CVE-2026-31477 (GCVE-0-2026-31477)
Vulnerability from cvelistv5 – Published: 2026-04-22 13:54 – Updated: 2026-04-22 13:54
VLAI?
Title
ksmbd: fix memory leaks and NULL deref in smb2_lock()
Summary
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: fix memory leaks and NULL deref in smb2_lock()
smb2_lock() has three error handling issues after list_del() detaches
smb_lock from lock_list at no_check_cl:
1) If vfs_lock_file() returns an unexpected error in the non-UNLOCK
path, goto out leaks smb_lock and its flock because the out:
handler only iterates lock_list and rollback_list, neither of
which contains the detached smb_lock.
2) If vfs_lock_file() returns -ENOENT in the UNLOCK path, goto out
leaks smb_lock and flock for the same reason. The error code
returned to the dispatcher is also stale.
3) In the rollback path, smb_flock_init() can return NULL on
allocation failure. The result is dereferenced unconditionally,
causing a kernel NULL pointer dereference. Add a NULL check to
prevent the crash and clean up the bookkeeping; the VFS lock
itself cannot be rolled back without the allocation and will be
released at file or connection teardown.
Fix cases 1 and 2 by hoisting the locks_free_lock()/kfree() to before
the if(!rc) check in the UNLOCK branch so all exit paths share one
free site, and by freeing smb_lock and flock before goto out in the
non-UNLOCK branch. Propagate the correct error code in both cases.
Fix case 3 by wrapping the VFS unlock in an if(rlock) guard and adding
a NULL check for locks_free_lock(rlock) in the shared cleanup.
Found via call-graph analysis using sqry.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9 , < cdac6f7e7e428dc70e3b5898ac6999a72ed13993
(git)
Affected: e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9 , < c9b95ef6f5039f19e46c3a521a4fe1752d91dfe9 (git) Affected: e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9 , < 91aeaa7256006d79a37298f5a1df23325db91599 (git) Affected: e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9 , < 3cdacd11b41569ce75b3162142240f2355e04900 (git) Affected: e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9 , < aab42f0795620cf0d3955a520f571f697d0f9a2a (git) Affected: e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9 , < 309b44ed684496ed3f9c5715d10b899338623512 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/server/smb2pdu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "cdac6f7e7e428dc70e3b5898ac6999a72ed13993",
"status": "affected",
"version": "e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9",
"versionType": "git"
},
{
"lessThan": "c9b95ef6f5039f19e46c3a521a4fe1752d91dfe9",
"status": "affected",
"version": "e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9",
"versionType": "git"
},
{
"lessThan": "91aeaa7256006d79a37298f5a1df23325db91599",
"status": "affected",
"version": "e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9",
"versionType": "git"
},
{
"lessThan": "3cdacd11b41569ce75b3162142240f2355e04900",
"status": "affected",
"version": "e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9",
"versionType": "git"
},
{
"lessThan": "aab42f0795620cf0d3955a520f571f697d0f9a2a",
"status": "affected",
"version": "e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9",
"versionType": "git"
},
{
"lessThan": "309b44ed684496ed3f9c5715d10b899338623512",
"status": "affected",
"version": "e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/smb/server/smb2pdu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.131",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.21",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.131",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.80",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.21",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.11",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix memory leaks and NULL deref in smb2_lock()\n\nsmb2_lock() has three error handling issues after list_del() detaches\nsmb_lock from lock_list at no_check_cl:\n\n1) If vfs_lock_file() returns an unexpected error in the non-UNLOCK\n path, goto out leaks smb_lock and its flock because the out:\n handler only iterates lock_list and rollback_list, neither of\n which contains the detached smb_lock.