CVE-2026-31476 - Vulnerability Details

In the Linux kernel, the following vulnerability has been resolved: ksmbd: do not expire session on binding failure When a multichannel session binding request fails (e.g. wrong password), the error path unconditionally sets sess->state = SMB2_SESSION_EXPIRED. However, during binding, sess points to the target session looked up via ksmbd_session_lookup_slowpath() -- which belongs to another connection's user. This allows a remote attacker to invalidate any active session by simply sending a binding request with a wrong password (DoS). Fix this by skipping session expiration when the failed request was a binding attempt, since the session does not belong to the current connection. The reference taken by ksmbd_session_lookup_slowpath() is still correctly released via ksmbd_user_session_put().

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

Vendors	Products
Linux	Linux Kernel

No data.

OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.

Vendors	Products
Linux	Linux Kernel

References

Link	Providers
https://git.kernel.org/stable/c/1d1888b4a7aec518b707f6eca0bf08992c0e8da3
https://git.kernel.org/stable/c/6fafc4c4238e538969f1375f9ecdc6587c53f1cc
https://git.kernel.org/stable/c/9bbb19d21ded7d78645506f20d8c44895e3d0fb9
https://git.kernel.org/stable/c/a897064a457056acb976e20e3007cdf553de340f
https://git.kernel.org/stable/c/e0e5edc81b241c70355217de7e120c97c3429deb
https://git.kernel.org/stable/c/f5300690c23c5ac860499bb37dbc09cf43fd62e6

History

Wed, 22 Apr 2026 14:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: ksmbd: do not expire session on binding failure When a multichannel session binding request fails (e.g. wrong password), the error path unconditionally sets sess->state = SMB2_SESSION_EXPIRED. However, during binding, sess points to the target session looked up via ksmbd_session_lookup_slowpath() -- which belongs to another connection's user. This allows a remote attacker to invalidate any active session by simply sending a binding request with a wrong password (DoS). Fix this by skipping session expiration when the failed request was a binding attempt, since the session does not belong to the current connection. The reference taken by ksmbd_session_lookup_slowpath() is still correctly released via ksmbd_user_session_put().
Title		ksmbd: do not expire session on binding failure
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/1d1888b4a7aec518b707f6eca0bf08992c0e8da3 https://git.kernel.org/stable/c/6fafc4c4238e538969f1375f9ecdc6587c53f1cc https://git.kernel.org/stable/c/9bbb19d21ded7d78645506f20d8c44895e3d0fb9 https://git.kernel.org/stable/c/a897064a457056acb976e20e3007cdf553de340f https://git.kernel.org/stable/c/e0e5edc81b241c70355217de7e120c97c3429deb https://git.kernel.org/stable/c/f5300690c23c5ac860499bb37dbc09cf43fd62e6

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-04-22T13:54:04.779Z

Updated: 2026-04-22T13:54:04.779Z

Reserved: 2026-03-09T15:48:24.098Z

Link: CVE-2026-31476

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-22T14:16:44.337

Modified: 2026-04-22T14:16:44.337

Link: CVE-2026-31476

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T17:00:11Z

Metrics

Affected Vendors & Products

Metrics

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object