CVE-2026-31476
Published: 22 April 2026
Description
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: do not expire session on binding failure
When a multichannel session binding request fails (e.g. wrong password), the error path unconditionally sets sess->state = SMB2_SESSION_EXPIRED. However, during binding, sess points to the target session looked up via ksmbd_session_lookup_slowpath() -- which belongs to another connection's user. This allows a remote attacker to invalidate any active session by simply sending a binding request with a wrong password (DoS).
Fix this by skipping session expiration when the failed request was a binding attempt, since the session does not belong to the current connection. The reference taken by ksmbd_session_lookup_slowpath() is still correctly released via ksmbd_user_session_put().
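The error path described above, reduced to a user-space C model as an added example (this is not the kernel's code or the upstream patch). Only SMB2_SESSION_EXPIRED is a name from the advisory; the struct, the lookup stand-in, the `patched` switch and the sample credentials are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* User-space model of the error path, not kernel code. Only
 * SMB2_SESSION_EXPIRED is taken from the advisory; other names are assumed. */
enum sess_state { SMB2_SESSION_VALID, SMB2_SESSION_EXPIRED };

struct session {
    unsigned long id;
    enum sess_state state;
    int refs;              /* stand-in for the reference the lookup takes */
    const char *password;  /* constructed credential */
};

/* Stand-in for the global lookup used while binding; takes a reference. */
static struct session *lookup(struct session *tbl, size_t n, unsigned long id)
{
    for (size_t i = 0; i < n; i++)
        if (tbl[i].id == id) { tbl[i].refs++; return &tbl[i]; }
    return NULL;
}

/* One session-setup request. is_binding: sess belongs to another connection.
 * patched selects the fixed error path. Returns 0 on success, -1 on failure. */
int sess_setup(struct session *tbl, size_t n, unsigned long id,
               const char *password, bool is_binding, bool patched)
{
    struct session *sess = lookup(tbl, n, id);
    if (!sess)
        return -1;
    int rc = strcmp(sess->password, password) == 0 ? 0 : -1;
    if (rc < 0) {
        /* Pre-fix: unconditional. Fixed: skipped for binding attempts. */
        if (!patched || !is_binding)
            sess->state = SMB2_SESSION_EXPIRED;
    }
    sess->refs--;          /* reference released on every path */
    return rc;
}

/* Send one wrong-password request at a constructed session; return its state. */
enum sess_state state_after_failure(bool is_binding, bool patched, int *refs)
{
    struct session tbl[] = { { 0x1001, SMB2_SESSION_VALID, 0, "constructed" } };
    sess_setup(tbl, 1, 0x1001, "wrong", is_binding, patched);
    *refs = tbl[0].refs;
    return tbl[0].state;
}
```

In the model, a failed non-binding request still expires the session in both variants, which matches the fix being limited to binding attempts.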
Mitigating Controls (NIST 800-53 r5) [AI]
Directly remediates the CVE by applying kernel patches that prevent improper session expiration during failed multichannel binding requests.
Ensures that error handling for ksmbd binding failures does not modify the session state of other connections without authorization, addressing the root flaw.
Provides denial-of-service protections such as rate limiting SMB binding requests to mitigate session exhaustion attacks exploiting this vulnerability.
Security Summary [AI]
CVE-2026-31476 is a vulnerability in the Linux kernel's ksmbd module, the kernel-based Samba server implementation. The issue arises during multichannel session binding requests: when such a request fails (for example, due to a wrong password), the error handling path unconditionally sets the state of the target session—looked up via ksmbd_session_lookup_slowpath() from another connection—to SMB2_SESSION_EXPIRED. This flaw affects Linux systems running ksmbd with SMB2/3 multichannel support enabled, with a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H).
A remote, unauthenticated attacker can exploit this vulnerability by sending a malformed multichannel session binding request with invalid credentials to a vulnerable ksmbd instance. The lookup targets an active session belonging to a different connection's user, causing that session to be invalidated without proper ownership checks. This results in a denial-of-service condition, as the attacker can repeatedly expire arbitrary active sessions, disrupting SMB access for legitimate users. The impact is primarily a high loss of availability, with minor integrity effects.
Mitigation involves applying the upstream kernel patches referenced in the stable git commits, such as 1d1888b4a7aec518b707f6eca0bf08992c0e8da3, 6fafc4c4238e538969f1375f9ecdc6587c53f1cc, 9bbb19d21ded7d78645506f20d8c44895e3d0fb9, a897064a457056acb976e20e3007cdf553de340f, and e0e5edc81b241c70355217de7e120c97c3429deb. These fixes prevent session expiration specifically during failed binding attempts while correctly releasing the session reference, ensuring the vulnerability is addressed without broader changes to ksmbd session handling. Security practitioners should update to a patched kernel version supporting ksmbd and monitor for exposure in environments using SMB file sharing.
MITRE ATT&CK Enterprise Techniques [AI]
Why these techniques?
The vulnerability allows remote unauthenticated exploitation of a public-facing SMB server (ksmbd) to cause denial-of-service by expiring arbitrary sessions, directly mapping to T1190 (exploit public-facing application) and T1499.004 (application exploitation for endpoint DoS).