CVE-2026-31610

MEDIUM EPSS 3.4%
Published Apr 24, 20262mo ago · Modified Jun 17, 20261w ago
5.5 CVSS 3.1
Medium
Find Similar
Published Apr 24, 2026 2mo ago
Last Modified Jun 17, 2026 1w ago

Description

In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix mechToken leak when SPNEGO decode fails after token alloc The kernel ASN.1 BER decoder calls action callbacks incrementally as it walks the input. When ksmbd_decode_negTokenInit() reaches the mechToken [2] OCTET STRING element, ksmbd_neg_token_alloc() allocates conn->mechToken immediately via kmemdup_nul(). If a later element in the same blob is malformed, then the decoder will return nonzero after the allocation is already live. This could happen if mechListMIC [3] overrunse the enclosing SEQUENCE. decode_negotiation_token() then sets conn->use_spnego = false because both the negTokenInit and negTokenTarg grammars failed. The cleanup at the bottom of smb2_sess_setup() is gated on use_spnego: if (conn->use_spnego && conn->mechToken) { kfree(conn->mechToken); conn->mechToken = NULL; } so the kfree is skipped, causing the mechToken to never be freed. This codepath is reachable pre-authentication, so untrusted clients can cause slow memory leaks on a server without even being properly authenticated. Fix this up by not checking check for use_spnego, as it's not required, so the memory will always be properly freed. At the same time, always free the memory in ksmbd_conn_free() incase some other failure path forgot to free it.

CVSS Details

Base Score
5.5
Exploitability
1.8
Impact
3.6
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability High

Threat Intelligence

EPSS Exploit Probability
3.4% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-401

Affected Products 5

VendorProductVersionRange
linuxlinux_kernel*≥5.15  –  <6.6.136
linuxlinux_kernel*≥6.7  –  <6.12.83
linuxlinux_kernel*≥6.13  –  <6.18.24
linuxlinux_kernel*≥6.19  –  <6.19.14
linuxlinux_kernel*≥7.0  –  <7.0.1

References 6

  • git.kernel.org https://git.kernel.org/stable/c/269c800a7a7e363459291885b35f7bc72e231ed6
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/6c8c44e6553b9f072f62d9875e567766eb293162
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/745a535461bbb90a56d9357573c9f97a5c12abe1
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/ad0057fb91218914d6c98268718ceb9d59b388e1
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/dd53414e301beb915fe672dc4c4a51bafb917604
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/dd577cb55588ec3fbc66af3621280306601c4192
    Patch

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/269c800a7a7e363459291885b35f7bc72e231ed6
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/6c8c44e6553b9f072f62d9875e567766eb293162
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/745a535461bbb90a56d9357573c9f97a5c12abe1
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/ad0057fb91218914d6c98268718ceb9d59b388e1
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/dd53414e301beb915fe672dc4c4a51bafb917604
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/dd577cb55588ec3fbc66af3621280306601c4192
    Patch