Blackfort Technology
IT Security · Technical Article · May 18, 2026 · Christian Gebhardt

CVE-2026-31718: Linux Kernel ksmbd Use-After-Free Vulnerability

In the Linux kernel's ksmbd subsystem, asymmetric cleanup between session disconnect and the durable scavenger thread corrupts kernel memory. The defect lives in the interplay between __ksmbd_close_fd() and session_fd_check().


Overview: What makes CVE-2026-31718 dangerous

CVE-2026-31718 affects ksmbd, the SMB server implementation built into the Linux kernel. According to the NVD entry, the issue is a use-after-free in the __ksmbd_close_fd() function, triggered by asymmetric cleanup when closing file handles. The ENISA record EUVD-2026-26527 references the same defect and assigns it the weakness class CWE-416 (Use After Free).

The trigger condition involves so-called durable file handles: when an SMB session breaks, the file handle persists for a short window so the client can transparently reconnect. Inside that window, the kernel data path is left in an inconsistent state — a primitive that an attacker with network access to the SMB service can exploit.

Key facts about the vulnerability
  • CVE-ID: CVE-2026-31718 (ENISA: EUVD-2026-26527)
  • Component: Linux kernel, subsystem fs/smb/server (ksmbd)
  • Weakness type: CWE-416 Use After Free
  • CVSS 3.1 Base Score: 9.8 (Critical), Vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Published: May 1, 2026 · Last modified: May 17, 2026 (Source: kernel.org)

From a defender's perspective, the CVSS vector profile is what matters most: network-based exploitation, no authentication, no user interaction. That combination typically pushes the issue straight into the "patch immediately" bucket. Whether the bug becomes remote code execution in practice depends on the additional primitives an attacker can build on top of the corrupted kernel heap; kernel-level memory corruption is nonetheless generally treated as a high-value foothold.

Technical analysis: Asymmetric cleanup between two paths

The root cause is that two independent cleanup paths share the same state but reset only part of it consistently. The advisory summarises this as "asymmetric cleanup logic", and the NVD technical details give the same description.

Figure: SMB sessions leave dangling lock entries on an already-freed connection list.

On a regular disconnect, ksmbd invokes session_fd_check(). That routine sets fp->conn = NULL, releases the connection structure, and unbinds the file pointer from the connection. What it does not do: detach the byte-range locks hanging in fp->lock_list from the original conn->lock_list. Their smb_lock->clist entries continue to point into already-freed memory.

Exploitation flow

  1. The client opens a durable file handle over an existing SMB session and acquires byte-range locks.
  2. The session terminates (disconnect, timeout or a deliberate TCP reset); session_fd_check() runs.
  3. session_fd_check() sets fp->conn = NULL and frees the connection structure, leaving the lock list orphaned.
  4. The durable scavenger thread runs after the timeout expires and walks conn->lock_list to clean up.
  5. __ksmbd_close_fd() dereferences smb_lock->clist on the already-freed conn->lock_list: use-after-free.
  6. Best case: a kernel crash (denial-of-service). Worst case: controlled memory corruption.

Prerequisite for exploitation

Exploitation requires ksmbd to be active as the SMB server, and the affected share must permit durable handles. Most classic Linux distributions still use Samba (user-space) in default deployments. ksmbd is typically chosen where in-kernel SMB throughput matters — for example NAS appliances, high-performance file servers, or container storage backends.

The NVD entry lists five kernel.org commits that fix the defect across the maintained branches. The patches realign the cleanup paths so that either the locks are removed before the connection structure is freed, or the scavenger thread correctly handles the nulled-out pointer.
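To make the asymmetry in the exploitation flow and the shape of the fix concrete, here is an added user-space model. It is not kernel code and not taken from the article or the kernel.org commits: the list helpers are minimal stand-ins for <linux/list.h>, kfree() is replaced by a flag so nothing is ever dereferenced after release, and the structure and function names merely mirror the article's description (the field layout is an assumption).

```c
#include <stdbool.h>
#include <stddef.h>
/* Minimal stand-ins for <linux/list.h>; kfree() is modelled by a flag, never a real free. */
struct list_head { struct list_head *next, *prev; };
static void list_init(struct list_head *h) { h->next = h->prev = h; }
static void list_add(struct list_head *n, struct list_head *h) {
    n->next = h->next; n->prev = h; h->next->prev = n; h->next = n;
}
static void list_del_init(struct list_head *n) {
    n->prev->next = n->next; n->next->prev = n->prev; list_init(n);
}
#define entry_of(ptr, type, member) ((type *)((char *)(ptr) - offsetof(type, member)))
#define for_each(p, head) for (struct list_head *p = (head)->next; p != (head); p = p->next)
struct ksmbd_conn { struct list_head lock_list; bool freed; };
struct smb_lock  { struct list_head llist, clist; };  /* on fp->lock_list / conn->lock_list */
struct ksmbd_file { struct ksmbd_conn *conn; struct list_head lock_list; };
/* Asymmetric shape: fp->conn is dropped and conn released, but every clist stays linked. */
static void session_fd_check_asymmetric(struct ksmbd_file *fp) {
    struct ksmbd_conn *conn = fp->conn;
    fp->conn = NULL;
    conn->freed = true;                               /* models kfree(conn) */
}
/* Patched shape: each lock leaves conn->lock_list before conn is released. */
static void session_fd_check_symmetric(struct ksmbd_file *fp) {
    struct ksmbd_conn *conn = fp->conn;
    for_each(p, &fp->lock_list)
        list_del_init(&entry_of(p, struct smb_lock, llist)->clist);
    fp->conn = NULL; conn->freed = true;
}
/* Locks whose clist still points into a released conn: the entries a later scavenger walk would touch. */
static int dangling_lock_entries(struct ksmbd_file *fp, const struct ksmbd_conn *conn) {
    int n = 0;
    for_each(p, &fp->lock_list) {
        struct smb_lock *lk = entry_of(p, struct smb_lock, llist);
        if (conn->freed && lk->clist.next != &lk->clist) n++;
    }
    return n;
}
/* One session holding nlocks (<= 8) byte-range locks, cleaned up one way or the other. */
static int simulate(int nlocks, bool patched) {
    struct ksmbd_conn conn = { 0 }; struct ksmbd_file fp = { .conn = &conn };
    struct smb_lock locks[8] = { 0 };
    list_init(&conn.lock_list); list_init(&fp.lock_list);
    for (int i = 0; i < nlocks && i < 8; i++) {
        list_add(&locks[i].llist, &fp.lock_list);
        list_add(&locks[i].clist, &conn.lock_list);
    }
    if (patched) session_fd_check_symmetric(&fp); else session_fd_check_asymmetric(&fp);
    return dangling_lock_entries(&fp, &conn);
}
```

simulate(n, false) returns n: every lock still points into the released connection. simulate(n, true) returns 0, which is the invariant the patches restore.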

Affected kernel versions and patch status

The NVD entry documents several parallel version trees that received the fix. In practice that means: anyone running ksmbd should match the precise distribution kernel against the fix line, rather than just looking at the major version.

Kernel branch      Affected version range        Status
6.6.x (LTS)        from 6.6.32, before 6.7       Fix available in 6.6-stable line
6.9 – 6.12.x       6.9 up to but not 6.12.83     Fixed from 6.12.83 onwards
6.13 – 6.18.x      6.13 up to but not 6.18.24    Fixed from 6.18.24 onwards
6.19 – 7.0.x       6.19 up to but not 7.0.1      Fixed from 7.0.1 onwards
7.1                7.1-rc1                       Fix landed during the -rc cycle

Sources and confidence

These ranges come from the NVD entry for CVE-2026-31718 (Source: kernel.org) and the ENISA EUVD-2026-26527 record. Depth of detail is moderate: the CVE text in NVD is condensed; the full patch context lives in the linked kernel.org commits. If your distribution publishes a deviating backport, treat its security advisory as authoritative.

A quick version check on a running system:

```bash
# Inspect kernel version and ksmbd module
uname -r
modinfo ksmbd 2>/dev/null | grep -E '^(filename|version|srcversion)'

# Is the server running and listening on 445/TCP?
ss -ltnp '( sport = :445 )'
systemctl is-active ksmbd 2>/dev/null

# Review configured shares and durable-handle options
test -f /etc/ksmbd/ksmbd.conf && grep -nE 'durable|share' /etc/ksmbd/ksmbd.conf
```
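To turn the uname -r output into a verdict against the version table, here is an added C example (not from the article or from kernel.org): it parses the release string, encodes the table's ranges, and reports the 6.6 LTS line separately because the table names no fixed point release for it. The status labels and the treatment of versions outside the listed ranges are my own choices; a distribution's backport advisory still overrides this check.

```c
#include <stdio.h>
#include <stddef.h>
struct kver { int major, minor, patch; };
enum fix_status { NOT_LISTED, AFFECTED, FIXED, LTS_CHECK_STABLE };
/* One row covers [lo, hi): affected below fix, fixed from fix onwards. fix == hi marks
 * the 6.6 LTS row, for which the table names no fixed point release. */
struct row { struct kver lo, fix, hi; const char *branch; };
static const struct row table[] = {
    { {6, 6, 32}, {6, 7, 0},   {6, 7, 0},  "6.6.x (LTS)" },
    { {6, 9, 0},  {6, 12, 83}, {6, 13, 0}, "6.9 - 6.12.x" },
    { {6, 13, 0}, {6, 18, 24}, {6, 19, 0}, "6.13 - 6.18.x" },
    { {6, 19, 0}, {7, 0, 1},   {7, 1, 0},  "6.19 - 7.0.x" },
    { {7, 1, 0},  {7, 1, 0},   {7, 2, 0},  "7.1 (fix landed during the -rc cycle)" },
};
static int kver_cmp(struct kver a, struct kver b) {
    if (a.major != b.major) return a.major - b.major;
    if (a.minor != b.minor) return a.minor - b.minor;
    return a.patch - b.patch;
}
/* Accepts uname -r output such as "6.12.80-generic" or "7.1.0-rc1": the suffix after
 * the numeric triple is ignored and a missing patch level counts as 0. */
static int kver_parse(const char *uname_r, struct kver *v) {
    v->major = v->minor = v->patch = 0;
    return sscanf(uname_r, "%d.%d.%d", &v->major, &v->minor, &v->patch) >= 2;
}
/* branch may be NULL; otherwise it receives the matching table row's label. */
static enum fix_status cve_2026_31718_status(const char *uname_r, const char **branch) {
    struct kver v;
    if (branch) *branch = NULL;
    if (!kver_parse(uname_r, &v)) return NOT_LISTED;
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++) {
        const struct row *r = &table[i];
        if (kver_cmp(v, r->lo) < 0 || kver_cmp(v, r->hi) >= 0) continue;
        if (branch) *branch = r->branch;
        if (kver_cmp(r->fix, r->hi) == 0) return LTS_CHECK_STABLE;
        return kver_cmp(v, r->fix) < 0 ? AFFECTED : FIXED;
    }
    return NOT_LISTED;
}
int main(void) {
    static const char *label[] = { "not in a listed range", "AFFECTED", "fixed",
                                   "6.6 LTS: verify the 6.6-stable patch level" };
    const char *samples[] = { "6.12.80-generic", "6.12.83-1-lts", "6.6.40-arm64", "7.0.0", "7.1.0-rc1", "6.8.12" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *branch;
        enum fix_status s = cve_2026_31718_status(samples[i], &branch);
        printf("%-18s %-44s %s\n", samples[i], label[s], branch ? branch : "-");
    }
    return 0;
}
```

Feed it the real uname -r string instead of the constructed samples in main() to classify a host.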

Mitigations: What to do now

Because ksmbd is a kernel module, the only clean fix is a kernel upgrade to one of the fixed versions listed above. For systems where an immediate reboot is hard, the attack surface can still be reduced reliably.

  1. Patch the kernel: upgrade to a fixed kernel provided by your distribution (6.6-stable, 6.12.83, 6.18.24, 7.0.1, 7.1-rc1, or newer) and reboot within a maintenance window.
  2. Disable ksmbd: where in-kernel SMB is not required, unload the ksmbd module, switch to user-space Samba, and isolate 445/TCP from the server LAN.
  3. Reduce network exposure: restrict 445/TCP to known internal subnets, block external reachability at the perimeter firewall, and audit administrative access through jump hosts or privileged access tooling.
  4. Review durable handles: check whether durable handles are actually required on the affected shares in ksmbd.conf. Disabling them removes the concrete trigger path.

Recommendation for managed SMB servers

Before swapping the kernel on a central file server: snapshot the storage volumes, document the failover path, and rehearse the SMB mount recovery procedure. Kernel patches rarely cause collateral damage on their own; orphaned sessions and pending locks during the reboot, on the other hand, certainly can.

Figure: The kernel.org patches close the asymmetric cleanup logic across five individual commits.

Detection: Spotting ksmbd anomalies

A kernel use-after-free rarely leaves clean traces — neither in the SMB audit log nor in regular application logs. Useful signals are therefore kernel symptoms and connection patterns.

```bash
# Filter the kernel trace (journalctl -k / dmesg) for ksmbd references
journalctl -k --since "7 days ago" | grep -iE 'ksmbd|use-after-free|KASAN|BUG:|general protection'

# Look for repeated session-disconnect events
journalctl -u ksmbd.service --since "24 hours ago" | grep -iE 'disconnect|durable|scavenger'
```

On the network side, an attacker who deliberately triggers the bug will typically generate short-lived SMB sessions involving lock operations followed by abrupt disconnects. Such patterns can be derived from flow data or SMB-visibility tooling.

False sense of security from missing logs

A stable server without visible kernel panics is not proof that the vulnerability has not been exploited. Skilled attackers choose use-after-free primitives that produce no crash artifacts. Do not rely on the absence of symptoms; rely on the patch level of the kernel.

Outlook: What Blackfort customers should check now

CVE-2026-31718 is a textbook example of a kernel-level defect that does not target a broad sweep of internet-exposed systems but does cut deep where it lands: NAS appliances, high-performance file servers, and storage backends behind modern container platforms. Exactly the systems where recovery and maintenance windows take planning.

For your own estate, three questions are decisive: Which hosts actively load ksmbd? Which of those serve clients beyond a controlled management network? And which of them are running a kernel version that sits on the affected side of the fix range?

Primary sources
  • NVD entry "CVE-2026-31718" (Source: kernel.org), published 2026-05-01, modified 2026-05-17
  • ENISA EU Vulnerability Database, record EUVD-2026-26527
  • kernel.org commits (linked from the NVD entry, five patches across the 6.6, 6.12, 6.18, 7.0 and 7.1-rc stable trees)

Notice

Information is based on publicly available sources (NVD, ENISA EUVD) as of the publication date (May 18, 2026). Technical detail may be refined by follow-up distribution advisories or additional kernel.org commits. Concrete hardening decisions should be validated against your own asset inventory and patch process.
