CVE-2026-31610

Source: https://cve.org/CVERecord?id=CVE-2026-31610
Import Source: https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31610.json
JSON Data: https://api.test.osv.dev/v1/vulns/CVE-2026-31610
Published: 2026-04-24T14:42:31.471Z
Modified: 2026-06-18T03:55:06.238581629Z
Summary
ksmbd: fix mechToken leak when SPNEGO decode fails after token alloc
Details

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: fix mechToken leak when SPNEGO decode fails after token alloc

The kernel ASN.1 BER decoder calls action callbacks incrementally as it walks the input. When ksmbd_decode_negTokenInit() reaches the mechToken [2] OCTET STRING element, ksmbd_neg_token_alloc() allocates conn->mechToken immediately via kmemdup_nul(). If a later element in the same blob is malformed, then the decoder will return nonzero after the allocation is already live. This could happen if mechListMIC [3] overruns the enclosing SEQUENCE.

decode_negotiation_token() then sets conn->use_spnego = false because both the negTokenInit and negTokenTarg grammars failed. The cleanup at the bottom of smb2_sess_setup() is gated on use_spnego:

if (conn->use_spnego && conn->mechToken) {
    kfree(conn->mechToken);
    conn->mechToken = NULL;
}

so the kfree is skipped, causing the mechToken to never be freed.

This codepath is reachable pre-authentication, so untrusted clients can cause slow memory leaks on a server without even being properly authenticated.

Fix this up by not checking for use_spnego, as it's not required, so the memory will always be properly freed. At the same time, always free the memory in ksmbd_conn_free() in case some other failure path forgot to free it.
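
The leak pattern described above, reduced to a user-space C model. This is an added example, not ksmbd code and not part of the commit message. The struct, the function names, the one-byte tag/length framing and the two sample blobs are constructed for illustration; `gated` selects the pre-fix cleanup condition.

```c
/* Added user-space model, not ksmbd source; every name here is hypothetical. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
struct conn { char *mech_token; bool use_spnego; };
static int live_allocs;                      /* outstanding token buffers */
/* Constructed samples: tag 0xA2 models mechToken, 0xA3 models mechListMIC. */
static const unsigned char GOOD[] = { 0xA2, 3, 'a', 'b', 'c', 0xA3, 1, 0 };
static const unsigned char BAD[]  = { 0xA2, 3, 'a', 'b', 'c', 0xA3, 0x7F, 0 };

/* Action callback: runs the moment the walker reaches the token element. */
static void on_mech_token(struct conn *c, const unsigned char *v, size_t n) {
    if (c->mech_token || !(c->mech_token = calloc(1, n + 1)))
        return;
    memcpy(c->mech_token, v, n);             /* calloc left the NUL in place */
    live_allocs++;
}

/* Toy tag/length/value walk; nonzero if an element overruns the buffer. */
static int decode(struct conn *c, const unsigned char *p, size_t len) {
    for (size_t off = 0; off < len; off += 2 + (size_t)p[off + 1]) {
        if (len - off < 2 || (size_t)p[off + 1] > len - off - 2)
            return -1;                       /* earlier callbacks already ran */
        if (p[off] == 0xA2)
            on_mech_token(c, p + off + 2, p[off + 1]);
    }
    return 0;
}

static void release(struct conn *c) {        /* unconditional free */
    live_allocs -= c->mech_token != NULL;
    free(c->mech_token);
    c->mech_token = NULL;
}

/* One setup attempt; returns how many token buffers are still live. */
static int session_setup(struct conn *c, const unsigned char *b, size_t n, bool gated) {
    c->use_spnego = decode(c, b, n) == 0;    /* cleared when decoding fails */
    if (!gated || c->use_spnego)             /* gated models the pre-fix check */
        release(c);
    return live_allocs;
}
int main(void) {
    struct conn c = { 0 };
    printf("gated cleanup: %d live\n", session_setup(&c, BAD, sizeof BAD, true));
    release(&c);                             /* teardown always frees */
    return 0;
}
```

With the gated cleanup the buffer allocated by the callback outlives the failed decode; with the unconditional cleanup, or the teardown free, nothing stays live.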

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31610.json",
    "cna_assigner": "Linux"
}

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events:
Introduced: fad4161b5cd01a24202234976ebbb133f7adc0b5
Fixed: 745a535461bbb90a56d9357573c9f97a5c12abe1
Fixed: dd577cb55588ec3fbc66af3621280306601c4192
Fixed: dd53414e301beb915fe672dc4c4a51bafb917604
Fixed: 269c800a7a7e363459291885b35f7bc72e231ed6
Fixed: 6c8c44e6553b9f072f62d9875e567766eb293162
Fixed: ad0057fb91218914d6c98268718ceb9d59b388e1

Database specific

source: "https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31610.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type       Introduced  Fixed
ECOSYSTEM  5.15.0      6.6.136
ECOSYSTEM  6.7.0       6.12.83
ECOSYSTEM  6.13.0      6.18.24
ECOSYSTEM  6.19.0      6.19.14
ECOSYSTEM  6.20.0      7.0.1

Database specific

source: "https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31610.json"