CVE-2026-31476
Description
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: do not expire session on binding failure
When a multichannel session binding request fails (e.g. wrong password), the error path unconditionally sets sess->state = SMB2_SESSION_EXPIRED. However, during binding, sess points to the target session looked up via ksmbd_session_lookup_slowpath() -- which belongs to another connection's user. This allows a remote attacker to invalidate any active session by simply sending a binding request with a wrong password (DoS).
Fix this by skipping session expiration when the failed request was a binding attempt, since the session does not belong to the current connection. The reference taken by ksmbd_session_lookup_slowpath() is still correctly released via ksmbd_user_session_put().
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In Linux ksmbd, a multichannel session binding failure incorrectly expires any active session, enabling a remote denial-of-service attack.
Root
Cause
In the Linux kernel's ksmbd SMB server, when a multichannel session binding request fails (e.g., due to a wrong password), the error path unconditionally sets sess->state = SMB2_SESSION_EXPIRED. However, during binding, the sess pointer refers to the target session looked up via ksmbd_session_lookup_slowpath(), which belongs to another connection's user. This means that a failure in the binding process inadvertently targets a session that is not owned by the requesting connection.
Exploitation
An attacker can exploit this vulnerability by sending a crafted multichannel binding request with an incorrect password to the ksmbd server. No authentication is required because the binding request occurs before session establishment. By doing so, the attacker can cause any active session (looked up via the binding request) to be expired, leading to a denial of service for that session's user.
Impact
Successful exploitation allows a remote, unauthenticated attacker to forcibly expire any active SMB session on the server. This effectively disconnects legitimate users, causing a denial of service. The vulnerability does not require any special privileges or network position beyond the ability to send SMB binding requests to the target server.
Mitigation
The fix is to skip session expiration when the failed request is a binding attempt, as the session does not belong to the current connection. This patch has been applied to the Linux kernel stable tree via commits [1][2][3][4]. Users should update to a patched kernel version.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
10cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*+ 8 more
- cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*range: >=5.15.1,<6.1.168
- cpe:2.3:o:linux:linux_kernel:5.15:-:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
News mentions
0No linked articles in our index yet.