In the Linux kernel, the following vulnerability has been resolved:
ksmbd: fix use-after-free and NULL deref in smb_grant_oplock()
smb_grant_oplock() has two issues in the oplock publication sequence:
1) opinfo is linked into ci->m_op_list (via opinfo_add()) before add_lease_global_list() is called. If add_lease_global_list() fails (kmalloc returns NULL), the error path frees the opinfo via free_opinfo() while it is still linked in ci->m_op_list. Concurrent m_op_list readers (opinfo_get_list(), or direct iteration in smb_break_all_levII_oplock()) dereference the freed node.
2) opinfo->o_fp is assigned after add_lease_global_list() publishes the opinfo on the global lease list. A concurrent find_same_lease_key() can walk the lease list and dereference opinfo->o_fp->f_ci while o_fp is still NULL.
Fix by restructuring the publication sequence to eliminate post-publish failure:
This also requires splitting add_lease_global_list() to take a preallocated lease_table and changing its return type from int to void, since it can no longer fail.
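The ordering problem above is easier to see in a small user-space model than in the kernel source. The following is an added example, not ksmbd code: the names mirror the advisory (opinfo_add, free_opinfo, m_op_list, o_fp), but the fixed-size pool, the `in_use` flag that lets a freed node be inspected safely, the `fail_lease_alloc` switch that stands in for kmalloc() returning NULL, and the `probe_after_publish()` call that stands in for a concurrent reader are all assumptions of this model. Locking is omitted on purpose; the probe is placed exactly where a reader holding the list lock could run between the steps.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy model of the smb_grant_oplock() publication sequence (not ksmbd code). */
struct ksmbd_file { int id; };
struct lease_table { int id; };

struct oplock_info {
    struct oplock_info *next;   /* link in ci->m_op_list (singly linked here) */
    struct ksmbd_file *o_fp;    /* readers dereference o_fp->f_ci */
    struct lease_table *lt;     /* the entry add_lease_global_list() publishes */
    bool in_use;                /* pool bookkeeping; false once "freed" */
};

enum { LIST_OK = 0, LIST_DANGLING = 1, LIST_NULL_FP = 2 };

#define POOL 4
static struct oplock_info pool[POOL];  /* fixed pool: a freed node stays inspectable */
static struct oplock_info *m_op_list;  /* models ci->m_op_list */
static bool fail_lease_alloc;          /* assumption: simulates kmalloc() returning NULL */
static int probe_result;               /* what the simulated concurrent reader saw */
static struct ksmbd_file sample_fp = { 1 };   /* constructed sample file */

static struct oplock_info *alloc_opinfo(void)
{
    for (int i = 0; i < POOL; i++)
        if (!pool[i].in_use) {
            memset(&pool[i], 0, sizeof pool[i]);
            pool[i].in_use = true;
            return &pool[i];
        }
    return NULL;
}

static void free_opinfo(struct oplock_info *o)
{
    free(o->lt);
    o->in_use = false;   /* memory is not reused, so a dangling link is detectable */
}

static struct lease_table *alloc_lease_table(void)
{
    return fail_lease_alloc ? NULL : calloc(1, sizeof(struct lease_table));
}

static void opinfo_add(struct oplock_info *o)
{
    o->next = m_op_list;
    m_op_list = o;
}

/* Reader in the style of opinfo_get_list()/find_same_lease_key(): reports hazards. */
static int list_check(void)
{
    int flags = LIST_OK;
    for (struct oplock_info *n = m_op_list; n; n = n->next) {
        if (!n->in_use)
            flags |= LIST_DANGLING;   /* freed node still reachable: use-after-free */
        else if (!n->o_fp)
            flags |= LIST_NULL_FP;    /* published before o_fp was set: NULL deref */
    }
    return flags;
}

static void probe_after_publish(void) { probe_result = list_check(); }

/* Order before the fix: link, then allocate, then set o_fp. */
static int grant_oplock_buggy(struct ksmbd_file *fp)
{
    struct oplock_info *o = alloc_opinfo();
    if (!o)
        return -ENOMEM;
    opinfo_add(o);                 /* published with o_fp == NULL */
    probe_after_publish();
    o->lt = alloc_lease_table();   /* add_lease_global_list() allocating, and failing */
    if (!o->lt) {
        free_opinfo(o);            /* still linked in m_op_list */
        return -ENOMEM;
    }
    o->o_fp = fp;                  /* too late for the reader above */
    return 0;
}

/* Order after the fix: allocate everything, initialise fully, publish last. */
static int grant_oplock_fixed(struct ksmbd_file *fp)
{
    struct lease_table *lt = alloc_lease_table();   /* preallocated: publish cannot fail */
    if (!lt)
        return -ENOMEM;            /* nothing was published, nothing to unwind */
    struct oplock_info *o = alloc_opinfo();
    if (!o) {
        free(lt);
        return -ENOMEM;
    }
    o->o_fp = fp;
    o->lt = lt;
    opinfo_add(o);                 /* readers only ever see a complete node */
    probe_after_publish();
    return 0;
}

static void reset(void)
{
    for (int i = 0; i < POOL; i++)
        if (pool[i].in_use)
            free(pool[i].lt);
    memset(pool, 0, sizeof pool);
    m_op_list = NULL;
    probe_result = LIST_OK;
}

struct outcome { int ret, probe, list; };

/* Run one scenario from a clean state and report return code, reader view, final list state. */
static struct outcome run(bool fixed, bool lease_alloc_fails)
{
    struct outcome r;
    reset();
    fail_lease_alloc = lease_alloc_fails;
    r.ret = fixed ? grant_oplock_fixed(&sample_fp) : grant_oplock_buggy(&sample_fp);
    r.probe = probe_result;
    r.list = list_check();
    return r;
}

int main(void)
{
    struct outcome b = run(false, true), f = run(true, true);
    printf("buggy: ret=%d list=%d | fixed: ret=%d list=%d\n", b.ret, b.list, f.ret, f.list);
    return 0;
}
```

With the allocation forced to fail, the buggy order leaves a freed node reachable from the list (`LIST_DANGLING`) and, even on success, the probe sees a node whose `o_fp` is NULL; the fixed order never publishes anything it cannot finish, so the list is empty after a failure and complete after a success. The same pattern applies generally: do every fallible step and every field initialisation before the object becomes reachable from a shared structure.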
{
"cna_assigner": "Linux",
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31444.json"
}