CVE-2026-31613

In the Linux kernel, the following vulnerability has been resolved: smb: client: fix OOB reads parsing symlink error response When a CREATE returns STATUSSTOPPEDONSYMLINK, smb2checkmessage returns success without any length validation, leaving the symlink parsers as the only defense against an...

CVE-2026-31613

The CVE-2026-31613 issue affects the Linux kernel SMB client. A crafted symlink error response from a remote SMB server can trigger an out-of-bounds read during symlink parsing, allowing UTF-16 data to be read via readlink(2). Root cause: smb2_check_message() accepts a CREATE status without valid...

CVE-2026-31612

In the Linux kernel, the following vulnerability has been resolved: ksmbd: validate EaNameLength in smb2getea smb2getea reads eareq-EaNameLength from the client request and passes it directly to strncmp as the comparison length without verifying that the length of the name really is the size of t...

CVE-2026-31609

In the Linux kernel, the following vulnerability has been resolved: smb: client: avoid double-free in smbdfreesendio after smbdsendbatchflush smbdsendbatchflush already calls smbdfreesendio, so we should not call it again after smbdpostsend moved it to the batch list...

CVE-2026-31609

CVE-2026-31609 affects the Linux kernel SMB client; the double-free occurs in smbd_free_send_io() after smbd_send_batch_flush() because smbd_send_batch_flush() already frees via smbd_free_send_io() and has been moved to the batch list. The issue has been addressed in multiple advisories and patch...

EUVD-2026-25502

In the Linux kernel, the following vulnerability has been resolved: smb: client: avoid double-free in smbdfreesendio after smbdsendbatchflush smbdsendbatchflush already calls smbdfreesendio, so we should not call it again after smbdpostsend moved it to the batch list...

CVE-2026-31608

In the Linux kernel, the following vulnerability has been resolved: smb: server: avoid double-free in smbdirectfreesendmsg after smbdirectflushsendlist smbdirectflushsendlist already calls smbdirectfreesendmsg, so we should not call it again after postsendmsg moved it to the batch list...

CVE-2026-31536

In the Linux kernel, the following vulnerability has been resolved: smb: server: let senddone handle a completion without IBSENDSIGNALED With smbdirectsendbatch processing we likely have requests without IBSENDSIGNALED, which will be destroyed in the final request that has IBSENDSIGNALED set. If...

CVE-2026-31535 smb: client: make use of smbdirect_socket.recv_io.credits.available

In the Linux kernel, the following vulnerability has been resolved: smb: client: make use of smbdirectsocket.recvio.credits.available The logic off managing recv credits by counting posted recvio and granted credits is racy. That's because the peer might already consumed a credit, but between...

CVE-2026-31535

Summary: CVE-2026-31535 affects the Linux kernel SMB client receive credit management. A race in handling smbdirect_socket.recv_io.credits.available can cause over- or under-counted credits, potentially destabilizing the SMB receive path. The root cause is a window where a peer might have consume...

CVE-2026-31535

In the Linux kernel, the following vulnerability has been resolved: smb: client: make use of smbdirectsocket.recvio.credits.available The logic off managing recv credits by counting posted recvio and granted credits is racy. That's because the peer might already consumed a credit, but between...

CVE-2026-31534

CVE-2026-31534 affects the Linux kernel SMB client logic. In smbdirect_send_batch processing, requests may exist without the IB_SEND_SIGNALED flag and could be destroyed by the final request that carries IB_SEND_SIGNALED. If the connection is broken, all outstanding requests are signaled even wit...

Linux kernel 安全漏洞

The Linux kernel is the kernel used by the Linux operating system developed by the Linux Foundation in the United States. There is a security vulnerability in the Linux kernel, which stems from the lack of verification of EaNameLength in smb2getea, potentially leading to the leakage of...

PT-2026-34886

In the Linux kernel, the following vulnerability has been resolved: smb: client: let send done handle a completion without IB SEND SIGNALED With smbdirect send batch processing we likely have requests without IB SEND SIGNALED, which will be destroyed in the final request that has IB SEND SIGNALED...

PT-2026-34887

In the Linux kernel, the following vulnerability has been resolved: smb: client: make use of smbdirect socket.recv io.credits.available The logic off managing recv credits by counting posted recv io and granted credits is racy. That's because the peer might already consumed a credit, but between...

PT-2026-34960

Name of the Vulnerable Software and Affected Versions Linux kernel affected versions not specified Description A double-free issue exists in the SMB server component. The function smb direct flush send list already invokes smb direct free sendmsg, leading to a second call to smb direct free sendm...

PT-2026-34965

Name of the Vulnerable Software and Affected Versions Linux kernel affected versions not specified Description An issue exists in the SMB client when parsing symlink error responses. When a CREATE request returns STATUS STOPPED ON SYMLINK, the smb2 check message function returns success without...

PT-2026-34963

Name of the Vulnerable Software and Affected Versions Linux kernel affected versions not specified Description In the ksmbd module, the parse dacl function compares each Access Control Entry ACE Security Identifier SID against sid unix NFS mode. If sid unix NFS mode is the prefix S-1-5-88-3 with...

ksmbd: fix use-after-free and NULL deref in smb_grant_oplock()

...

CVE-2026-31476

A flaw was found in ksmbd in the Linux kernel. A remote attacker can exploit this vulnerability by sending a multichannel session binding request with an incorrect password. This improper handling of failed binding requests can cause an active session to expire, leading to a Denial of Service DoS...