running vulnerable ksmbd implementations
  • Deploy eBPF-based monitoring to detect anomalous behavior in ksmbd oplock handling functions
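
One way to act on the indicators and the log-monitoring advice above: a small C scanner that counts kernel crash reports naming the three listed functions. This is an added example, not part of the original advisory; the report delimiters (`BUG:` or `Oops:` up to `end trace`) and the sample log are assumptions constructed for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Function names the advisory lists as appearing in crash stack traces. */
static const char *const SYMS[] = {
    "smb_grant_oplock", "opinfo_get_list", "find_same_lease_key" };

/* strstr() limited to the current line of a multi-line buffer. */
static bool in_line(const char *line, size_t len, const char *needle)
{
    const char *p = strstr(line, needle);
    return p && (size_t)(p - line) < len;
}

/* Count crash reports ("BUG:"/"Oops:" up to "end trace") naming a listed symbol. */
int count_ksmbd_crashes(const char *log)
{
    int hits = 0;
    bool in_report = false, matched = false;
    for (const char *line = log; *line; ) {
        size_t len = strcspn(line, "\n");
        if (in_line(line, len, "BUG:") || in_line(line, len, "Oops:"))
            in_report = true;
        for (size_t i = 0; in_report && i < sizeof SYMS / sizeof *SYMS; i++)
            matched |= in_line(line, len, SYMS[i]);
        if (in_report && in_line(line, len, "end trace")) {
            hits += matched;
            in_report = matched = false;
        }
        line += len + (line[len] == '\n');
    }
    return hits + matched;  /* also count a report cut off before its end marker */
}

/* Constructed sample log: one ksmbd crash, one unrelated crash, one stray mention. */
const char SAMPLE_LOG[] =
    "[   90.10] note: smb_grant_oplock named outside any crash report\n"
    "[  101.20] BUG: kernel NULL pointer dereference, address: 0000000000000018\n"
    "[  101.21] Oops: 0000 [#1] PREEMPT SMP\n"
    "[  101.22] RIP: 0010:find_same_lease_key+0x5c/0x110 [ksmbd]\n"
    "[  101.24]  smb_grant_oplock+0x1a2/0x4f0 [ksmbd]\n"
    "[  101.25] ---[ end trace 0000000000000000 ]---\n"
    "[  230.40] BUG: unable to handle page fault for address: ffffffffc0000000\n"
    "[  230.41] RIP: 0010:example_driver_poll+0x20/0x90 [example_driver]\n"
    "[  230.42] ---[ end trace 0000000000000000 ]---\n";

int main(void) { printf("%d\n", count_ksmbd_crashes(SAMPLE_LOG)); return 0; }
```

Only symbols that appear inside a crash report are counted, so an ordinary log line that happens to mention one of the function names does not raise an alert.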

Monitoring Recommendations

  • Enable kernel crash dump collection (kdump) to capture detailed crash information for analysis
  • Configure system monitoring to alert on unexpected kernel oops or panic events
  • Track SMB server performance metrics for anomalies that could indicate exploitation attempts
  • Implement network monitoring to detect unusual patterns of SMB connection attempts

How to Mitigate CVE-2026-31444

Immediate Actions Required

  • Apply the latest kernel security patches from your Linux distribution
  • If ksmbd is not required, disable the module using modprobe -r ksmbd and blacklist it
  • Consider temporarily using the Samba userspace implementation instead of ksmbd until patched
  • Restrict network access to SMB services to trusted clients only

Patch Information

The Linux kernel maintainers have released patches to address this vulnerability. The fix restructures the oplock publication sequence to eliminate post-publish failures by preallocating necessary resources, ensuring proper initialization order, and using RCU-deferred freeing on error paths.

Official kernel patches are available:

  • Kernel Patch 48623ec
  • Kernel Patch 6d7e5a9
  • Kernel Patch 7de55bb
  • Kernel Patch 9e785f0
  • Kernel Patch a5c6f6d

Workarounds

  • Disable the ksmbd module if in-kernel SMB server functionality is not required: echo "blacklist ksmbd" >> /etc/modprobe.d/blacklist.conf
  • Migrate to the Samba userspace implementation as an alternative SMB server solution
  • Implement network segmentation to limit exposure of SMB services to untrusted networks
  • Use firewall rules to restrict access to SMB ports (TCP 445, 139) from untrusted sources
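
```bash
# Disable the ksmbd module and prevent automatic loading.
# modprobe -r fails while the module is in use, so stop the ksmbd server first.
sudo modprobe -r ksmbd
echo "blacklist ksmbd" | sudo tee /etc/modprobe.d/ksmbd-blacklist.conf
# Rebuild the initramfs so the blacklist also applies at early boot
# (Debian/Ubuntu command; other distributions use their own tool, e.g. dracut).
sudo update-initramfs -u

# Alternatively, restrict SMB access via firewall.
# TRUSTED_NET is a placeholder: set it to the client subnet allowed to reach SMB.
TRUSTED_NET="192.0.2.0/24"
sudo iptables -A INPUT -p tcp --dport 445 -s "$TRUSTED_NET" -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 445 -j DROP
```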

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Vulnerability Details

  • Type: Use After Free
  • Vendor/Tech: Linux Kernel
  • Severity: NONE
  • CVSS Score: N/A
  • EPSS Probability: 0.02%
  • Known Exploited: No

Impact Assessment

  • Confidentiality: None
  • Integrity: None
  • Availability: None