{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31477", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-03-09T15:48:24.098Z", "datePublished": "2026-04-22T13:54:05.470Z", "dateUpdated": "2026-05-11T22:09:29.536Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:09:29.536Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix memory leaks and NULL deref in smb2_lock()\n\nsmb2_lock() has three error handling issues after list_del() detaches\nsmb_lock from lock_list at no_check_cl:\n\n1) If vfs_lock_file() returns an unexpected error in the non-UNLOCK\n path, goto out leaks smb_lock and its flock because the out:\n handler only iterates lock_list and rollback_list, neither of\n which contains the detached smb_lock.\n\n2) If vfs_lock_file() returns -ENOENT in the UNLOCK path, goto out\n leaks smb_lock and flock for the same reason. The error code\n returned to the dispatcher is also stale.\n\n3) In the rollback path, smb_flock_init() can return NULL on\n allocation failure. The result is dereferenced unconditionally,\n causing a kernel NULL pointer dereference. Add a NULL check to\n prevent the crash and clean up the bookkeeping; the VFS lock\n itself cannot be rolled back without the allocation and will be\n released at file or connection teardown.\n\nFix cases 1 and 2 by hoisting the locks_free_lock()/kfree() to before\nthe if(!rc) check in the UNLOCK branch so all exit paths share one\nfree site, and by freeing smb_lock and flock before goto out in the\nnon-UNLOCK branch. Propagate the correct error code in both cases.\nFix case 3 by wrapping the VFS unlock in an if(rlock) guard and adding\na NULL check for locks_free_lock(rlock) in the shared cleanup.\n\nFound via call-graph analysis using sqry."}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH"}}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/smb/server/smb2pdu.c"], "versions": [{"version": "e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9", "lessThan": "cdac6f7e7e428dc70e3b5898ac6999a72ed13993", "status": "affected", "versionType": "git"}, {"version": "e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9", "lessThan": "c9b95ef6f5039f19e46c3a521a4fe1752d91dfe9", "status": "affected", "versionType": "git"}, {"version": "e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9", "lessThan": "91aeaa7256006d79a37298f5a1df23325db91599", "status": "affected", "versionType": "git"}, {"version": "e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9", "lessThan": "3cdacd11b41569ce75b3162142240f2355e04900", "status": "affected", "versionType": "git"}, {"version": "e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9", "lessThan": "aab42f0795620cf0d3955a520f571f697d0f9a2a", "status": "affected", "versionType": "git"}, {"version": "e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9", "lessThan": "309b44ed684496ed3f9c5715d10b899338623512", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/smb/server/smb2pdu.c"], "versions": [{"version": "5.15", "status": "affected"}, {"version": "0", "lessThan": "5.15", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.168", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.131", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.80", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.21", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.11", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15", "versionEndExcluding": "6.1.168"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15", "versionEndExcluding": "6.6.131"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15", "versionEndExcluding": "6.12.80"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15", "versionEndExcluding": "6.18.21"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15", "versionEndExcluding": "6.19.11"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/cdac6f7e7e428dc70e3b5898ac6999a72ed13993"}, {"url": "https://git.kernel.org/stable/c/c9b95ef6f5039f19e46c3a521a4fe1752d91dfe9"}, {"url": "https://git.kernel.org/stable/c/91aeaa7256006d79a37298f5a1df23325db91599"}, {"url": "https://git.kernel.org/stable/c/3cdacd11b41569ce75b3162142240f2355e04900"}, {"url": "https://git.kernel.org/stable/c/aab42f0795620cf0d3955a520f571f697d0f9a2a"}, {"url": "https://git.kernel.org/stable/c/309b44ed684496ed3f9c5715d10b899338623512"}], "title": "ksmbd: fix memory leaks and NULL deref in smb2_lock()", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "9CCD781C-B6A2-442F-817F-8C51A38AFB71", "versionEndExcluding": "6.1.168", "versionStartIncluding": "5.15.1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "CE6ED4D4-0046-4573-BFA9-D64143B6A89F", "versionEndExcluding": "6.6.131", "versionStartIncluding": "6.2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "97EB19EC-A11E-49C6-9D2F-6F6EC6CB98B6", "versionEndExcluding": "6.12.80", "versionStartIncluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "ED39847A-3B46-4729-B7CA-B2C30B9FA8FE", "versionEndExcluding": "6.18.21", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "4CA2E747-A9EC-4518-9AA2-B4247FC748B7", "versionEndExcluding": "6.19.11", "versionStartIncluding": "6.19", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.15:-:*:*:*:*:*:*", "matchCriteriaId": "40D9C0D1-0F32-4A2B-9840-1072F5497540", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "02259FDA-961B-47BC-AE7F-93D7EC6E90C2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*", "matchCriteriaId": "58A9FEFF-C040-420D-8F0A-BFDAAA1DF258", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*", "matchCriteriaId": "1D2315C0-D46F-4F85-9754-F9E5E11374A6", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*", "matchCriteriaId": "512EE3A8-A590-4501-9A94-5D4B268D6138", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix memory leaks and NULL deref in smb2_lock()\n\nsmb2_lock() has three error handling issues after list_del() detaches\nsmb_lock from lock_list at no_check_cl:\n\n1) If vfs_lock_file() returns an unexpected error in the non-UNLOCK\n path, goto out leaks smb_lock and its flock because the out:\n handler only iterates lock_list and rollback_list, neither of\n which contains the detached smb_lock.