In the Linux kernel, the following vulnerability has been resolved:
ksmbd: fix mechToken leak when SPNEGO decode fails after token alloc
The kernel ASN.1 BER decoder calls action callbacks incrementally as it walks the input. When ksmbd_decode_negTokenInit() reaches the mechToken [2] OCTET STRING element, ksmbd_neg_token_alloc() allocates conn->mechToken immediately via kmemdup_nul(). If a later element in the same blob is malformed, then the decoder will return nonzero after the allocation is already live. This could happen if mechListMIC [3] overruns the enclosing SEQUENCE.
decode_negotiation_token() then sets conn->use_spnego = false because both the negTokenInit and negTokenTarg grammars failed. The cleanup at the bottom of smb2_sess_setup() is gated on use_spnego:
if (conn->use_spnego && conn->mechToken) {
kfree(conn->mechToken);
conn->mechToken = NULL;
}
so the kfree is skipped, causing the mechToken to never be freed.
This codepath is reachable pre-authentication, so untrusted clients can cause slow memory leaks on a server without even being properly authenticated.
Fix this up by not checking for use_spnego, as it's not required, so the memory will always be properly freed. At the same time, always free the memory in ksmbd_conn_free() in case some other failure path forgot to free it.
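The following userspace model is an added example, not ksmbd's code and not part of the commit above. It reproduces the leak pattern described in the advisory with a toy callback-style decoder: the [2] element is allocated as soon as it is reached, a later element that overruns the enclosing SEQUENCE makes the walk fail, and the session-setup cleanup is either gated on use_spnego (the original behaviour) or unconditional plus a conn-free safety net (the fixed behaviour). The struct, function names, the minimal [tag][len][value] encoding and the two input blobs are all constructed for this example and do not correspond to kernel structures or real captures.

```c
/* Added example: a userspace model of the mechToken leak, not ksmbd code. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct conn {                  /* assumed stand-in for ksmbd's connection object */
    bool use_spnego;
    unsigned char *mechToken;
    size_t mechTokenLen;
};

static int live_tokens;        /* outstanding mechToken buffers; nonzero after teardown = leak */

static unsigned char *token_dup(const unsigned char *p, size_t n)
{
    unsigned char *b = malloc(n + 1);
    if (!b)
        return NULL;
    memcpy(b, p, n);
    b[n] = '\0';               /* NUL-terminated copy, like kmemdup_nul() */
    live_tokens++;
    return b;
}

static void token_release(struct conn *c)
{
    if (!c->mechToken)
        return;
    free(c->mechToken);
    c->mechToken = NULL;
    c->mechTokenLen = 0;
    live_tokens--;
}

/* Toy decoder: elements are [tag][len][value] inside one enclosing SEQUENCE of
 * `len` bytes. The [2] action allocates as soon as it is reached; an element
 * that overruns the SEQUENCE fails the walk with the allocation already live. */
static int decode_neg_token_init(struct conn *c, const unsigned char *blob, size_t len)
{
    size_t off = 0;

    while (off < len) {
        unsigned char tag, vlen;

        if (len - off < 2)
            return -EINVAL;
        tag = blob[off];
        vlen = blob[off + 1];
        off += 2;
        if (vlen > len - off)
            return -EINVAL;    /* e.g. mechListMIC [3] overruns the SEQUENCE */
        if (tag == 0xA2) {     /* mechToken [2]: allocate immediately */
            token_release(c);
            c->mechToken = token_dup(blob + off, vlen);
            if (!c->mechToken)
                return -ENOMEM;
            c->mechTokenLen = vlen;
        }
        off += vlen;
    }
    return 0;
}

/* Stand-in for decode_negotiation_token(): clears use_spnego when the grammar fails. */
static int decode_negotiation_token(struct conn *c, const unsigned char *blob, size_t len)
{
    c->use_spnego = true;
    if (decode_neg_token_init(c, blob, len) == 0)
        return 0;
    c->use_spnego = false;
    return -EINVAL;
}

/* One session-setup attempt plus connection teardown; returns how many mechToken
 * buffers are still live afterwards (0 = no leak). `fixed` selects the ungated
 * cleanup plus the conn-free safety net described in the fix. */
int leaked_tokens_after_session(bool fixed, const unsigned char *blob, size_t len)
{
    struct conn c = { 0 };
    int before = live_tokens;

    (void)decode_negotiation_token(&c, blob, len);

    if (fixed)
        token_release(&c);                   /* fixed sess_setup: no use_spnego gate */
    else if (c.use_spnego && c.mechToken)
        token_release(&c);                   /* original gate: skipped after a decode failure */

    if (fixed)
        token_release(&c);                   /* fixed conn-free safety net */
    /* original teardown does not touch mechToken here */

    return live_tokens - before;
}

/* Constructed inputs (not real captures): a well-formed body, and one whose
 * mechListMIC [3] declares 16 bytes when only 2 remain in the SEQUENCE. */
const unsigned char GOOD_BLOB[] = { 0xA2, 0x03, 'N', 'T', 'L', 0xA3, 0x02, 0x01, 0x02 };
const unsigned char BAD_BLOB[]  = { 0xA2, 0x03, 'N', 'T', 'L', 0xA3, 0x10, 0x01, 0x02 };

int main(void)
{
    printf("well-formed, unpatched: %d leaked\n", leaked_tokens_after_session(false, GOOD_BLOB, sizeof GOOD_BLOB));
    printf("malformed,   unpatched: %d leaked\n", leaked_tokens_after_session(false, BAD_BLOB, sizeof BAD_BLOB));
    printf("malformed,   patched:   %d leaked\n", leaked_tokens_after_session(true, BAD_BLOB, sizeof BAD_BLOB));
    return 0;
}
```

The unpatched path leaks exactly one buffer per malformed negTokenInit because the allocation happens in the [2] action before the walk fails, and the gated cleanup then sees use_spnego == false; the same loop run repeatedly by an unauthenticated client is the slow leak the advisory describes. The patched path frees regardless of use_spnego and frees again at teardown, which is harmless because the pointer is NULLed after the first release.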
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31610.json",
"cna_assigner": "Linux"
}