The SentinelOne Annual Threat Report - A Defenders Guide from the FrontlinesThe SentinelOne Annual Threat ReportGet the Report
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI for Security
      Leading the Way in AI-Powered Security Solutions
    • Securing AI
      Accelerate AI Adoption with Secure AI Tools, Apps, and Agents.
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • AI Data Pipelines
      Security Data Pipeline for AI SIEM and Data Optimization
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly Ingest Data from On-Prem, Cloud or Hybrid Environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    • Singularity Identity
      Identity Threat Detection and Response
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-Powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Securing AI
    • Prompt Security
      Secure AI Tools Across Your Enterprise
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-Class Expertise and Threat Intelligence
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      DFIR, Breach Readiness, & Compromise Assessments
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive Solutions for Seamless Security Operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • SentinelOne for Google Cloud
      Unified, Autonomous Security Giving Defenders the Advantage at Global Scale
    • Partner Locator
      Your Go-to Source for Our Top Partners in Your Region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2026-31610

CVE-2026-31610: Linux Kernel Information Disclosure Flaw

CVE-2026-31610 is an information disclosure vulnerability in the Linux Kernel ksmbd component that causes memory leaks through malformed SPNEGO tokens. This article covers technical details, affected versions, and mitigation.

Published: April 30, 2026

CVE-2026-31610 Overview

A memory leak vulnerability has been discovered in the Linux kernel's ksmbd (Kernel SMB Direct) component. The vulnerability exists in the SPNEGO (Simple and Protected GSSAPI Negotiation Mechanism) token handling during SMB session setup. When the ASN.1 BER decoder processes a negTokenInit structure, the ksmbd_neg_token_alloc() function allocates memory for conn->mechToken via kmemdup_nul(). If a subsequent element in the SPNEGO blob is malformed (such as an overrunning mechListMIC), the decoder returns an error after the allocation has already occurred, but the cleanup logic fails to free the allocated memory.

Critical Impact

Unauthenticated remote attackers can cause slow memory exhaustion on ksmbd servers by sending malformed SPNEGO authentication requests, potentially leading to denial of service conditions without requiring valid credentials.

Affected Products

  • Linux Kernel (ksmbd component)
  • Systems running ksmbd as an in-kernel SMB server
  • Multiple kernel versions with ksmbd support enabled

Discovery Timeline

  • April 24, 2026 - CVE-2026-31610 published to NVD
  • April 29, 2026 - Last updated in NVD database

Technical Details for CVE-2026-31610

Vulnerability Analysis

This vulnerability is classified as CWE-401 (Missing Release of Memory after Effective Lifetime), commonly known as a memory leak. The flaw resides in the error handling path of the SPNEGO token decoding process within ksmbd.

The Linux kernel's ASN.1 BER decoder operates incrementally, invoking action callbacks as it parses each element of the input structure. When processing a negTokenInit message, upon encountering the mechToken [2] OCTET STRING element, the decoder triggers ksmbd_neg_token_alloc(), which immediately allocates memory using kmemdup_nul() and stores the pointer in conn->mechToken.

The problem arises when a subsequent element in the SPNEGO blob—such as the mechListMIC [3] field—contains malformed data that overruns the enclosing SEQUENCE boundary. This causes the decoder to return a non-zero error code, but at this point, the mechToken allocation has already been committed. The decode_negotiation_token() function then sets conn->use_spnego = false since both negTokenInit and negTokenTarg grammar parsing failed.

The cleanup code in smb2_sess_setup() includes an overly restrictive conditional check that prevents the memory from being freed when use_spnego is false. This codepath is reachable before authentication completes, meaning untrusted network clients can trigger this leak repeatedly.

Root Cause

The root cause is a flawed error handling condition in the session cleanup code. The original cleanup logic used the following pattern:

c
if (conn->use_spnego && conn->mechToken) {
    kfree(conn->mechToken);
    conn->mechToken = NULL;
}

This gate on use_spnego is incorrect because the mechToken can be allocated even when SPNEGO processing ultimately fails (setting use_spnego = false). The fix removes the use_spnego check entirely, ensuring the mechToken is always freed when present. Additionally, the patch adds a safety net in ksmbd_conn_free() to catch any mechToken allocations that might escape other cleanup paths.

