FKIE_CVE-2026-31610

Vulnerability from fkie_nvd - Published: 2026-04-24 15:16 - Updated: 2026-04-24 17:51
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix mechToken leak when SPNEGO decode fails after token alloc The kernel ASN.1 BER decoder calls action callbacks incrementally as it walks the input. When ksmbd_decode_negTokenInit() reaches the mechToken [2] OCTET STRING element, ksmbd_neg_token_alloc() allocates conn->mechToken immediately via kmemdup_nul(). If a later element in the same blob is malformed, then the decoder will return nonzero after the allocation is already live. This could happen if mechListMIC [3] overrunse the enclosing SEQUENCE. decode_negotiation_token() then sets conn->use_spnego = false because both the negTokenInit and negTokenTarg grammars failed. The cleanup at the bottom of smb2_sess_setup() is gated on use_spnego: if (conn->use_spnego && conn->mechToken) { kfree(conn->mechToken); conn->mechToken = NULL; } so the kfree is skipped, causing the mechToken to never be freed. This codepath is reachable pre-authentication, so untrusted clients can cause slow memory leaks on a server without even being properly authenticated. Fix this up by not checking check for use_spnego, as it's not required, so the memory will always be properly freed. At the same time, always free the memory in ksmbd_conn_free() incase some other failure path forgot to free it.
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/269c800a7a7e363459291885b35f7bc72e231ed6
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/6c8c44e6553b9f072f62d9875e567766eb293162
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/dd53414e301beb915fe672dc4c4a51bafb917604
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/dd577cb55588ec3fbc66af3621280306601c4192
Impacted products
Vendor Product Version
To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix mechToken leak when SPNEGO decode fails after token alloc\n\nThe kernel ASN.1 BER decoder calls action callbacks incrementally as it\nwalks the input.  When ksmbd_decode_negTokenInit() reaches the mechToken\n[2] OCTET STRING element, ksmbd_neg_token_alloc() allocates\nconn-\u003emechToken immediately via kmemdup_nul().  If a later element in\nthe same blob is malformed, then the decoder will return nonzero after\nthe allocation is already live.  This could happen if mechListMIC [3]\noverrunse the enclosing SEQUENCE.\n\ndecode_negotiation_token() then sets conn-\u003euse_spnego = false because\nboth the negTokenInit and negTokenTarg grammars failed.  The cleanup at\nthe bottom of smb2_sess_setup() is gated on use_spnego:\n\n\tif (conn-\u003euse_spnego \u0026\u0026 conn-\u003emechToken) {\n\t\tkfree(conn-\u003emechToken);\n\t\tconn-\u003emechToken = NULL;\n\t}\n\nso the kfree is skipped, causing the mechToken to never be freed.\n\nThis codepath is reachable pre-authentication, so untrusted clients can\ncause slow memory leaks on a server without even being properly\nauthenticated.\n\nFix this up by not checking check for use_spnego, as it\u0027s not required,\nso the memory will always be properly freed.  At the same time, always\nfree the memory in ksmbd_conn_free() incase some other failure path\nforgot to free it."
    }
  ],
  "id": "CVE-2026-31610",
  "lastModified": "2026-04-24T17:51:40.810",
  "metrics": {},
  "published": "2026-04-24T15:16:40.257",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/269c800a7a7e363459291885b35f7bc72e231ed6"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/6c8c44e6553b9f072f62d9875e567766eb293162"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/dd53414e301beb915fe672dc4c4a51bafb917604"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/dd577cb55588ec3fbc66af3621280306601c4192"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Awaiting Analysis"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.