CVE-2026-31477: Linux Kernel Use-After-Free Vulnerability

CVE-2026-31477 Overview

CVE-2026-31477 is a vulnerability in the Linux kernel's ksmbd in-kernel SMB3 server. The flaw resides in the smb2_lock() function and includes three distinct error handling defects: two memory leak paths and one NULL pointer dereference [CWE-476]. After list_del() detaches smb_lock from lock_list at the no_check_cl label, several exit paths fail to free the detached object, and the rollback path unconditionally dereferences a pointer that smb_flock_init() may return as NULL on allocation failure. The vulnerability is reachable over the network through SMB2 lock requests handled by ksmbd.

Critical Impact

A remote attacker reaching an exposed ksmbd share can trigger a kernel NULL pointer dereference and trigger kernel memory leaks, leading to denial of service of the affected host.

Affected Products

• Linux kernel 5.15 with ksmbd enabled
• Linux kernel 7.0 release candidates rc1 through rc7
• Distributions shipping ksmbd SMB server based on the affected kernel branches

Discovery Timeline

• 2026-04-22 - CVE-2026-31477 published to NVD
• 2026-04-27 - Last updated in NVD database

Technical Details for CVE-2026-31477

Vulnerability Analysis

The smb2_lock() function in fs/smb/server/smb2pdu.c processes SMB2 LOCK requests. After the no_check_cl label, list_del() detaches an smb_lock element from lock_list. The cleanup handler at the out: label only iterates lock_list and rollback_list, so any detached smb_lock that the function fails to free directly becomes leaked kernel memory along with its associated struct file_lock.

The NULL dereference occurs in the rollback path. When the kernel rolls back partially applied byte-range locks after a failure, it calls smb_flock_init() to allocate a new file_lock and immediately passes the result to vfs_lock_file() and locks_free_lock(). If allocation fails, the result is NULL and the kernel crashes.

Root Cause

The root cause is asymmetric resource management. The function detaches smb_lock from its tracking list without ensuring all subsequent error branches free the object. Two specific cases trigger leaks: an unexpected return from vfs_lock_file() in the non-UNLOCK path, and an -ENOENT return in the UNLOCK path. In the latter, the function also returns a stale error code to the SMB dispatcher. The third case is a missing NULL check on the return value of smb_flock_init() in the rollback loop.

Attack Vector

An unauthenticated or authenticated SMB client can send crafted SMB2 LOCK or UNLOCK requests against a ksmbd share to drive smb2_lock() into the affected error paths. Repeated requests exhaust kernel memory through the leaked smb_lock and file_lock structures. Triggering the rollback path under allocation pressure produces a kernel NULL pointer dereference and a kernel oops, causing the SMB server thread to crash and disrupting file service.

This vulnerability requires no user interaction and is exploitable over the network wherever ksmbd is exposed. Verified code examples are not publicly available; refer to the upstream commit messages in the Patch Information section for the precise call sequence.

Detection Methods for CVE-2026-31477

Indicators of Compromise

• Kernel oops or panic messages referencing smb2_lock, smb_flock_init, vfs_lock_file, or locks_free_lock in dmesg and /var/log/kern.log.
• Steady growth in kernel slab usage for file_lock_cache reported by slabtop on hosts running ksmbd.
• Unexpected restarts or unresponsiveness of the ksmbd kernel threads alongside SMB client disconnects.

Detection Strategies

• Monitor kernel logs for crash signatures that include BUG: kernel NULL pointer dereference with a call trace traversing smb2_lock.
• Correlate spikes in SMB2 LOCK or UNLOCK request volume with kernel memory growth on file servers.
• Audit installed kernel package versions against the fixed commits to identify systems still running affected builds.

Monitoring Recommendations

• Track MemAvailable and Slab values from /proc/meminfo on ksmbd hosts and alert on sustained downward trends.
• Capture and retain ksmbd server logs and SMB connection telemetry to attribute crashes to specific clients.
• Enable kdump so that any smb2_lock-related panic produces a crash dump for forensic analysis.

How to Mitigate CVE-2026-31477

Immediate Actions Required

• Apply the upstream stable kernel update that includes the smb2_lock() fix and reboot affected hosts.
• Restrict network reachability of ksmbd shares to trusted client subnets using host or perimeter firewalls.
• Disable the ksmbd module on systems that do not require an in-kernel SMB server until patches are installed.

Patch Information

The fix hoists locks_free_lock() and kfree() to a single shared free site in the UNLOCK branch, frees smb_lock and flock before goto out in the non-UNLOCK branch, propagates the correct error code, and wraps the rollback VFS unlock in an if (rlock) guard with a NULL check before locks_free_lock(rlock). The corrections are available in the following stable tree commits: Kernel Patch 309b44e, Kernel Patch 3cdacd1, Kernel Patch 91aeaa7, Kernel Patch aab42f0, Kernel Patch c9b95ef, and Kernel Patch cdac6f7.

Workarounds

• Unload the ksmbd module with modprobe -r ksmbd and migrate file shares to a userspace SMB server such as Samba until the kernel is patched.
• Block inbound TCP port 445 at the network edge and limit SMB exposure to authenticated VPN clients.
• Enforce SMB signing and require authentication on ksmbd shares to reduce the population of clients able to reach the vulnerable code path.

# Verify running kernel and unload ksmbd if not required
uname -r
sudo modprobe -r ksmbd
echo 'blacklist ksmbd' | sudo tee /etc/modprobe.d/disable-ksmbd.conf

# Restrict SMB to trusted sources while patching
sudo iptables -A INPUT -p tcp --dport 445 -s 10.0.0.0/8 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 445 -j DROP