CVE-2026-31717 Overview
CVE-2026-31717 is a high-severity vulnerability in the Linux kernel's ksmbd SMB3 server implementation. The flaw allows an authenticated user to hijack orphaned durable file handles belonging to other users. The ksmbd module fails to verify that the security context of a reconnect request matches the security context of the original file open, violating the MS-SMB2 protocol specification. An attacker who predicts or brute-forces a persistent ID can reconnect to another user's durable handle and access the associated file.
Critical Impact
Authenticated SMB users on the network can hijack orphaned durable handles by guessing persistent IDs, gaining unauthorized read and write access to files opened by other users.
Affected Products
- Linux Kernel (mainline, including 7.1-rc1)
- Linux distributions shipping ksmbd with SMB2 durable handle support
- Systems running ksmbd as an in-kernel SMB3 file server
Discovery Timeline
- 2026-05-01 - CVE-2026-31717 published to NVD
- 2026-05-06 - Last updated in NVD database
Technical Details for CVE-2026-31717
Vulnerability Analysis
The vulnerability resides in the ksmbd kernel SMB3 server's handling of durable handle reconnection. Durable handles are an SMB2 feature that allows clients to reconnect to a previously opened file after a brief network disruption. Each handle is identified by a persistent ID issued by the server.
The MS-SMB2 specification requires that on reconnect, the server validate the SecurityContext of the requesting session against the SecurityContext stored with the existing open. The ksmbd implementation omitted this check entirely. Any authenticated SMB user could issue an SMB2_CREATE request with the DHnC (Durable Handle Reconnect) context and inherit a handle previously opened by a different user.
The fix introduces a durable_owner structure in ksmbd_file that records the original opener's UID, GID, and account name when a handle becomes orphaned. A new helper, ksmbd_vfs_compare_durable_owner(), validates the requester's identity during reconnect.
Root Cause
The root cause is a missing authorization check [CWE-285] in the durable handle reconnect path. The reconnect logic indexed handles solely by persistent ID without binding them to the originating user's security context. Persistent IDs are not designed as secrets, so reliance on their unpredictability does not provide an authorization boundary.
Attack Vector
The attacker requires valid SMB credentials on the target ksmbd server. After authenticating, the attacker enumerates or brute-forces persistent IDs and issues SMB2_CREATE requests carrying the DHnC create context. When a matching orphaned handle exists, the server attaches the attacker's session to a handle originally opened by another user, granting the original handle's access rights to the attacker.
No user interaction is required, and exploitation occurs entirely over the network on standard SMB ports. See the upstream fixes at the Linux Kernel Commit Log for the implementation details.
Detection Methods for CVE-2026-31717
Indicators of Compromise
- SMB2_CREATE requests containing the DHnC reconnect context originating from a session whose UID does not match the historical opener of the targeted persistent ID.
- Repeated SMB2_CREATE failures with STATUS_OBJECT_NAME_NOT_FOUND or STATUS_ACCESS_DENIED from a single client, suggesting persistent ID brute-forcing.
- Audit log entries showing the same persistent ID being accessed by multiple distinct user accounts within a short time window.
Detection Strategies
- Enable ksmbd audit logging and alert on durable handle reconnects where the requesting account differs from the account that originally opened the file.
- Monitor SMB session establishment patterns for accounts issuing high volumes of SMB2_CREATE requests with DHnC contexts.
- Correlate SMB authentication events with file access events to flag cross-user handle reuse.
Monitoring Recommendations
- Capture SMB traffic at network choke points and inspect SMB2_CREATE Create Contexts for unusual DHnC activity.
- Forward ksmbd and kernel audit logs to a centralized log platform with retention sufficient for forensic review.
- Establish baselines for legitimate durable handle reconnect rates per user and alert on deviations.
How to Mitigate CVE-2026-31717
Immediate Actions Required
- Apply the upstream ksmbd patches that introduce the durable_owner structure and the ksmbd_vfs_compare_durable_owner() validation routine.
- Restrict SMB access to trusted network segments and authenticated users only, using firewall rules on TCP port 445.
- Audit existing SMB user accounts and disable or rotate credentials for any accounts that are not actively required.
Patch Information
The vulnerability is resolved by three upstream commits available at the Linux Kernel Commit Log (00ce8d6), the Linux Kernel Commit Log (49110a8), and the Linux Kernel Commit Log (c908c85). Update to a kernel build that includes these commits and reboot affected systems. Distribution-specific backports should be applied where available.
Workarounds
- Disable durable handle support in ksmbd configuration if the workload does not require client reconnection across network interruptions.
- Replace ksmbd with an alternative SMB server such as Samba smbd until kernel patches are deployed.
- Limit SMB exposure to authenticated users on isolated VLANs and enforce strong credential policies to reduce the pool of potential attackers.
# Verify running kernel version and ksmbd module status
uname -r
lsmod | grep ksmbd
# Stop and unload ksmbd if not required
systemctl stop ksmbd.service
systemctl disable ksmbd.service
modprobe -r ksmbd
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
