CVE-2026-31608 Overview
CVE-2026-31608 is a double-free vulnerability [CWE-415] in the Linux kernel's ksmbd SMB server implementation. The flaw resides in the SMB Direct (RDMA) transport code, where smb_direct_free_sendmsg() is invoked twice on the same send message buffer. The first free occurs inside smb_direct_flush_send_list(), and a redundant second free occurs after post_sendmsg() migrates the message to the batch list. An unauthenticated remote attacker reaching the SMB Direct interface can trigger memory corruption in kernel space, leading to denial of service or potential code execution.
Critical Impact
A network-reachable attacker can corrupt kernel heap memory through a double-free in the in-kernel SMB server, with no authentication or user interaction required.
Affected Products
- Linux Kernel — ksmbd SMB server module (SMB Direct/RDMA transport)
- Distributions shipping vulnerable upstream kernels prior to the fix commits
- Systems exposing ksmbd over RDMA-capable network interfaces
Discovery Timeline
- 2026-04-24 - CVE-2026-31608 published to NVD
- 2026-04-29 - Last updated in NVD database
Technical Details for CVE-2026-31608
Vulnerability Analysis
The vulnerability exists in the ksmbd kernel module, which implements an in-kernel SMB3 file server. Within the SMB Direct transport layer, send messages are tracked through linked lists and freed via smb_direct_free_sendmsg(). The function smb_direct_flush_send_list() already releases each send message it processes. After a refactor moved sendmsg handling to a batch list inside post_sendmsg(), the caller continued to invoke smb_direct_free_sendmsg() on the same buffer that had already been freed by the flush path. This produces a classic double-free condition against kernel-allocated memory.
Double-free conditions in the kernel slab allocator can corrupt freelist pointers, enable arbitrary kernel write primitives through heap layout manipulation, and ultimately permit privilege escalation or kernel code execution. Because the affected code path is reachable over the network without authentication during SMB Direct session setup and message exchange, the attack surface is exposed to any host that can negotiate an RDMA connection with the target.
Root Cause
The root cause is an ownership logic error, closely related to use-after-free, introduced when send message lifecycle management was refactored to use a batch list. smb_direct_flush_send_list() owns the release of every message it walks, but the calling site in post_sendmsg() was not updated to drop its own call to smb_direct_free_sendmsg(). The result is two independent free operations on the same struct smb_direct_sendmsg allocation.
Attack Vector
Exploitation requires network reachability to a Linux host running ksmbd with SMB Direct enabled and an RDMA-capable transport such as InfiniBand or RoCE. An attacker initiates an SMB Direct connection and drives the server through the message flow that triggers the dual cleanup paths. No credentials, no user interaction, and no local access are required. Successful exploitation corrupts kernel memory and can crash the host or be developed into a remote kernel code execution primitive.
No public proof-of-concept exploit has been published. Technical detail for the fix is available in the upstream commits, including Kernel Git Commit 2ba03f46 and Kernel Git Commit 84ff995a.
Detection Methods for CVE-2026-31608
Indicators of Compromise
- Kernel oops or panic messages referencing smb_direct_free_sendmsg, smb_direct_flush_send_list, or post_sendmsg in dmesg and /var/log/kern.log.
- SLUB/SLAB allocator warnings such as double free or corruption, kernel BUG at mm/slub.c, or KASAN double-free reports on hosts running ksmbd.
- Unexpected restarts of the ksmbd worker threads or the host itself coinciding with inbound SMB Direct connections.
Detection Strategies
- Monitor kernel ring buffer output for crash signatures involving the ksmbd SMB Direct send path.
- Inspect network telemetry for inbound RDMA/SMB Direct sessions on TCP/445 and associated RDMA ports from untrusted sources.
- Verify kernel package versions against distribution advisories referencing the upstream fix commits.
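The indicators and the ring-buffer monitoring strategy above, as an added example that is not part of the advisory: it scans constructed kernel log lines (not captured from a real host) for the ksmbd SMB Direct send-path symbols and, for allocator corruption signatures, requires a ksmbd mention within a few neighbouring lines before raising an alert. The window size and sample lines are assumptions.

```c
#include <string.h>

/* Constructed sample kernel ring-buffer lines; not captured from a real host. */
static const char *sample_lines[] = {
    "[  812.104] BUG: KASAN: double-free in smb_direct_free_sendmsg+0x4c/0x90 [ksmbd]",
    "[  812.105] Call Trace: smb_direct_flush_send_list+0x12a/0x200 [ksmbd]",
    "[  900.001] e1000e: eth0 NIC Link is Up 1000 Mbps Full Duplex",
    "[  950.222] kernel BUG at mm/slub.c:1234!",
    "[  951.000] Workqueue: ksmbd-io [ksmbd]",
    "[  999.400] EXT4-fs (sda2): mounted filesystem with ordered data mode",
};
#define SAMPLE_COUNT 6
#define CONTEXT_WINDOW 2   /* assumed: lines before/after in which ksmbd context counts */

/* Indicator classes taken from the advisory's IoC list. */
static const char *send_path_syms[] = {
    "smb_direct_free_sendmsg", "smb_direct_flush_send_list", "post_sendmsg", NULL };
static const char *allocator_sigs[] = {
    "double free", "double-free", "kernel BUG at mm/slub.c", "KASAN", NULL };

static int has_any(const char *line, const char **needles)
{
    for (; *needles; needles++)
        if (strstr(line, *needles)) return 1;
    return 0;
}

/* 2: names the ksmbd SMB Direct send path; 1: allocator corruption signature
 * with ksmbd mentioned within CONTEXT_WINDOW lines; 0: not an indicator. */
int classify_line(const char **lines, int n, int i)
{
    if (has_any(lines[i], send_path_syms))
        return 2;
    if (!has_any(lines[i], allocator_sigs))
        return 0;
    for (int j = i - CONTEXT_WINDOW; j <= i + CONTEXT_WINDOW; j++)
        if (j >= 0 && j < n && strstr(lines[j], "ksmbd"))
            return 1;
    return 0;
}

/* Returns the number of lines that should raise an alert. */
int count_alerts(const char **lines, int n)
{
    int alerts = 0;
    for (int i = 0; i < n; i++)
        if (classify_line(lines, n, i) > 0)
            alerts++;
    return alerts;
}
```

On a live host the same logic can be fed from dmesg or /var/log/kern.log line by line; the allocator signatures alone are noisy without the ksmbd context check.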
Monitoring Recommendations
- Forward kernel logs and KASAN output to a centralized logging or SIEM platform for correlation with network events.
- Alert on repeated ksmbd module faults or RDMA transport resets that may indicate exploitation attempts.
- Track exposure of port 445 and RDMA interfaces to untrusted networks and flag any new external exposure.
How to Mitigate CVE-2026-31608
Immediate Actions Required
- Apply the upstream kernel patches referenced in the vendor advisories and rebuild or update affected kernel packages.
- Disable the ksmbd module on hosts that do not require an in-kernel SMB server: modprobe -r ksmbd and blacklist it where appropriate.
- Restrict SMB and SMB Direct access at the network layer to trusted management segments only.
- Inventory all Linux hosts exposing ksmbd over RDMA-capable transports and prioritize them for patching.
Patch Information
The fix removes the duplicate call to smb_direct_free_sendmsg() after post_sendmsg() so that ownership of the freed message remains exclusively with smb_direct_flush_send_list(). Patches have been merged into the stable trees via the following commits: Kernel Git Commit 2ba03f46, Kernel Git Commit 6968c91f, Kernel Git Commit 830de6ee, and Kernel Git Commit 84ff995a. Consult your distribution's security tracker for backported package versions.
Workarounds
- Unload the ksmbd kernel module on systems where it is not required for SMB file sharing.
- Block inbound traffic to TCP/445 and RDMA listener ports from untrusted networks using host or perimeter firewalls.
- Prefer userspace SMB servers such as Samba on hosts where the in-kernel server cannot be patched immediately.
# Disable and blacklist ksmbd on systems that do not require it
sudo systemctl stop ksmbd 2>/dev/null || true
sudo modprobe -r ksmbd
# "blacklist" only stops alias-based autoloading; the "install" line also
# defeats an explicit modprobe of the module
printf 'blacklist ksmbd\ninstall ksmbd /bin/false\n' | sudo tee /etc/modprobe.d/blacklist-ksmbd.conf
# Restrict SMB exposure at the host firewall (assumes the inet filter table and
# its input chain already exist; replace 10.0.0.0/8 with the trusted management segment)
sudo nft add rule inet filter input tcp dport 445 ip saddr != 10.0.0.0/8 drop
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.