\n\n2) If vfs_lock_file() returns -ENOENT in the UNLOCK path, goto out\n leaks smb_lock and flock for the same reason. The error code\n returned to the dispatcher is also stale.\n\n3) In the rollback path, smb_flock_init() can return NULL on\n allocation failure. The result is dereferenced unconditionally,\n causing a kernel NULL pointer dereference. Add a NULL check to\n prevent the crash and clean up the bookkeeping; the VFS lock\n itself cannot be rolled back without the allocation and will be\n released at file or connection teardown.\n\nFix cases 1 and 2 by hoisting the locks_free_lock()/kfree() to before\nthe if(!rc) check in the UNLOCK branch so all exit paths share one\nfree site, and by freeing smb_lock and flock before goto out in the\nnon-UNLOCK branch. Propagate the correct error code in both cases.\nFix case 3 by wrapping the VFS unlock in an if(rlock) guard and adding\na NULL check for locks_free_lock(rlock) in the shared cleanup.\n\nFound via call-graph analysis using sqry."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-22T13:54:05.470Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/cdac6f7e7e428dc70e3b5898ac6999a72ed13993"
},
{
"url": "https://git.kernel.org/stable/c/c9b95ef6f5039f19e46c3a521a4fe1752d91dfe9"
},
{
"url": "https://git.kernel.org/stable/c/91aeaa7256006d79a37298f5a1df23325db91599"
},
{
"url": "https://git.kernel.org/stable/c/3cdacd11b41569ce75b3162142240f2355e04900"
},
{
"url": "https://git.kernel.org/stable/c/aab42f0795620cf0d3955a520f571f697d0f9a2a"
},
{
"url": "https://git.kernel.org/stable/c/309b44ed684496ed3f9c5715d10b899338623512"
}
],
"title": "ksmbd: fix memory leaks and NULL deref in smb2_lock()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31477",
"datePublished": "2026-04-22T13:54:05.470Z",
"dateReserved": "2026-03-09T15:48:24.098Z",
"dateUpdated": "2026-04-22T13:54:05.470Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2026-31477\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-04-22T14:16:44.440\",\"lastModified\":\"2026-04-22T14:16:44.440\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nksmbd: fix memory leaks and NULL deref in smb2_lock()\\n\\nsmb2_lock() has three error handling issues after list_del() detaches\\nsmb_lock from lock_list at no_check_cl:\\n\\n1) If vfs_lock_file() returns an unexpected error in the non-UNLOCK\\n path, goto out leaks smb_lock and its flock because the out:\\n handler only iterates lock_list and rollback_list, neither of\\n which contains the detached smb_lock.\\n\\n2) If vfs_lock_file() returns -ENOENT in the UNLOCK path, goto out\\n leaks smb_lock and flock for the same reason. The error code\\n returned to the dispatcher is also stale.\\n\\n3) In the rollback path, smb_flock_init() can return NULL on\\n allocation failure. The result is dereferenced unconditionally,\\n causing a kernel NULL pointer dereference. Add a NULL check to\\n prevent the crash and clean up the bookkeeping; the VFS lock\\n itself cannot be rolled back without the allocation and will be\\n released at file or connection teardown.\\n\\nFix cases 1 and 2 by hoisting the locks_free_lock()/kfree() to before\\nthe if(!rc) check in the UNLOCK branch so all exit paths share one\\nfree site, and by freeing smb_lock and flock before goto out in the\\nnon-UNLOCK branch. Propagate the correct error code in both cases.\\nFix case 3 by wrapping the VFS unlock in an if(rlock) guard and adding\\na NULL check for locks_free_lock(rlock) in the shared cleanup.\\n\\nFound via call-graph analysis using sqry.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/309b44ed684496ed3f9c5715d10b899338623512\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/3cdacd11b41569ce75b3162142240f2355e04900\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/91aeaa7256006d79a37298f5a1df23325db91599\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/aab42f0795620cf0d3955a520f571f697d0f9a2a\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/c9b95ef6f5039f19e46c3a521a4fe1752d91dfe9\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/cdac6f7e7e428dc70e3b5898ac6999a72ed13993\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…