In the Linux kernel, the following vulnerability has been resolved:
ksmbd: fix use-after-free in __ksmbd_close_fd() via durable scavenger
When a durable file handle survives session disconnect (TCP close without SMB2_LOGOFF), session_fd_check() sets fp->conn = NULL to preserve the handle for later reconnection. However, it did not clean up the byte-range locks on fp->lock_list.
Later, when the durable scavenger thread times out and calls __ksmbd_close_fd(NULL, fp), the lock cleanup loop did:
spin_lock(&fp->conn->llist_lock);
This caused a slab use-after-free because fp->conn was NULL and the original connection object had already been freed by ksmbd_tcp_disconnect().
The root cause is asymmetric cleanup: lock entries (smb_lock->clist) were left dangling on the freed conn->lock_list while fp->conn was nulled out.
To fix this issue properly, we need to handle the lifetime of smb_lock->clist across three paths:
- Safely skip clist deletion when list is empty and fp->conn is NULL.
- Remove the lock from the old connection's lock_list in session_fd_check().
- Re-add the lock to the new connection's lock_list in ksmbd_reopen_durable_fd().
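As an added illustration, not ksmbd code and not part of the CVE record, the following user-space C model reproduces the asymmetric bookkeeping described above: each lock entry is linked on both a per-connection list (clist) and a per-file list (flist), the disconnect path nulls fp->conn and frees the connection, and the scavenger close walks the file's locks afterwards. The struct and function names are simplified stand-ins for the kernel ones named above, the spinlock is omitted, and the buggy close counts clist entries that still point into freed memory instead of unlinking them (which is where the real code dereferenced fp->conn). The fixed variant detaches the entries on disconnect and re-homes them on reconnect, so the close has nothing dangling to touch.

```c
#include <stddef.h>
#include <stdlib.h>
#include <stdio.h>

/* Minimal intrusive doubly linked list, loosely modelled on the kernel's list_head. */
struct list_head { struct list_head *next, *prev; };

static void list_init(struct list_head *h) { h->next = h->prev = h; }
static void list_add(struct list_head *n, struct list_head *h)
{
    n->next = h->next; n->prev = h; h->next->prev = n; h->next = n;
}
static void list_del_init(struct list_head *n)
{
    n->prev->next = n->next; n->next->prev = n->prev; list_init(n);
}
static int list_empty(const struct list_head *h) { return h->next == h; }
#define list_entry(p, T, m) ((T *)((char *)(p) - offsetof(T, m)))

/* Hypothetical stand-ins for ksmbd_conn, ksmbd_file and ksmbd_lock. */
struct conn { struct list_head lock_list; };                    /* per-connection locks   */
struct fp   { struct conn *conn; struct list_head lock_list; }; /* durable file handle    */
struct lock { struct list_head clist; struct list_head flist; };/* on conn list, on fp list */

static struct conn *conn_new(void)
{ struct conn *c = malloc(sizeof *c); list_init(&c->lock_list); return c; }

static struct fp *fp_open(struct conn *c)
{ struct fp *f = malloc(sizeof *f); f->conn = c; list_init(&f->lock_list); return f; }

/* Take a byte-range lock: one entry, linked on both lists. This dual linkage is
 * what has to be kept symmetric across disconnect, reconnect and close. */
static void fp_lock(struct fp *f)
{
    struct lock *l = malloc(sizeof *l);
    list_add(&l->clist, &f->conn->lock_list);
    list_add(&l->flist, &f->lock_list);
}

/* Buggy disconnect: only nulls fp->conn; every clist still points into the conn. */
static void session_fd_check_buggy(struct fp *f) { f->conn = NULL; }

/* Fixed disconnect: unlink each lock from the old connection before dropping it. */
static void session_fd_check_fixed(struct fp *f)
{
    struct list_head *p;
    for (p = f->lock_list.next; p != &f->lock_list; p = p->next)
        list_del_init(&list_entry(p, struct lock, flist)->clist);
    f->conn = NULL;
}

/* Reconnect: re-home the surviving locks on the new connection's list. */
static void reopen_durable_fd(struct fp *f, struct conn *c)
{
    struct list_head *p;
    f->conn = c;
    for (p = f->lock_list.next; p != &f->lock_list; p = p->next)
        list_add(&list_entry(p, struct lock, flist)->clist, &c->lock_list);
}

/* Scavenger close. With a live conn the clist entry is unlinked normally. With
 * fp->conn == NULL a self-linked clist is skipped safely; a clist that is still
 * chained is counted as dangling instead of being unlinked (unlinking it would
 * write through pointers into freed memory, the original use-after-free). */
static int close_fd(struct fp *f)
{
    int dangling = 0;
    struct list_head *p, *n;
    for (p = f->lock_list.next; p != &f->lock_list; p = n) {
        struct lock *l = list_entry(p, struct lock, flist);
        n = p->next;
        if (f->conn)
            list_del_init(&l->clist);
        else if (!list_empty(&l->clist))
            dangling++;
        list_del_init(&l->flist);
        free(l);
    }
    free(f);
    return dangling;
}

/* Disconnect without logoff, conn freed (tcp disconnect), scavenger closes later. */
static int scenario_buggy_timeout(void)
{
    struct conn *c = conn_new(); struct fp *f = fp_open(c);
    fp_lock(f); fp_lock(f);
    session_fd_check_buggy(f); free(c);
    return close_fd(f);          /* both locks still chained into the freed conn */
}

static int scenario_fixed_timeout(void)
{
    struct conn *c = conn_new(); struct fp *f = fp_open(c);
    fp_lock(f); fp_lock(f);
    session_fd_check_fixed(f); free(c);
    return close_fd(f);          /* nothing dangling */
}

/* Disconnect, reconnect on a new conn, then close: locks must be re-homed and removed. */
static int scenario_fixed_reconnect(void)
{
    struct conn *c1 = conn_new(), *c2 = conn_new(); struct fp *f = fp_open(c1);
    fp_lock(f); fp_lock(f);
    session_fd_check_fixed(f); free(c1);
    reopen_durable_fd(f, c2);
    int rehomed = !list_empty(&c2->lock_list);
    int dangling = close_fd(f);
    int clean = list_empty(&c2->lock_list);
    free(c2);
    return rehomed && dangling == 0 && clean;
}

int main(void)
{
    printf("buggy: %d dangling, fixed: %d dangling, reconnect ok: %d\n",
           scenario_buggy_timeout(), scenario_fixed_timeout(), scenario_fixed_reconnect());
    return 0;
}
```

The model never reads through the freed connection even in the buggy path, so it runs clean under ASan; in the kernel the same dangling clist was unlinked through fp->conn->llist_lock, which is the slab use-after-free the fix removes.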
{
"cna_assigner": "Linux",
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31718.json"
}