CVE-2026-31537 - Vulnerability Details - OpenCVE

In the Linux kernel, the following vulnerability has been resolved: smb: server: make use of smbdirect_socket.send_io.bcredits It turns out that our code will corrupt the stream of reassabled data transfer messages when we trigger an immendiate (empty) send. In order to fix this we'll have a single 'batch' credit per connection. And code getting that credit is free to use as much messages until remaining_length reaches 0, then the batch credit it given back and the next logical send can happen.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

Vendors	Products
Linux	Linux Kernel

No data.

No data.

No data.

References

Link	Providers
https://git.kernel.org/stable/c/34abd408c8ba24d7c97bd02ba874d8c714f49db1
https://git.kernel.org/stable/c/5ef18a2e66f2f33fdac64437bddfb9fe6389fdc7
https://git.kernel.org/stable/c/79242e7b6bc63efec28b7c235bc320806afce6c0

History

Fri, 24 Apr 2026 15:00:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: smb: server: make use of smbdirect_socket.send_io.bcredits It turns out that our code will corrupt the stream of reassabled data transfer messages when we trigger an immendiate (empty) send. In order to fix this we'll have a single 'batch' credit per connection. And code getting that credit is free to use as much messages until remaining_length reaches 0, then the batch credit it given back and the next logical send can happen.
Title		smb: server: make use of smbdirect_socket.send_io.bcredits
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/34abd408c8ba24d7c97bd02ba874d8c714f49db1 https://git.kernel.org/stable/c/5ef18a2e66f2f33fdac64437bddfb9fe6389fdc7 https://git.kernel.org/stable/c/79242e7b6bc63efec28b7c235bc320806afce6c0

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-04-24T14:30:24.907Z

Updated: 2026-04-24T14:30:24.907Z

Reserved: 2026-03-09T15:48:24.113Z

Link: CVE-2026-31537

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-04-24T15:16:27.633

Modified: 2026-04-24T17:51:40.810

Link: CVE-2026-31537

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31537", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-03-09T15:48:24.113Z", "datePublished": "2026-04-24T14:30:24.907Z", "dateUpdated": "2026-04-24T14:30:24.907Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-04-24T14:30:24.907Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: server: make use of smbdirect_socket.send_io.bcredits\n\nIt turns out that our code will corrupt the stream of\nreassabled data transfer messages when we trigger an\nimmendiate (empty) send.\n\nIn order to fix this we'll have a single 'batch' credit per\nconnection. And code getting that credit is free to use\nas much messages until remaining_length reaches 0, then\nthe batch credit it given back and the next logical send can\nhappen."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/smb/server/transport_rdma.c"], "versions": [{"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "5ef18a2e66f2f33fdac64437bddfb9fe6389fdc7", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "79242e7b6bc63efec28b7c235bc320806afce6c0", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "34abd408c8ba24d7c97bd02ba874d8c714f49db1", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/smb/server/transport_rdma.c"], "versions": [{"version": "6.18.11", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.1", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.18.11"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.19.1"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/5ef18a2e66f2f33fdac64437bddfb9fe6389fdc7"}, {"url": "https://git.kernel.org/stable/c/79242e7b6bc63efec28b7c235bc320806afce6c0"}, {"url": "https://git.kernel.org/stable/c/34abd408c8ba24d7c97bd02ba874d8c714f49db1"}], "title": "smb: server: make use of smbdirect_socket.send_io.bcredits", "x_generator": {"engine": "bippy-1.2.0"}}}}