GHSA-G5HW-V48Q-45PV

Vulnerability from github – Published: 2026-04-24 15:32 – Updated: 2026-04-24 15:32
VLAI?
Details

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: fix mechToken leak when SPNEGO decode fails after token alloc

The kernel ASN.1 BER decoder calls action callbacks incrementally as it walks the input. When ksmbd_decode_negTokenInit() reaches the mechToken [2] OCTET STRING element, ksmbd_neg_token_alloc() allocates conn->mechToken immediately via kmemdup_nul(). If a later element in the same blob is malformed, then the decoder will return nonzero after the allocation is already live. This could happen if mechListMIC [3] overrunse the enclosing SEQUENCE.

decode_negotiation_token() then sets conn->use_spnego = false because both the negTokenInit and negTokenTarg grammars failed. The cleanup at the bottom of smb2_sess_setup() is gated on use_spnego:

if (conn->use_spnego && conn->mechToken) {
    kfree(conn->mechToken);
    conn->mechToken = NULL;
}

so the kfree is skipped, causing the mechToken to never be freed.

This codepath is reachable pre-authentication, so untrusted clients can cause slow memory leaks on a server without even being properly authenticated.

Fix this up by not checking check for use_spnego, as it's not required, so the memory will always be properly freed. At the same time, always free the memory in ksmbd_conn_free() incase some other failure path forgot to free it.

Show details on source website
To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2026-31610"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-24T15:16:40Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix mechToken leak when SPNEGO decode fails after token alloc\n\nThe kernel ASN.1 BER decoder calls action callbacks incrementally as it\nwalks the input.  When ksmbd_decode_negTokenInit() reaches the mechToken\n[2] OCTET STRING element, ksmbd_neg_token_alloc() allocates\nconn-\u003emechToken immediately via kmemdup_nul().  If a later element in\nthe same blob is malformed, then the decoder will return nonzero after\nthe allocation is already live.  This could happen if mechListMIC [3]\noverrunse the enclosing SEQUENCE.\n\ndecode_negotiation_token() then sets conn-\u003euse_spnego = false because\nboth the negTokenInit and negTokenTarg grammars failed.  The cleanup at\nthe bottom of smb2_sess_setup() is gated on use_spnego:\n\n\tif (conn-\u003euse_spnego \u0026\u0026 conn-\u003emechToken) {\n\t\tkfree(conn-\u003emechToken);\n\t\tconn-\u003emechToken = NULL;\n\t}\n\nso the kfree is skipped, causing the mechToken to never be freed.\n\nThis codepath is reachable pre-authentication, so untrusted clients can\ncause slow memory leaks on a server without even being properly\nauthenticated.\n\nFix this up by not checking check for use_spnego, as it\u0027s not required,\nso the memory will always be properly freed.  At the same time, always\nfree the memory in ksmbd_conn_free() incase some other failure path\nforgot to free it.",
  "id": "GHSA-g5hw-v48q-45pv",
  "modified": "2026-04-24T15:32:35Z",
  "published": "2026-04-24T15:32:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31610"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/269c800a7a7e363459291885b35f7bc72e231ed6"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6c8c44e6553b9f072f62d9875e567766eb293162"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/dd53414e301beb915fe672dc4c4a51bafb917604"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/dd577cb55588ec3fbc66af3621280306601c4192"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.