CVE-2026-31444

Critical

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: fix use-after-free and NULL deref in smb_grant_oplock()

smb_grant_oplock() has two issues in the oplock publication sequence:

1) opinfo is linked into ci->m_op_list (via opinfo_add) before add_lease_global_list() is called. If add_lease_global_list() fails (kmalloc returns NULL), the error path frees the opinfo via __free_opinfo() while it is still linked in ci->m_op_list. Concurrent m_op_list readers (opinfo_get_list, or direct iteration in smb_break_all_levII_oplock) dereference the freed node.

2) opinfo->o_fp is assigned after add_lease_global_list() publishes the opinfo on the global lease list. A concurrent find_same_lease_key() can walk the lease list and dereference opinfo->o_fp->f_ci while o_fp is still NULL.

Fix by restructuring the publication sequence to eliminate post-publish failure:

- Set opinfo->o_fp before any list publication (fixes NULL deref).
- Preallocate lease_table via alloc_lease_table() before opinfo_add() so add_lease_global_list() becomes infallible after publication.
- Keep the original m_op_list publication order (opinfo_add before lease list) so concurrent opens via same_client_has_lease() and opinfo_get_list() still see the in-flight grant.
- Use opinfo_put() instead of __free_opinfo() on err_out so that the RCU-deferred free path is used.

This also requires splitting add_lease_global_list() to take a preallocated lease_table and changing its return type from int to void, since it can no longer fail.
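The two bugs in the fix description are ordering bugs, not parsing bugs, so they are easiest to see in a small model of the publication sequence. The following C program is an added example written for this page; it is not the kernel's code. The struct layouts, the helper names (probe_readers, run_grant, the _old suffix), the single global lease list and the `freed` flag that stands in for slab poisoning are all assumptions made for the illustration. It runs the grant in the vulnerable order and in the fixed order, with and without an injected allocation failure, and records what a reader walking ci->m_op_list or the lease list would hit in each window.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Userspace model of the objects named in the fix description; layouts, helper
 * names and the `freed` flag are constructed for this example, not kernel code. */
struct ksmbd_file  { int f_ci; };             /* find_same_lease_key() derefs o_fp->f_ci */
struct lease_table { int lease_key; };
struct oplock_info {
    struct ksmbd_file  *o_fp;                 /* owning file, NULL until assigned */
    struct lease_table *o_lease;
    struct oplock_info *m_op_next;            /* ci->m_op_list link */
    struct oplock_info *lease_next;           /* global lease list link */
    bool freed;                               /* stands in for slab poisoning */
};
struct ksmbd_inode { struct oplock_info *m_op_list; };
enum { GRANT_FAILED = 1, FREED_NODE_VISIBLE = 2, NULL_FP_VISIBLE = 4 };

static struct oplock_info *lease_list;        /* global lease list */
static struct ksmbd_file sample_file = { .f_ci = 1 };
static bool fail_next_alloc;                  /* injects one kmalloc() failure */

static struct lease_table *alloc_lease_table(void)
{
    if (fail_next_alloc) { fail_next_alloc = false; return NULL; }
    return calloc(1, sizeof(struct lease_table));
}

/* Models __free_opinfo(): mark the node dead instead of free()ing it, so a later
 * touch is detectable without undefined behaviour (the memory is leaked). */
static void free_opinfo(struct oplock_info *o) { o->freed = true; }

/* Publication on ci->m_op_list: from here, m_op_list walkers can see o. */
static void opinfo_add(struct ksmbd_inode *ci, struct oplock_info *o)
{ o->m_op_next = ci->m_op_list; ci->m_op_list = o; }

/* Old add_lease_global_list(): allocates and publishes in one step, so it can
 * fail after the caller has already linked o into m_op_list. */
static int add_lease_global_list_old(struct oplock_info *o)
{
    o->o_lease = alloc_lease_table();
    if (!o->o_lease) return -1;
    o->lease_next = lease_list;
    lease_list = o;                           /* lease walkers can see o now */
    return 0;
}

/* What a reader running at this instant would hit: opinfo_get_list() walking
 * ci->m_op_list, and find_same_lease_key() walking the lease list. */
static int probe_readers(const struct ksmbd_inode *ci)
{
    int seen = 0;
    for (const struct oplock_info *p = ci->m_op_list; p; p = p->m_op_next)
        if (p->freed) seen |= FREED_NODE_VISIBLE;
    for (const struct oplock_info *p = lease_list; p; p = p->lease_next)
        if (!p->o_fp) seen |= NULL_FP_VISIBLE;
    return seen;
}

/* Vulnerable order: publish on m_op_list, then allocate and publish the lease,
 * then set o_fp. A lease allocation failure frees a node still on the list. */
static int grant_vulnerable(struct ksmbd_inode *ci, struct ksmbd_file *fp, int *seen)
{
    struct oplock_info *o = calloc(1, sizeof(*o));
    if (!o) return -1;
    opinfo_add(ci, o);                        /* published with o_fp == NULL */
    if (add_lease_global_list_old(o)) {
        free_opinfo(o);                       /* still linked into ci->m_op_list */
        return -1;
    }
    *seen |= probe_readers(ci);               /* window before o_fp is assigned */
    o->o_fp = fp;
    return 0;
}

/* Fixed order: set o_fp first, preallocate the lease table, then publish.
 * Nothing can fail once the node is visible, so the lease-list add is void. */
static int grant_fixed(struct ksmbd_inode *ci, struct ksmbd_file *fp, int *seen)
{
    struct oplock_info *o = calloc(1, sizeof(*o));
    if (!o) return -1;
    o->o_fp = fp;
    struct lease_table *lt = alloc_lease_table();
    if (!lt) { free_opinfo(o); return -1; }   /* never published: no reader holds it */
    opinfo_add(ci, o);
    o->o_lease = lt;                          /* infallible add_lease_global_list() */
    o->lease_next = lease_list;
    lease_list = o;
    *seen |= probe_readers(ci);
    return 0;
}

/* One grant on a fresh inode, optionally with an injected allocation failure;
 * returns what readers saw during and after the call, plus GRANT_FAILED. */
int run_grant(bool fixed, bool inject_alloc_failure)
{
    struct ksmbd_inode ci = { 0 };
    int seen = 0;
    fail_next_alloc = inject_alloc_failure;
    int rc = fixed ? grant_fixed(&ci, &sample_file, &seen)
                   : grant_vulnerable(&ci, &sample_file, &seen);
    seen |= probe_readers(&ci);               /* a reader arriving after the call */
    return seen | (rc ? GRANT_FAILED : 0);
}
```

run_grant(false, true) reports a freed node still reachable from m_op_list (bug 1) and run_grant(false, false) reports a lease-list entry with a NULL o_fp in the window before assignment (bug 2); both fixed variants report neither. The model leaves out the last bullet of the fix, the switch from __free_opinfo() to opinfo_put() on err_out: in the kernel that matters because any remaining release after publication must go through the RCU-deferred path, whereas here no release can happen after publication at all.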

Package: Linux Kernel
Published: 2026-04-22
Last modified: 2026-05-07
CVSS version: 3.1
Patch available: Not yet patched

CVSS 3.1 score: 9.8 out of 10 (Critical)

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Weakness type

CWE-416

CVE-2026-31444 is a Use After Free vulnerability (paired with a NULL pointer dereference on the same code path) in ksmbd, the Linux in-kernel SMB3 server. The affected code is only reachable on hosts that have the ksmbd module loaded and are serving shares through it; lsmod | grep -w ksmbd shows whether a host is exposed at all.

What is Use After Free?

The product references memory after it has been freed, which may cause it to crash, use unexpected values, or execute code. Learn more on MITRE CWE

Affected versions

The affected range starts at 6.6.130 on the 6.6 stable series, 6.12.78 on 6.12, 6.18.19 on 6.18 and 6.19.9 on 6.19; later releases in each of those series are affected. No fixed version has been recorded yet.

Affected from
≥ 6.6.130 (6.6.y), ≥ 6.12.78 (6.12.y), ≥ 6.18.19 (6.18.y), ≥ 6.19.9 (6.19.y)

References

The following references provide additional information about CVE-2026-31444 including vendor advisories, patch commits, exploit details, and third-party analysis. Links are sourced from the NIST NVD database.

Frequently asked questions

  • What is CVE-2026-31444?

    CVE-2026-31444 is a Critical severity Linux kernel vulnerability with a CVSS score of 9.8 out of 10, classified as a Use After Free flaw (CWE-416) in the ksmbd SMB server. It affects Linux kernel versions from 6.6.130 onward, and from 6.12.78, 6.18.19 and 6.19.9 on the later stable series. CVE-2026-31444 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

  • What is the CVSS score for CVE-2026-31444?

    CVE-2026-31444 has a CVSS score of 9.8 out of 10, rated Critical severity (CVSS 3.1). The vector string is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.

  • Is there a patch available for CVE-2026-31444?

    No fixed version has been recorded for CVE-2026-31444 yet. The description above is the upstream kernel fix commit, so the change itself exists in the kernel tree, but no fixed release number is recorded against this CVE. Monitor the NIST NVD and your Linux distribution's security advisories for updates.

  • Is CVE-2026-31444 actively exploited?

    No — CVE-2026-31444 has not been confirmed as actively exploited. It is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.

  • What is Use After Free (CWE-416)?

    The product references memory after it has been freed, which may cause it to crash, use unexpected values, or execute code. View CWE-416 on MITRE CWE →