\n\n2) If vfs_lock_file() returns -ENOENT in the UNLOCK path, goto out\n leaks smb_lock and flock for the same reason. The error code\n returned to the dispatcher is also stale.\n\n3) In the rollback path, smb_flock_init() can return NULL on\n allocation failure. The result is dereferenced unconditionally,\n causing a kernel NULL pointer dereference. Add a NULL check to\n prevent the crash and clean up the bookkeeping; the VFS lock\n itself cannot be rolled back without the allocation and will be\n released at file or connection teardown.\n\nFix cases 1 and 2 by hoisting the locks_free_lock()/kfree() to before\nthe if(!rc) check in the UNLOCK branch so all exit paths share one\nfree site, and by freeing smb_lock and flock before goto out in the\nnon-UNLOCK branch. Propagate the correct error code in both cases.\nFix case 3 by wrapping the VFS unlock in an if(rlock) guard and adding\na NULL check for locks_free_lock(rlock) in the shared cleanup.\n\nFound via call-graph analysis using sqry."}], "id": "CVE-2026-31477", "lastModified": "2026-04-27T23:24:22.547", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary"}]}, "published": "2026-04-22T14:16:44.440", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/309b44ed684496ed3f9c5715d10b899338623512"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/3cdacd11b41569ce75b3162142240f2355e04900"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/91aeaa7256006d79a37298f5a1df23325db91599"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/aab42f0795620cf0d3955a520f571f697d0f9a2a"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/c9b95ef6f5039f19e46c3a521a4fe1752d91dfe9"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/cdac6f7e7e428dc70e3b5898ac6999a72ed13993"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-476"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: ksmbd: fix memory leaks and NULL deref in smb2_lock()", "id": "2460681", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2460681"}, "csaw": false, "cwe": "CWE-476", "details": ["A flaw was found in ksmbd in the Linux kernel. Error handling issues within the `smb2_lock()` function can lead to memory leaks. Additionally, an allocation failure in `smb_flock_init()` can result in a NULL pointer dereference, causing the kernel to crash. This vulnerability could allow a local attacker to cause a Denial of Service (DoS) by triggering these error conditions."], "name": "CVE-2026-31477", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-22T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-31477\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31477\nhttps://lore.kernel.org/linux-cve-announce/2026042257-CVE-2026-31477-2808@gregkh/T"]}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9,cdac6f7e7e428dc70e3b5898ac6999a72ed13993)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9,c9b95ef6f5039f19e46c3a521a4fe1752d91dfe9)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9,91aeaa7256006d79a37298f5a1df23325db91599)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9,3cdacd11b41569ce75b3162142240f2355e04900)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9,aab42f0795620cf0d3955a520f571f697d0f9a2a)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9,309b44ed684496ed3f9c5715d10b899338623512)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "5.15"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,5.15)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.1.168,6.2.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.6.131,6.7.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.80,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.21,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.11,7.0.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-28T08:15:27.934805+00:00", "value": {"mitigation_remediation": ["Upgrade the Linux kernel to a version that includes the ksmbd patch referenced in the commit list.", "If an immediate kernel upgrade is not feasible, disable or limit incoming SMB traffic to reduce exposure.", "After applying the patch, monitor kernel logs for SMB-related panics or lock failures to confirm remediation."], "summary": {"action": "Patch", "impact": "Kernel Null Pointer Dereference (Denial of Service)"}, "threat_synthesis": {"affected_systems": "The affected systems are any Linux kernels that still contain the unpatched ksmbd code. The CPE string lists only the generic Linux kernel, and no particular version range is specified, implying that any kernel revision older than the commit that introduces the patch is likely vulnerable. All distributions shipping that kernel will be exposed until they apply the updated source or a backport.", "description_and_impact": "This flaw exists in the ksmbd SMB2 implementation of the Linux kernel. It arises from incomplete error handling inside smb2_lock(), where unexpected errors or allocation failures can leak memory or lead to an unconditional NULL dereference of a VFS lock. The resulting kernel crash destabilizes the entire system, providing a classic denial-of-service vector. The weakness is a classic null pointer dereference, mapped to CWE-476.", "risk_and_exploitability": "The CVSS score of 7.5 reflects a high\u2011impact vulnerability, yet the EPSS score of less than 1% indicates a very low probability of exploitation so far and the issue is not listed in the CISA KEV catalog. The vulnerability requires an attacker to drive the SMB lock path\u2014most plausibly by sending crafted SMB lock/unlock requests\u2014to trigger the fault. This inferred attack vector suggests that remote SMB clients could exploit the flaw, but no public exploit has been reported. Administrators should treat it as a significant risk to service availability and prioritize patching or temporary mitigation."}}}}, "created": "2026-04-22T17:00:11.727386+00:00", "updated": "2026-04-28T08:30:13.184332+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"], "weaknesses": ["CWE-476"]}