{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-31610","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2026-03-09T15:48:24.122Z","datePublished":"2026-04-24T14:42:31.471Z","dateUpdated":"2026-05-11T22:12:08.314Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T22:12:08.314Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix mechToken leak when SPNEGO decode fails after token alloc\n\nThe kernel ASN.1 BER decoder calls action callbacks incrementally as it\nwalks the input.  When ksmbd_decode_negTokenInit() reaches the mechToken\n[2] OCTET STRING element, ksmbd_neg_token_alloc() allocates\nconn->mechToken immediately via kmemdup_nul().  If a later element in\nthe same blob is malformed, then the decoder will return nonzero after\nthe allocation is already live.  This could happen if mechListMIC [3]\noverruns the enclosing SEQUENCE.\n\ndecode_negotiation_token() then sets conn->use_spnego = false because\nboth the negTokenInit and negTokenTarg grammars failed.  The cleanup at\nthe bottom of smb2_sess_setup() is gated on use_spnego:\n\n\tif (conn->use_spnego && conn->mechToken) {\n\t\tkfree(conn->mechToken);\n\t\tconn->mechToken = NULL;\n\t}\n\nso the kfree is skipped, causing the mechToken to never be freed.\n\nThis codepath is reachable pre-authentication, so untrusted clients can\ncause slow memory leaks on a server without even being properly\nauthenticated.\n\nFix this up by not checking for use_spnego, as it's not required,\nso the memory will always be properly freed.  At the same time, always\nfree the memory in ksmbd_conn_free() in case some other failure path\nforgot to free it."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/smb/server/connection.c","fs/smb/server/smb2pdu.c"],"versions":[{"version":"fad4161b5cd01a24202234976ebbb133f7adc0b5","lessThan":"745a535461bbb90a56d9357573c9f97a5c12abe1","status":"affected","versionType":"git"},{"version":"fad4161b5cd01a24202234976ebbb133f7adc0b5","lessThan":"dd577cb55588ec3fbc66af3621280306601c4192","status":"affected","versionType":"git"},{"version":"fad4161b5cd01a24202234976ebbb133f7adc0b5","lessThan":"dd53414e301beb915fe672dc4c4a51bafb917604","status":"affected","versionType":"git"},{"version":"fad4161b5cd01a24202234976ebbb133f7adc0b5","lessThan":"269c800a7a7e363459291885b35f7bc72e231ed6","status":"affected","versionType":"git"},{"version":"fad4161b5cd01a24202234976ebbb133f7adc0b5","lessThan":"6c8c44e6553b9f072f62d9875e567766eb293162","status":"affected","versionType":"git"},{"version":"fad4161b5cd01a24202234976ebbb133f7adc0b5","lessThan":"ad0057fb91218914d6c98268718ceb9d59b388e1","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/smb/server/connection.c","fs/smb/server/smb2pdu.c"],"versions":[{"version":"5.15","status":"affected"},{"version":"0","lessThan":"5.15","status":"unaffected","versionType":"semver"},{"version":"6.6.136","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.83","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.18.24","lessThanOrEqual":"6.18.*","status":"unaffected","versionType":"semver"},{"version":"6.19.14","lessThanOrEqual":"6.19.*","status":"unaffected","versionType":"semver"},{"version":"7.0.1","lessThanOrEqual":"7.0.*","status":"unaffected","versionType":"semver"},{"version":"7.1-rc1","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15","versionEndExcluding":"6.6.136"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15","versionEndExcluding":"6.12.83"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15","versionEndExcluding":"6.18.24"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15","versionEndExcluding":"6.19.14"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15","versionEndExcluding":"7.0.1"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15","versionEndExcluding":"7.1-rc1"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/745a535461bbb90a56d9357573c9f97a5c12abe1"},{"url":"https://git.kernel.org/stable/c/dd577cb55588ec3fbc66af3621280306601c4192"},{"url":"https://git.kernel.org/stable/c/dd53414e301beb915fe672dc4c4a51bafb917604"},{"url":"https://git.kernel.org/stable/c/269c800a7a7e363459291885b35f7bc72e231ed6"},{"url":"https://git.kernel.org/stable/c/6c8c44e6553b9f072f62d9875e567766eb293162"},{"url":"https://git.kernel.org/stable/c/ad0057fb91218914d6c98268718ceb9d59b388e1"}],"title":"ksmbd: fix mechToken leak when SPNEGO decode fails after token alloc","x_generator":{"engine":"bippy-1.2.0"}}}}