CVE-2026-31610
Description
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: fix mechToken leak when SPNEGO decode fails after token alloc
The kernel ASN.1 BER decoder calls action callbacks incrementally as it walks the input. When ksmbd_decode_negTokenInit() reaches the mechToken [2] OCTET STRING element, ksmbd_neg_token_alloc() allocates conn->mechToken immediately via kmemdup_nul(). If a later element in the same blob is malformed, then the decoder will return nonzero after the allocation is already live. This could happen if mechListMIC [3] overruns the enclosing SEQUENCE.
decode_negotiation_token() then sets conn->use_spnego = false because both the negTokenInit and negTokenTarg grammars failed. The cleanup at the bottom of smb2_sess_setup() is gated on use_spnego:
if (conn->use_spnego && conn->mechToken) { kfree(conn->mechToken); conn->mechToken = NULL; }
so the kfree is skipped, causing the mechToken to never be freed.
This codepath is reachable pre-authentication, so untrusted clients can cause slow memory leaks on a server without even being properly authenticated.
Fix this up by not checking for use_spnego, as it's not required, so the memory will always be properly freed. At the same time, always free the memory in ksmbd_conn_free() in case some other failure path forgot to free it.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel's ksmbd, a memory leak of mechToken occurs when SPNEGO decoding fails after token allocation, exploitable pre-authentication by untrusted clients.
Vulnerability
In the Linux kernel's ksmbd (SMB server), a memory leak exists in the SPNEGO negotiation handling. The kernel ASN.1 BER decoder calls action callbacks incrementally as it processes the input. When ksmbd_decode_negTokenInit() reaches the mechToken [2] OCTET STRING element, ksmbd_neg_token_alloc() allocates conn->mechToken via kmemdup_nul(). If a later element in the same blob is malformed (e.g., mechListMIC [3] overruns the enclosing SEQUENCE), the decoder returns nonzero after the allocation is already live. decode_negotiation_token() then sets conn->use_spnego = false because both the negTokenInit and negTokenTarg grammars failed, and the cleanup in smb2_sess_setup() is gated on conn->use_spnego, so the allocated mechToken is never freed [1][2][3][4].
Exploitation
This codepath is reachable pre-authentication, meaning an untrusted client can trigger the leak without any prior authentication. By sending a crafted SPNEGO blob that passes the initial token allocation but fails later in the decoding, an attacker can cause repeated memory allocations that are never freed. No special network position is required beyond the ability to connect to the SMB server.
Impact
The vulnerability results in a slow memory leak on the server. Over time, repeated exploitation can exhaust system memory, leading to denial of service (DoS) for legitimate users. The leak is per-session, so an attacker can amplify the effect by opening many connections.
Mitigation
The fix, applied to multiple stable kernel branches [1][2][3][4], removes the use_spnego check from the cleanup path, ensuring mechToken is always freed when the session setup fails. Additionally, the memory is now freed in ksmbd_conn_free() as a safety net for any other failure paths. Users should update their kernels to include the patched commits.
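The allocate-then-gated-free sequence described in the CVE description and in the Vulnerability and Mitigation sections above, as an added userspace C model that is not kernel code or the project's own: struct conn, the live_allocs counter, the toy tag/length/value decoder and the two constructed blobs are assumptions, while the function and field names mirror the commit message. sess_setup_leaks() reports how many mechToken buffers remain after the session-setup cleanup, once with the vulnerable use_spnego gate and once with the fix.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Userspace model of the ksmbd state in this CVE (added example, not kernel code).
 * Names follow the commit message; the decoder and counter are assumptions. */
struct conn { char *mechToken; bool use_spnego; };
static int live_allocs;                     /* mechToken buffers not yet freed */
static void token_free(struct conn *c)      /* models kfree(); conn->mechToken = NULL */
{
    if (c->mechToken) { free(c->mechToken); c->mechToken = NULL; live_allocs--; }
}
/* Walks tag/len/value elements and runs the mechToken [2] action as soon as it is
 * reached, like the incremental kernel BER decoder; nonzero if a later element overruns. */
static int decode_negTokenInit(struct conn *c, const unsigned char *b, size_t n)
{
    for (size_t i = 0; i + 2 <= n; ) {
        size_t vlen = b[i + 1];
        if (i + 2 + vlen > n) return -1;    /* e.g. mechListMIC [3] overruns the SEQUENCE */
        if (b[i] == 2) {                    /* ksmbd_neg_token_alloc(): kmemdup_nul() */
            if (!(c->mechToken = malloc(vlen + 1))) return -1;
            memcpy(c->mechToken, b + i + 2, vlen); c->mechToken[vlen] = '\0';
            live_allocs++;
        }
        i += 2 + vlen;
    }
    return 0;
}

/* decode_negotiation_token(): a failed grammar clears use_spnego, token already live. */
static void decode_negotiation_token(struct conn *c, const unsigned char *b, size_t n)
{
    c->use_spnego = decode_negTokenInit(c, b, n) == 0;
}
/* Returns how many mechToken buffers survive the smb2_sess_setup() cleanup: 1 = leak. */
int sess_setup_leaks(const unsigned char *b, size_t n, bool fixed)
{
    struct conn c = { 0 }; live_allocs = 0;
    decode_negotiation_token(&c, b, n);
    if (fixed || c.use_spnego) token_free(&c); /* the fix drops the use_spnego gate */
    if (fixed) token_free(&c);                 /* ksmbd_conn_free() safety net */
    int leaked = live_allocs;
    free(c.mechToken);                         /* keep the model itself leak-free */
    return leaked;
}
/* Constructed blobs: mechToken [2] of 3 bytes, then mechListMIC [3] that fits / overruns. */
const unsigned char good_blob[] = { 2, 3, 'a', 'b', 'c', 3, 1, 0 };
const unsigned char bad_blob[]  = { 2, 3, 'a', 'b', 'c', 3, 16, 0 };
```

With the gate in place only the malformed blob leaks; the well-formed blob is freed either way, which is why the bug is confined to the pre-authentication failure path.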
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (6)
- git.kernel.org/stable/c/269c800a7a7e363459291885b35f7bc72e231ed6 (nvd: Patch)
- git.kernel.org/stable/c/6c8c44e6553b9f072f62d9875e567766eb293162 (nvd: Patch)
- git.kernel.org/stable/c/745a535461bbb90a56d9357573c9f97a5c12abe1 (nvd: Patch)
- git.kernel.org/stable/c/ad0057fb91218914d6c98268718ceb9d59b388e1 (nvd: Patch)
- git.kernel.org/stable/c/dd53414e301beb915fe672dc4c4a51bafb917604 (nvd: Patch)
- git.kernel.org/stable/c/dd577cb55588ec3fbc66af3621280306601c4192 (nvd: Patch)
News mentions (0)
No linked articles in our index yet.