Attack Vector

The attack requires local access to a system running the ksmbd service. An attacker can craft malformed SMB session setup requests containing SPNEGO tokens with intentionally corrupted ASN.1 structures. By repeatedly sending these malformed requests, an attacker can gradually exhaust available kernel memory on the target server.

The attack scenario involves:

  1. Connecting to a ksmbd server on TCP port 445
  2. Initiating an SMB session setup with a SPNEGO negTokenInit blob
  3. Crafting the mechListMIC field to overrun the SEQUENCE boundary
  4. Repeating the process to cause progressive memory exhaustion

Since this occurs pre-authentication, no valid credentials are required to exploit this vulnerability.

Detection Methods for CVE-2026-31610

Indicators of Compromise

  • Gradual increase in kernel memory usage on systems running ksmbd
  • Elevated number of failed SMB authentication attempts in system logs
  • ksmbd service instability or crashes due to memory pressure
  • Unusual patterns of incomplete SMB session setup requests from single sources

Detection Strategies

  • Monitor kernel memory allocation patterns for the ksmbd module using kernel memory accounting tools
  • Implement rate limiting on SMB session setup requests to detect abuse patterns
  • Analyze network traffic for malformed SPNEGO tokens with unusual ASN.1 structures
  • Deploy intrusion detection rules to identify anomalous SMB authentication behavior

Monitoring Recommendations

  • Enable ksmbd debug logging to capture detailed session setup failures
  • Set up memory usage alerts for systems running in-kernel SMB services
  • Monitor for repeated authentication failures from the same source IP addresses
  • Implement network-level monitoring for SMB traffic anomalies on port 445

How to Mitigate CVE-2026-31610

Immediate Actions Required

  • Apply the official kernel patches from the Linux kernel stable tree
  • Consider temporarily disabling ksmbd if not required until patching is complete
  • Implement network access controls to limit SMB exposure to trusted networks
  • Monitor affected systems for signs of memory exhaustion

Patch Information

The Linux kernel development team has released patches across multiple stable kernel branches. The fix removes the unnecessary use_spnego conditional check and adds failsafe cleanup in ksmbd_conn_free().

Official patches are available from the following kernel git commits:

  • Kernel Patch 269c800
  • Kernel Patch 6c8c44e
  • Kernel Patch 745a535
  • Kernel Patch ad0057fb
  • Kernel Patch dd53414
  • Kernel Patch dd577cb5

Workarounds

  • Disable the ksmbd kernel module if in-kernel SMB server functionality is not required
  • Use Samba user-space SMB server as an alternative until patches are applied
  • Restrict network access to SMB services using firewall rules to limit exposure
bash
# Disable ksmbd module temporarily
sudo modprobe -r ksmbd

# Block external SMB access via firewall
sudo iptables -A INPUT -p tcp --dport 445 -j DROP
sudo iptables -A INPUT -p tcp --dport 139 -j DROP

# If using ksmbd, apply kernel updates
sudo apt update && sudo apt upgrade linux-image-generic
# Or for RHEL-based systems
sudo yum update kernel

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypeInformation Disclosure
  • Vendor/TechLinux Kernel
  • SeverityMEDIUM
  • CVSS Score5.5
  • EPSS Probability0.02%
  • Known ExploitedNo
  • CVSS Vector
  • CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
  • Impact Assessment
  • ConfidentialityLow
  • IntegrityNone
  • AvailabilityHigh
  • CWE References
  • CWE-401
  • Vendor Resources
  • Kernel Patch 269c800
  • Kernel Patch 6c8c44e
  • Kernel Patch 745a535
  • Kernel Patch ad0057fb
  • Kernel Patch dd53414
  • Kernel Patch dd577cb5
  • Related CVEs
  • CVE-2026-31708: Linux Kernel Information Disclosure Flaw
  • CVE-2026-43088: Linux Kernel Information Disclosure Flaw
  • CVE-2026-43085: Linux Kernel Information Disclosure Flaw
  • CVE-2026-43089: Linux Kernel Information Disclosure Flaw
Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use

English