CVE-2026-31476

When a multichannel session binding request fails (e.g. wrong password), the error path unconditionally sets sess->state = SMB2SESSIONEXPIRED. However, during binding, sess points to the target session looked up via ksmbdsessionlookup_slowpath() -- which belongs to another connection's user. This allows a remote attacker to invalidate any active session by simply sending a binding request with a wrong password (DoS).

Fix this by skipping session expiration when the failed request was a binding attempt, since the session does not belong to the current connection. The reference taken by ksmbdsessionlookupslowpath() is still correctly released via ksmbdusersessionput().

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31476.json",
    "cna_assigner": "Linux"
}

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

f5a544e3bab78142207e0242d22442db85ba1eff

Fixed

f5300690c23c5ac860499bb37dbc09cf43fd62e6

Fixed

6fafc4c4238e538969f1375f9ecdc6587c53f1cc

Fixed

1d1888b4a7aec518b707f6eca0bf08992c0e8da3

Fixed

a897064a457056acb976e20e3007cdf553de340f

Fixed

e0e5edc81b241c70355217de7e120c97c3429deb

Fixed

9bbb19d21ded7d78645506f20d8c44895e3d0fb9

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31476.json"

Linux / Kernel

Package

Name: Kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.15.0

Fixed

6.1.168

Type: ECOSYSTEM
Events: Introduced

6.2.0

Fixed

6.6.131

Type: ECOSYSTEM
Events: Introduced

6.7.0

Fixed

6.12.80

Type: ECOSYSTEM
Events: Introduced

6.13.0

Fixed

6.18.21

Type: ECOSYSTEM
Events: Introduced

6.19.0

Fixed

6.19.11

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31476.json"