CVE-2026-31477

HIGH EPSS 37.8%
Published Apr 22, 20262mo ago · Modified Jun 17, 20261w ago
7.5 CVSS 3.1
High
Find Similar
Published Apr 22, 2026 2mo ago
Last Modified Jun 17, 2026 1w ago

Description

In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix memory leaks and NULL deref in smb2_lock() smb2_lock() has three error handling issues after list_del() detaches smb_lock from lock_list at no_check_cl: 1) If vfs_lock_file() returns an unexpected error in the non-UNLOCK path, goto out leaks smb_lock and its flock because the out: handler only iterates lock_list and rollback_list, neither of which contains the detached smb_lock. 2) If vfs_lock_file() returns -ENOENT in the UNLOCK path, goto out leaks smb_lock and flock for the same reason. The error code returned to the dispatcher is also stale. 3) In the rollback path, smb_flock_init() can return NULL on allocation failure. The result is dereferenced unconditionally, causing a kernel NULL pointer dereference. Add a NULL check to prevent the crash and clean up the bookkeeping; the VFS lock itself cannot be rolled back without the allocation and will be released at file or connection teardown. Fix cases 1 and 2 by hoisting the locks_free_lock()/kfree() to before the if(!rc) check in the UNLOCK branch so all exit paths share one free site, and by freeing smb_lock and flock before goto out in the non-UNLOCK branch. Propagate the correct error code in both cases. Fix case 3 by wrapping the VFS unlock in an if(rlock) guard and adding a NULL check for locks_free_lock(rlock) in the shared cleanup. Found via call-graph analysis using sqry.

CVSS Details

Base Score
7.5
Exploitability
3.9
Impact
3.6
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability High

Threat Intelligence

EPSS Exploit Probability
37.8% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-476 NULL Pointer Dereference Memory Safety

Affected Products 13

VendorProductVersionRange
linuxlinux_kernel*≥5.15.1  –  <6.1.168
linuxlinux_kernel*≥6.2  –  <6.6.131
linuxlinux_kernel*≥6.7  –  <6.12.80
linuxlinux_kernel*≥6.13  –  <6.18.21
linuxlinux_kernel*≥6.19  –  <6.19.11
linuxlinux_kernel5.15any
linuxlinux_kernel7.0any
linuxlinux_kernel7.0any
linuxlinux_kernel7.0any
linuxlinux_kernel7.0any
linuxlinux_kernel7.0any
linuxlinux_kernel7.0any
linuxlinux_kernel7.0any

References 6

  • git.kernel.org https://git.kernel.org/stable/c/309b44ed684496ed3f9c5715d10b899338623512
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/3cdacd11b41569ce75b3162142240f2355e04900
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/91aeaa7256006d79a37298f5a1df23325db91599
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/aab42f0795620cf0d3955a520f571f697d0f9a2a
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/c9b95ef6f5039f19e46c3a521a4fe1752d91dfe9
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/cdac6f7e7e428dc70e3b5898ac6999a72ed13993
    Patch

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/309b44ed684496ed3f9c5715d10b899338623512
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/3cdacd11b41569ce75b3162142240f2355e04900
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/91aeaa7256006d79a37298f5a1df23325db91599
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/aab42f0795620cf0d3955a520f571f697d0f9a2a
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/c9b95ef6f5039f19e46c3a521a4fe1752d91dfe9
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/cdac6f7e7e428dc70e3b5898ac6999a72ed13993
    Patch