CVE-2026-31717 (GCVE-0-2026-31717)
Vulnerability from cvelistv5 – Published: 2026-05-01 13:56 – Updated: 2026-06-14 17:44
VLAI?
Title
ksmbd: validate owner of durable handle on reconnect
Summary
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: validate owner of durable handle on reconnect
Currently, ksmbd does not verify if the user attempting to reconnect
to a durable handle is the same user who originally opened the file.
This allows any authenticated user to hijack an orphaned durable handle
by predicting or brute-forcing the persistent ID.
According to MS-SMB2, the server MUST verify that the SecurityContext
of the reconnect request matches the SecurityContext associated with
the existing open.
Add a durable_owner structure to ksmbd_file to store the original opener's
UID, GID, and account name. and catpure the owner information when a file
handle becomes orphaned. and implementing ksmbd_vfs_compare_durable_owner()
to validate the identity of the requester during SMB2_CREATE (DHnC).
Severity ?
8.8 (High)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
8df4bcdb0a4232192b2445256c39b787d58ef14d , < 712cdf917e77a6444ce3836874829d770db20ee6
(git)
Affected: c8efcc786146a951091588e5fa7e3c754850cb3c , < c7f0f0d01c88bdcb8b1694d7d321670013f7ed7d (git) Affected: c8efcc786146a951091588e5fa7e3c754850cb3c , < 00ce8d6789dae72d042a4522264964c72891ca37 (git) Affected: c8efcc786146a951091588e5fa7e3c754850cb3c , < c908c853f304a4969b5aa10eba0b50350cc65b80 (git) Affected: c8efcc786146a951091588e5fa7e3c754850cb3c , < 49110a8ce654bbe56bef7c5e44cce31f4b102b8a (git) Affected: 6.6.32 , < 6.6.142 (semver) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/server/mgmt/user_session.c",
"fs/smb/server/oplock.c",
"fs/smb/server/oplock.h",
"fs/smb/server/smb2pdu.c",
"fs/smb/server/vfs_cache.c",
"fs/smb/server/vfs_cache.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "712cdf917e77a6444ce3836874829d770db20ee6",
"status": "affected",
"version": "8df4bcdb0a4232192b2445256c39b787d58ef14d",
"versionType": "git"
},
{
"lessThan": "c7f0f0d01c88bdcb8b1694d7d321670013f7ed7d",
"status": "affected",
"version": "c8efcc786146a951091588e5fa7e3c754850cb3c",
"versionType": "git"
},
{
"lessThan": "00ce8d6789dae72d042a4522264964c72891ca37",
"status": "affected",
"version": "c8efcc786146a951091588e5fa7e3c754850cb3c",
"versionType": "git"
},
{
"lessThan": "c908c853f304a4969b5aa10eba0b50350cc65b80",
"status": "affected",
"version": "c8efcc786146a951091588e5fa7e3c754850cb3c",
"versionType": "git"
},
{
"lessThan": "49110a8ce654bbe56bef7c5e44cce31f4b102b8a",
"status": "affected",
"version": "c8efcc786146a951091588e5fa7e3c754850cb3c",
"versionType": "git"
},
{
"lessThan": "6.6.142",
"status": "affected",
"version": "6.6.32",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/smb/server/mgmt/user_session.c",
"fs/smb/server/oplock.c",
"fs/smb/server/oplock.h",
"fs/smb/server/smb2pdu.c",
"fs/smb/server/vfs_cache.c",
"fs/smb/server/vfs_cache.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.9"
},
{
"lessThan": "6.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.142",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.92",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.25",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.142",
"versionStartIncluding": "6.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.92",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.25",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.2",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "6.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: validate owner of durable handle on reconnect\n\nCurrently, ksmbd does not verify if the user attempting to reconnect\nto a durable handle is the same user who originally opened the file.\nThis allows any authenticated user to hijack an orphaned durable handle\nby predicting or brute-forcing the persistent ID.\n\nAccording to MS-SMB2, the server MUST verify that the SecurityContext\nof the reconnect request matches the SecurityContext associated with\nthe existing open.\nAdd a durable_owner structure to ksmbd_file to store the original opener\u0027s\nUID, GID, and account name. and catpure the owner information when a file\nhandle becomes orphaned. and implementing ksmbd_vfs_compare_durable_owner()\nto validate the identity of the requester during SMB2_CREATE (DHnC)."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T17:44:27.892Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/712cdf917e77a6444ce3836874829d770db20ee6"
},
{
"url": "https://git.kernel.org/stable/c/c7f0f0d01c88bdcb8b1694d7d321670013f7ed7d"
},
{
"url": "https://git.kernel.org/stable/c/00ce8d6789dae72d042a4522264964c72891ca37"
},
{
"url": "https://git.kernel.org/stable/c/c908c853f304a4969b5aa10eba0b50350cc65b80"
},
{
"url": "https://git.kernel.org/stable/c/49110a8ce654bbe56bef7c5e44cce31f4b102b8a"
}
],
"title": "ksmbd: validate owner of durable handle on reconnect",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31717",
"datePublished": "2026-05-01T13:56:12.012Z",
"dateReserved": "2026-03-09T15:48:24.134Z",
"dateUpdated": "2026-06-14T17:44:27.892Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…