HIGH

CVE-2026-31711

Published: May 1, 2026 · Updated: May 6, 2026

CVSS v3.1 base score: 7.5
EPSS: 0.19% probability of exploitation in 30 days (41.0th percentile)

Official Description

In the Linux kernel, the following vulnerability has been resolved:

smb: server: fix active_num_conn leak on transport allocation failure

Commit 77ffbcac4e56 ("smb: server: fix leak of active_num_conn in ksmbd_tcp_new_connection()") addressed the kthread_run() failure path. The earlier alloc_transport() == NULL path in the same function has the same leak, is reachable pre-authentication via any TCP connect to port 445, and was empirically reproduced on UML (ARCH=um, v7.0-rc7): a small number of forced allocation failures were sufficient to put ksmbd into a state where every subsequent connection attempt was rejected for the remainder of the boot.

ksmbd_kthread_fn() increments active_num_conn before calling ksmbd_tcp_new_connection() and discards the return value, so when alloc_transport() returns NULL the socket is released and -ENOMEM returned without decrementing the counter. Each such failure permanently consumes one slot from the max_connections pool; once cumulative failures reach the cap, atomic_inc_return() hits the threshold on every subsequent accept and every new connection is rejected. The counter is only reset by module reload.

An unauthenticated remote attacker can drive the server toward the memory pressure that makes alloc_transport() fail by holding open connections with large RFC1002 lengths up to MAX_STREAM_PROT_LEN (0x00FFFFFF); natural transient allocation failures on a loaded host produce the same drift more slowly.

Mirror the existing rollback pattern in ksmbd_kthread_fn(): on the alloc_transport() failure path, decrement active_num_conn gated on server_conf.max_connections.

Repro details: with the patch reverted, forced alloc_transport() NULL returns leaked counter slots and subsequent connection attempts -- including legitimate connects issued after the forced-fail window had closed -- were all rejected with "Limit the maximum number of connections". With this patch applied, the same connect sequence produces no rejections and the counter cycles cleanly between zero and one on every accept.

NVD Source

Technical Analysis

CVE-2026-31711 is reachable by anyone who can complete a TCP connection to port 445 on a host running the in-kernel ksmbd SMB server. The leaky path sits before authentication, so no credentials, privileges or user interaction are needed (AV:N/AC:L/PR:N/UI:N).

The mechanism is a counter leak rather than memory corruption: ksmbd_kthread_fn() increments active_num_conn before ksmbd_tcp_new_connection() runs, and when alloc_transport() returns NULL the connection is torn down without the matching decrement. Each such failure permanently consumes one slot of the max_connections pool, and once enough have accumulated every subsequent accept trips the limit check and is rejected with "Limit the maximum number of connections". An attacker can induce the allocation failures by holding open connections that advertise large RFC1002 lengths (up to MAX_STREAM_PROT_LEN, 0x00FFFFFF); ordinary transient allocation failures on a busy host push the counter the same way, only more slowly.

The consequence is a persistent denial of service of the SMB server: there is no confidentiality or integrity impact and no code execution, and the counter is only reset by reloading the ksmbd module, which is why the CVSS v3.1 base score is 7.5 (High) on availability alone. EPSS is currently 0.19% and no public exploit has been confirmed, so the practical exposure is limited to hosts that expose ksmbd on port 445 to untrusted networks.
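The following is an added, stand-alone C model of the accept-loop accounting described in the commit message above; it is not kernel code and not ksmbd's own source. The names (active_num_conn, max_connections, alloc_transport) follow the description; the limit comparison "incremented value >= max_connections", the immediate clean close of a successful connection, and the force_alloc_fail hook that stands in for attacker-induced memory pressure are modelling assumptions. The fixed flag switches between the leaky path and the patched rollback so both behaviours can be compared on the same connect sequence.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Model of the ksmbd connection cap (assumed shape; not kernel code). */
struct srv {
    int  max_connections;  /* server_conf.max_connections; 0 = no cap */
    int  active_num_conn;  /* atomic_t in the kernel; plain int here */
    bool force_alloc_fail; /* test hook standing in for memory pressure */
};

/* alloc_transport(): NULL under (forced) memory pressure. */
static void *alloc_transport(struct srv *s)
{
    static int transport_obj;
    return s->force_alloc_fail ? NULL : &transport_obj;
}

/* ksmbd_tcp_new_connection(): 0 on success, -ENOMEM if no transport.
 * `fixed` selects the patched behaviour (rollback of the counter). */
static int tcp_new_connection(struct srv *s, bool fixed)
{
    void *t = alloc_transport(s);
    if (!t) {
        /* The socket is released here in the real code. Unpatched, the
         * slot taken by the caller's increment is never given back. */
        if (fixed && s->max_connections)
            s->active_num_conn--;   /* the rollback the patch adds */
        return -ENOMEM;
    }
    /* Connection handled; model an immediate clean close, which is where
     * the kernel normally returns the slot. */
    if (s->max_connections)
        s->active_num_conn--;
    return 0;
}

/* One accept() iteration of ksmbd_kthread_fn(): 0 accepted,
 * -ENOMEM transport allocation failed, -EMFILE rejected by the cap. */
static int kthread_accept_one(struct srv *s, bool fixed)
{
    if (s->max_connections &&
        ++s->active_num_conn >= s->max_connections) {
        /* "Limit the maximum number of connections": existing rollback */
        s->active_num_conn--;
        return -EMFILE;
    }
    /* The kernel discards this return value; kept here for inspection. */
    return tcp_new_connection(s, fixed);
}

static void force_failures(struct srv *s, bool fixed, int n)
{
    s->force_alloc_fail = true;
    for (int i = 0; i < n; i++)
        kthread_accept_one(s, fixed);
    s->force_alloc_fail = false;
}

/* Slots still held by active_num_conn after `failures` forced NULLs. */
static int slots_leaked(bool fixed, int max_connections, int failures)
{
    struct srv s = { .max_connections = max_connections };
    force_failures(&s, fixed, failures);
    return s.active_num_conn;
}

/* After `failures` forced NULLs, how many of `later` legitimate connects
 * (allocation succeeding again) are refused by the cap. */
static int simulate(bool fixed, int max_connections, int failures, int later)
{
    struct srv s = { .max_connections = max_connections };
    int rejected = 0;

    force_failures(&s, fixed, failures);
    for (int i = 0; i < later; i++)
        if (kthread_accept_one(&s, fixed) == -EMFILE)
            rejected++;
    return rejected;
}

int main(void)
{
    printf("unpatched: %d/10 later connects rejected, %d slots leaked\n",
           simulate(false, 4, 4, 10), slots_leaked(false, 4, 4));
    printf("patched:   %d/10 later connects rejected, %d slots leaked\n",
           simulate(true, 4, 4, 10), slots_leaked(true, 4, 4));
    return 0;
}
```

Build with `cc -std=c11 -Wall model.c && ./a.out`. With a cap of 4, the unpatched run shows every later legitimate connect refused and the counter stuck at the cap, even though allocation succeeds again; the patched run shows zero refusals and the counter back at zero, matching the "cycles cleanly between zero and one" observation in the commit message.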

CVSS v3.1 Vector Breakdown

Exploitability
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact
Confidentiality: None
Integrity: None
Availability: High
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Vendors & Products

Linux: 1 product (linux kernel)
Source: NVD CPE · 2 total CPE entries

Exploit & PoC Resources

No known exploit: no public exploit confirmed at this time.

Official Patches & Advisories

All References (5)

Quick Facts

CVE ID: CVE-2026-31711
CVSS Score: 7.5 / 10
Severity: HIGH
CISA KEV: No
EPSS (30d): 0.19%
Affected: 1 vendor
Published: May 1, 2026

Recommended Actions

  • Update to a kernel that carries the fix ("smb: server: fix active_num_conn leak on transport allocation failure"), or backport it; the change adds the missing decrement of active_num_conn on the alloc_transport() failure path.
  • Until patched, restrict who can reach TCP port 445 on hosts running ksmbd (firewall, management network or VPN only), since the trigger requires nothing more than a TCP connect.
  • Watch kernel logs for repeated "Limit the maximum number of connections" messages while legitimate clients are being refused; that is the signature of an exhausted connection pool. Reloading the ksmbd module resets active_num_conn and restores service as a stopgap until the fix is deployed.
  • Track CVE-2026-31711 in threat intel feeds and CISA KEV; EPSS is currently 0.19% and no public exploit is confirmed, so exposure is driven mainly by whether ksmbd is reachable from untrusted networks.
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.