{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31409", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-03-09T15:48:24.087Z", "datePublished": "2026-04-06T07:38:21.223Z", "dateUpdated": "2026-05-11T22:08:09.135Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:08:09.135Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: unset conn->binding on failed binding request\n\nWhen a multichannel SMB2_SESSION_SETUP request with\nSMB2_SESSION_REQ_FLAG_BINDING fails ksmbd sets conn->binding = true\nbut never clears it on the error path. This leaves the connection in\na binding state where all subsequent ksmbd_session_lookup_all() calls\nfall back to the global sessions table. This fix it by clearing\nconn->binding = false in the error path."}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH"}}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/smb/server/smb2pdu.c"], "versions": [{"version": "f5a544e3bab78142207e0242d22442db85ba1eff", "lessThan": "d073870dab8f6dadced81d13d273ff0b21cb7f4e", "status": "affected", "versionType": "git"}, {"version": "f5a544e3bab78142207e0242d22442db85ba1eff", "lessThan": "6ebef4a220a1ebe345de899ebb9ae394206fe921", "status": "affected", "versionType": "git"}, {"version": "f5a544e3bab78142207e0242d22442db85ba1eff", "lessThan": "89afe5e2dbea6e9d8e5f11324149d06fa3a4efca", "status": "affected", "versionType": "git"}, {"version": "f5a544e3bab78142207e0242d22442db85ba1eff", "lessThan": "9feb2d1bf86d9e5e66b8565f37f8d3a7d281a772", "status": "affected", "versionType": "git"}, {"version": "f5a544e3bab78142207e0242d22442db85ba1eff", "lessThan": "6260fc85ed1298a71d24a75d01f8b2e56d489a60", "status": "affected", "versionType": "git"}, {"version": "f5a544e3bab78142207e0242d22442db85ba1eff", "lessThan": "282343cf8a4a5a3603b1cb0e17a7083e4a593b03", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/smb/server/smb2pdu.c"], "versions": [{"version": "5.15", "status": "affected"}, {"version": "0", "lessThan": "5.15", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.167", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.130", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.78", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.20", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.10", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15", "versionEndExcluding": "6.1.167"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15", "versionEndExcluding": "6.6.130"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15", "versionEndExcluding": "6.12.78"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15", "versionEndExcluding": "6.18.20"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15", "versionEndExcluding": "6.19.10"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/d073870dab8f6dadced81d13d273ff0b21cb7f4e"}, {"url": "https://git.kernel.org/stable/c/6ebef4a220a1ebe345de899ebb9ae394206fe921"}, {"url": "https://git.kernel.org/stable/c/89afe5e2dbea6e9d8e5f11324149d06fa3a4efca"}, {"url": "https://git.kernel.org/stable/c/9feb2d1bf86d9e5e66b8565f37f8d3a7d281a772"}, {"url": "https://git.kernel.org/stable/c/6260fc85ed1298a71d24a75d01f8b2e56d489a60"}, {"url": "https://git.kernel.org/stable/c/282343cf8a4a5a3603b1cb0e17a7083e4a593b03"}], "title": "ksmbd: unset conn->binding on failed binding request", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: unset conn->binding on failed binding request\n\nWhen a multichannel SMB2_SESSION_SETUP request with\nSMB2_SESSION_REQ_FLAG_BINDING fails ksmbd sets conn->binding = true\nbut never clears it on the error path. This leaves the connection in\na binding state where all subsequent ksmbd_session_lookup_all() calls\nfall back to the global sessions table. This fix it by clearing\nconn->binding = false in the error path."}], "id": "CVE-2026-31409", "lastModified": "2026-04-27T14:16:37.107", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary"}]}, "published": "2026-04-06T08:16:38.943", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/282343cf8a4a5a3603b1cb0e17a7083e4a593b03"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/6260fc85ed1298a71d24a75d01f8b2e56d489a60"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/6ebef4a220a1ebe345de899ebb9ae394206fe921"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/89afe5e2dbea6e9d8e5f11324149d06fa3a4efca"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/9feb2d1bf86d9e5e66b8565f37f8d3a7d281a772"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/d073870dab8f6dadced81d13d273ff0b21cb7f4e"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: ksmbd: unset conn->binding on failed binding request", "id": "2455337", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2455337"}, "csaw": false, "cwe": "CWE-390", "details": ["A flaw was found in ksmbd, a component of the Linux kernel. This vulnerability occurs when a multichannel Server Message Block (SMB2) session setup request, specifically one with a binding flag, fails. Due to an error in handling this failure, ksmbd incorrectly retains a binding state for the connection. This can lead to all subsequent session lookups falling back to a global sessions table, potentially causing unexpected session management and service disruption."], "name": "CVE-2026-31409", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-06T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-31409\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31409\nhttps://lore.kernel.org/linux-cve-announce/2026040629-CVE-2026-31409-d22c@gregkh/T"]}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,d073870dab8f6dadced81d13d273ff0b21cb7f4e)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,6ebef4a220a1ebe345de899ebb9ae394206fe921)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,89afe5e2dbea6e9d8e5f11324149d06fa3a4efca)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,9feb2d1bf86d9e5e66b8565f37f8d3a7d281a772)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,6260fc85ed1298a71d24a75d01f8b2e56d489a60)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,282343cf8a4a5a3603b1cb0e17a7083e4a593b03)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.1.167,6.2.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.6.130,6.7.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.78,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.20,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.10,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0-rc5,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-28T21:43:38.424647+00:00", "value": {"mitigation_remediation": ["Upgrade the Linux kernel to a version that includes the ksmbd binding\u2011flag reset patch", "If a kernel upgrade cannot be applied immediately, stop or disable the ksmbd service to remove the vulnerable functionality", "Configure firewall rules to block inbound SMB traffic (TCP\u00a0445) from untrusted networks until the patch is applied"], "summary": {"action": "Apply patch", "impact": "Improper handling of the binding flag in Linux ksmbd leading to failed session lookups and potential denial of service"}, "threat_synthesis": {"affected_systems": "All Linux kernel installations that include the ksmbd SMB server are affected; no specific kernel releases are enumerated, indicating that any unfixed kernel could be vulnerable. This includes standard distributions whose kernels expose SMB port 445.", "description_and_impact": "In the Linux kernel\u2019s SMB server component, an error path for SMB2_SESSION_SETUP requests that include the binding flag fails to clear the per\u2011connection binding indicator. The leftover flag causes subsequent session\u2011lookup functions to fall back to a global table rather than the per\u2011connection context, which can result in incorrect session matching and potential resource exhaustion. This flaw reflects a failure to handle an error condition (CWE\u2011390) and could be leveraged by an attacker to disrupt SMB services or consume kernel resources. The impact is confined to systems running a kernel that has not yet incorporated the patch that resets the binding flag.", "risk_and_exploitability": "The CVSS score of 8.8 classifies the issue as high severity, yet the EPSS score of less than 1\u00a0% and the absence from the CISA KEV catalog suggest that exploitation is currently unlikely. The likely attack vector involves sending a malformed SMB2 request to a publicly reachable ksmbd instance; success would force the server into a repeated misclassification of session lookups, potentially leading to denial of service. No publicly demonstrated exploit is known, but the vulnerability remains relevant if the service is exposed."}}}}, "created": "2026-04-06T20:14:53.318914+00:00", "updated": "2026-04-28T21:45:26.152027+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}