{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31409", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-03-09T15:48:24.087Z", "datePublished": "2026-04-06T07:38:21.223Z", "dateUpdated": "2026-04-06T07:38:21.223Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-04-06T07:38:21.223Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: unset conn->binding on failed binding request\n\nWhen a multichannel SMB2_SESSION_SETUP request with\nSMB2_SESSION_REQ_FLAG_BINDING fails ksmbd sets conn->binding = true\nbut never clears it on the error path. This leaves the connection in\na binding state where all subsequent ksmbd_session_lookup_all() calls\nfall back to the global sessions table. This fix it by clearing\nconn->binding = false in the error path."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/smb/server/smb2pdu.c"], "versions": [{"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "d073870dab8f6dadced81d13d273ff0b21cb7f4e", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "6ebef4a220a1ebe345de899ebb9ae394206fe921", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "89afe5e2dbea6e9d8e5f11324149d06fa3a4efca", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "9feb2d1bf86d9e5e66b8565f37f8d3a7d281a772", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "6260fc85ed1298a71d24a75d01f8b2e56d489a60", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "282343cf8a4a5a3603b1cb0e17a7083e4a593b03", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/smb/server/smb2pdu.c"], "versions": [{"version": "6.1.167", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.130", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.78", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.20", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.10", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0-rc5", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.167"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6.130"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.78"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.18.20"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.19.10"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "7.0-rc5"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/d073870dab8f6dadced81d13d273ff0b21cb7f4e"}, {"url": "https://git.kernel.org/stable/c/6ebef4a220a1ebe345de899ebb9ae394206fe921"}, {"url": "https://git.kernel.org/stable/c/89afe5e2dbea6e9d8e5f11324149d06fa3a4efca"}, {"url": "https://git.kernel.org/stable/c/9feb2d1bf86d9e5e66b8565f37f8d3a7d281a772"}, {"url": "https://git.kernel.org/stable/c/6260fc85ed1298a71d24a75d01f8b2e56d489a60"}, {"url": "https://git.kernel.org/stable/c/282343cf8a4a5a3603b1cb0e17a7083e4a593b03"}], "title": "ksmbd: unset conn->binding on failed binding request", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: unset conn->binding on failed binding request\n\nWhen a multichannel SMB2_SESSION_SETUP request with\nSMB2_SESSION_REQ_FLAG_BINDING fails ksmbd sets conn->binding = true\nbut never clears it on the error path. This leaves the connection in\na binding state where all subsequent ksmbd_session_lookup_all() calls\nfall back to the global sessions table. This fix it by clearing\nconn->binding = false in the error path."}], "id": "CVE-2026-31409", "lastModified": "2026-04-07T13:20:35.010", "metrics": {}, "published": "2026-04-06T08:16:38.943", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/282343cf8a4a5a3603b1cb0e17a7083e4a593b03"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/6260fc85ed1298a71d24a75d01f8b2e56d489a60"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/6ebef4a220a1ebe345de899ebb9ae394206fe921"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/89afe5e2dbea6e9d8e5f11324149d06fa3a4efca"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/9feb2d1bf86d9e5e66b8565f37f8d3a7d281a772"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/d073870dab8f6dadced81d13d273ff0b21cb7f4e"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: ksmbd: unset conn->binding on failed binding request", "id": "2455337", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2455337"}, "csaw": false, "cwe": "CWE-390", "details": ["A flaw was found in ksmbd, a component of the Linux kernel. This vulnerability occurs when a multichannel Server Message Block (SMB2) session setup request, specifically one with a binding flag, fails. Due to an error in handling this failure, ksmbd incorrectly retains a binding state for the connection. This can lead to all subsequent session lookups falling back to a global sessions table, potentially causing unexpected session management and service disruption."], "name": "CVE-2026-31409", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-06T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-31409\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31409\nhttps://lore.kernel.org/linux-cve-announce/2026040629-CVE-2026-31409-d22c@gregkh/T"]}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,d073870dab8f6dadced81d13d273ff0b21cb7f4e)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,6ebef4a220a1ebe345de899ebb9ae394206fe921)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,89afe5e2dbea6e9d8e5f11324149d06fa3a4efca)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,9feb2d1bf86d9e5e66b8565f37f8d3a7d281a772)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,6260fc85ed1298a71d24a75d01f8b2e56d489a60)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,282343cf8a4a5a3603b1cb0e17a7083e4a593b03)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.1.167,6.2.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.6.130,6.7.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.78,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.20,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.10,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0-rc5,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-07T02:29:28.424749+00:00", "value": {"mitigation_remediation": ["Upgrade the Linux kernel to a version that includes the ksmbd binding fix"], "summary": {"action": "Apply Patch", "impact": "Improper session lookup due to lingering binding flag"}, "threat_synthesis": {"affected_systems": "The flaw resides in the ksmbd component of the Linux kernel and therefore affects any Linux system that ships with an unpatched kernel version containing this component. The published CPE indicates a generic Linux kernel cover; no specific v5.xx or v6.xx range is listed, so the issue applies to all kernels that have not incorporated the patch that clears the binding flag.", "description_and_impact": "In the Linux kernel\u2019s SMB server component, a failure in handling a multichannel SMB2 session setup can leave the connection\u2019s binding flag set. The code that processes a failed request does not clear this flag, resulting in a connection that remains in a binding state. Subsequent session lookup calls fall back to using the global session table instead of the per-connection context, which is erroneous behavior for the kernel\u2019s SMB implementation.", "risk_and_exploitability": "The EPSS score is below 1% and the vulnerability is not listed in the CISA KEV catalog, suggesting a low probability of exploitation. While the description does not explicitly state an attack vector, the fix addresses behavior triggered by malformed or failed SMB2 session setup packets, implying that exposing a running ksmbd service to SMB traffic could present a potential exploitation path. However, no explicit exploitation details, such as authentication bypass or code execution, are provided in the input."}}}}, "created": "2026-04-06T20:14:53.318914+00:00", "updated": "2026-04-07T06:55:02.787265+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}