CVE-2026-31444

Source
https://cve.org/CVERecord?id=CVE-2026-31444
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31444.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-31444
Published
2026-04-22T13:53:41.351Z
Modified
2026-06-18T03:56:23.315707136Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
ksmbd: fix use-after-free and NULL deref in smb_grant_oplock()
Details

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: fix use-after-free and NULL deref in smb_grant_oplock()

smb_grant_oplock() has two issues in the oplock publication sequence:

1) opinfo is linked into ci->m_op_list (via opinfo_add) before add_lease_global_list() is called. If add_lease_global_list() fails (kmalloc returns NULL), the error path frees the opinfo via __free_opinfo() while it is still linked in ci->m_op_list. Concurrent m_op_list readers (opinfo_get_list, or direct iteration in smb_break_all_levII_oplock) dereference the freed node.

2) opinfo->o_fp is assigned after add_lease_global_list() publishes the opinfo on the global lease list. A concurrent find_same_lease_key() can walk the lease list and dereference opinfo->o_fp->f_ci while o_fp is still NULL.

Fix by restructuring the publication sequence to eliminate post-publish failure:

  • Set opinfo->o_fp before any list publication (fixes NULL deref).
  • Preallocate lease_table via alloc_lease_table() before opinfo_add() so add_lease_global_list() becomes infallible after publication.
  • Keep the original m_op_list publication order (opinfo_add before lease list) so concurrent opens via same_client_has_lease() and opinfo_get_list() still see the in-flight grant.
  • Use opinfo_put() instead of __free_opinfo() on err_out so that the RCU-deferred free path is used.

This also requires splitting add_lease_global_list() to take a preallocated lease_table and changing its return type from int to void, since it can no longer fail.

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31444.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
302fef75512b2c8329a3f5efab1ae7ba2562387a
Fixed
9e785f004cbc56390479b77375726ea9b0d1a8a6
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
08aa9f3c8cf4d0bee44df540dfe34e8d64069f2c
Fixed
7de55bba69cbf0f9280daaea385daf08bc076121
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
1d6abf145615dbfe267ce3b0a271f95e3780e18e
Fixed
a5c6f6d6ceefed2d5210ee420fb75f8362461f46
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
ce8507ee82c888126d8e7565e27c016308d24cde
Fixed
6d7e5a918c1d0aad06db0e17677b66fc9a471021
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
1dfd062caa165ec9d7ee0823087930f3ab8a6294
Fixed
48623ec358c1c600fa1e38368746f933e0f1a617

Affected versions

v6.*
v6.12.78
v6.12.79
v6.18.19
v6.18.20
v6.19.10
v6.19.9
v6.6.130

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31444.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.6.130
Fixed
6.6.131
Type
ECOSYSTEM
Events
Introduced
6.12.78
Fixed
6.12.80
Type
ECOSYSTEM
Events
Introduced
6.18.19
Fixed
6.18.21
Type
ECOSYSTEM
Events
Introduced
6.19.9
Fixed
6.19.11

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31444.json"