{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31537", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-03-09T15:48:24.113Z", "datePublished": "2026-04-24T14:30:24.907Z", "dateUpdated": "2026-05-11T22:10:41.629Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:10:41.629Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: server: make use of smbdirect_socket.send_io.bcredits\n\nIt turns out that our code will corrupt the stream of\nreassabled data transfer messages when we trigger an\nimmendiate (empty) send.\n\nIn order to fix this we'll have a single 'batch' credit per\nconnection. And code getting that credit is free to use\nas much messages until remaining_length reaches 0, then\nthe batch credit it given back and the next logical send can\nhappen."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/smb/server/transport_rdma.c"], "versions": [{"version": "0626e6641f6b467447c81dd7678a69c66f7746cf", "lessThan": "5ef18a2e66f2f33fdac64437bddfb9fe6389fdc7", "status": "affected", "versionType": "git"}, {"version": "0626e6641f6b467447c81dd7678a69c66f7746cf", "lessThan": "79242e7b6bc63efec28b7c235bc320806afce6c0", "status": "affected", "versionType": "git"}, {"version": "0626e6641f6b467447c81dd7678a69c66f7746cf", "lessThan": "34abd408c8ba24d7c97bd02ba874d8c714f49db1", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/smb/server/transport_rdma.c"], "versions": [{"version": "5.15", "status": "affected"}, {"version": "0", "lessThan": "5.15", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.11", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.1", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15", "versionEndExcluding": "6.18.11"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15", "versionEndExcluding": "6.19.1"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/5ef18a2e66f2f33fdac64437bddfb9fe6389fdc7"}, {"url": "https://git.kernel.org/stable/c/79242e7b6bc63efec28b7c235bc320806afce6c0"}, {"url": "https://git.kernel.org/stable/c/34abd408c8ba24d7c97bd02ba874d8c714f49db1"}], "title": "smb: server: make use of smbdirect_socket.send_io.bcredits", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "15E921F5-9862-4FCB-AB2A-5ADDE34536EF", "versionEndExcluding": "6.18.11", "versionStartIncluding": "5.15", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "EE543C0D-A06B-414F-A403-CB1E088F261E", "versionEndExcluding": "6.19.1", "versionStartIncluding": "6.19", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: server: make use of smbdirect_socket.send_io.bcredits\n\nIt turns out that our code will corrupt the stream of\nreassabled data transfer messages when we trigger an\nimmendiate (empty) send.\n\nIn order to fix this we'll have a single 'batch' credit per\nconnection. And code getting that credit is free to use\nas much messages until remaining_length reaches 0, then\nthe batch credit it given back and the next logical send can\nhappen."}], "id": "CVE-2026-31537", "lastModified": "2026-04-28T19:09:04.870", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-24T15:16:27.633", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/34abd408c8ba24d7c97bd02ba874d8c714f49db1"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/5ef18a2e66f2f33fdac64437bddfb9fe6389fdc7"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/79242e7b6bc63efec28b7c235bc320806afce6c0"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: smb: server: make use of smbdirect_socket.send_io.bcredits", "id": "2461457", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2461457"}, "csaw": false, "cwe": "CWE-821", "details": ["A flaw was found in the Linux kernel's Server Message Block (SMB) server. An attacker could exploit this vulnerability by triggering an immediate (empty) send operation, which would corrupt the stream of reassembled data transfer messages. This corruption could lead to data integrity issues or potentially a denial of service."], "name": "CVE-2026-31537", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-24T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-31537\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31537\nhttps://lore.kernel.org/linux-cve-announce/2026042434-CVE-2026-31537-6202@gregkh/T"]}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[0626e6641f6b467447c81dd7678a69c66f7746cf,5ef18a2e66f2f33fdac64437bddfb9fe6389fdc7)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[0626e6641f6b467447c81dd7678a69c66f7746cf,79242e7b6bc63efec28b7c235bc320806afce6c0)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[0626e6641f6b467447c81dd7678a69c66f7746cf,34abd408c8ba24d7c97bd02ba874d8c714f49db1)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "5.15"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,5.15)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.11,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.1,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-28T23:47:53.415517+00:00", "value": {"mitigation_remediation": ["Upgrade the kernel to a version that includes the smbdirect_socket.send_io.bcredits fix (see the commit references in the advisory).", "If an immediate kernel upgrade cannot be performed, temporarily disable SMB services or block SMB traffic at the perimeter firewall to prevent exploitation.", "After applying the fix or workaround, monitor SMB connections for anomalous activity and ensure related SMB code paths are also free of remaining buffer\u2011management bugs."], "summary": {"action": "Apply patch", "impact": "Data corruption in SMB server stream"}, "threat_synthesis": {"affected_systems": "All Linux kernel builds that have not yet applied the fix for CVE-2026-31537 are susceptible. The exact kernel versions impacted are not listed in the CVE data; the remedy is referenced in the commit logs linked in the advisory. System administrators should review their kernel version and upgrade to a patched release where the smbdirect_socket.send_io.bcredits logic has been corrected.", "description_and_impact": "An improper handling of the SMBDIRECT socket credit counter in the Linux kernel can corrupt the stream of data transfer messages when an empty immediate send is performed. The bug manifests as a loss of data integrity in SMB traffic, potentially causing downtime or erratic behavior for clients communicating with the affected SMB server. The underlying weakness is a failure to correctly validate or manage buffer credits, which aligns with the CWE-821 classification of inadequate bounds checking.", "risk_and_exploitability": "The EPSS score for this vulnerability is reported as < 1%, indicating a very low probability of exploitation in real\u2011world scenarios, and it is not listed in the CISA KEV catalog. The CVSS score is 5.5, indicating moderate severity. The defect resides at the SMB protocol handling layer of the kernel, so an attacker would need network access to an exposed SMB service to trigger the corrupting send. Although the impact could be a denial of service or data corruption, the combination of the low EPSS, lack of a known exploit, and the requirement for a crafted SMB packet suggests a moderate but not immediate threat. Patching remains the recommended countermeasure."}}}}, "created": "2026-04-27T19:15:11.629163+00:00", "updated": "2026-04-29T00:00:13.803434+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"], "weaknesses": ["CWE-821"]}