{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31536", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-03-09T15:48:24.113Z", "datePublished": "2026-04-24T14:30:24.224Z", "dateUpdated": "2026-05-11T22:10:40.525Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:10:40.525Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: server: let send_done handle a completion without IB_SEND_SIGNALED\n\nWith smbdirect_send_batch processing we likely have requests without\nIB_SEND_SIGNALED, which will be destroyed in the final request\nthat has IB_SEND_SIGNALED set.\n\nIf the connection is broken all requests are signaled\neven without explicit IB_SEND_SIGNALED."}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL"}}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/smb/server/transport_rdma.c"], "versions": [{"version": "0626e6641f6b467447c81dd7678a69c66f7746cf", "lessThan": "24082642654f3e5149913946e89c00a297a8868f", "status": "affected", "versionType": "git"}, {"version": "0626e6641f6b467447c81dd7678a69c66f7746cf", "lessThan": "e38b415c024bc3b6321bf8650dbf3f4aab8e74b3", "status": "affected", "versionType": "git"}, {"version": "0626e6641f6b467447c81dd7678a69c66f7746cf", "lessThan": "9da82dc73cb03e85d716a2609364572367a5ff47", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/smb/server/transport_rdma.c"], "versions": [{"version": "5.15", "status": "affected"}, {"version": "0", "lessThan": "5.15", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.11", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.1", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15", "versionEndExcluding": "6.18.11"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15", "versionEndExcluding": "6.19.1"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/24082642654f3e5149913946e89c00a297a8868f"}, {"url": "https://git.kernel.org/stable/c/e38b415c024bc3b6321bf8650dbf3f4aab8e74b3"}, {"url": "https://git.kernel.org/stable/c/9da82dc73cb03e85d716a2609364572367a5ff47"}], "title": "smb: server: let send_done handle a completion without IB_SEND_SIGNALED", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "15E921F5-9862-4FCB-AB2A-5ADDE34536EF", "versionEndExcluding": "6.18.11", "versionStartIncluding": "5.15", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "EE543C0D-A06B-414F-A403-CB1E088F261E", "versionEndExcluding": "6.19.1", "versionStartIncluding": "6.19", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: server: let send_done handle a completion without IB_SEND_SIGNALED\n\nWith smbdirect_send_batch processing we likely have requests without\nIB_SEND_SIGNALED, which will be destroyed in the final request\nthat has IB_SEND_SIGNALED set.\n\nIf the connection is broken all requests are signaled\neven without explicit IB_SEND_SIGNALED."}], "id": "CVE-2026-31536", "lastModified": "2026-04-28T19:10:25.500", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary"}]}, "published": "2026-04-24T15:16:27.530", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/24082642654f3e5149913946e89c00a297a8868f"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/9da82dc73cb03e85d716a2609364572367a5ff47"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/e38b415c024bc3b6321bf8650dbf3f4aab8e74b3"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: smb: server: let send_done handle a completion without IB_SEND_SIGNALED", "id": "2461539", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2461539"}, "csaw": false, "cwe": "CWE-166", "details": ["A flaw was found in the Linux kernel's Server Message Block (SMB) direct server implementation. This issue occurs during `smbdirect_send_batch` processing where requests without the `IB_SEND_SIGNALED` flag may be incorrectly handled when a connection is broken. This could lead to unexpected behavior related to request completion and resource management within the SMB server."], "name": "CVE-2026-31536", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-24T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-31536\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31536\nhttps://lore.kernel.org/linux-cve-announce/2026042433-CVE-2026-31536-d7cc@gregkh/T"]}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[0626e6641f6b467447c81dd7678a69c66f7746cf,24082642654f3e5149913946e89c00a297a8868f)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[0626e6641f6b467447c81dd7678a69c66f7746cf,e38b415c024bc3b6321bf8650dbf3f4aab8e74b3)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[0626e6641f6b467447c81dd7678a69c66f7746cf,9da82dc73cb03e85d716a2609364572367a5ff47)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "5.15"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,5.15)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.11,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.1,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-28T23:48:26.605591+00:00", "value": {"mitigation_remediation": ["Apply the kernel patch from the commit that fixes the send_done handling flaw and reboot the system.", "Restart SMB services (e.g., smbd, nmbd) after the kernel update to ensure the fix is in effect.", "If SMB is not required, disable the SMB server or block SMB traffic on the network as a temporary mitigation."], "summary": {"action": "Immediate Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "The vulnerability applies to all Linux kernel releases that include the SMB server component and have not incorporated the recent commit that fixes the send_done handling logic. No specific version ranges are enumerated in the advisory, so any kernel older than the patched state is potentially vulnerable.", "description_and_impact": "The Linux kernel SMB server has a flaw where the function that finalizes data transmission, send_done, can be called for a request that lacks the IB_SEND_SIGNALED flag. In such a case the code mistakenly assumes the request will be cleaned up during the final flagged request. If an unflagged request is processed before a flagged one, the missing cleanup can corrupt kernel memory or crash the system, resulting in a denial of service. This bug is an instance of CWE-166, an improper use of a pointer or inadequate handling of a control flag.", "risk_and_exploitability": "With a CVSS score of 9.8 this flaw is classified as critical, yet the EPSS score of less than 1% suggests current exploitation activity is very low. The issue is not listed in the CISA KEV catalog. Based on the description, it is inferred that attackers could exploit the vulnerability by sending specially crafted SMB requests that trigger a send_done call without the IB_SEND_SIGNALED flag. The likely attack vector is through the SMB protocol, possibly by an attacker who can reach the SMB service on the target machine."}}}}, "created": "2026-04-27T19:15:11.629703+00:00", "updated": "2026-04-29T00:00:13.804420+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}