HIGH
ksmbd Binding State Corruption
CVE-2026-31409
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI: 6.5 MEDIUM
01 Description
In the Linux kernel, the following vulnerability has been resolved:

ksmbd: unset conn->binding on failed binding request

When a multichannel SMB2_SESSION_SETUP request with SMB2_SESSION_REQ_FLAG_BINDING fails, ksmbd sets conn->binding = true but never clears it on the error path. This leaves the connection in a binding state where all subsequent ksmbd_session_lookup_all() calls fall back to the global sessions table.

Fix this by clearing conn->binding = false in the error path.
02 KernelScan AI Analysis
Risk summary
SMB servers running ksmbd with multichannel support are vulnerable to denial of service attacks. Remote authenticated users can trigger failed binding requests that corrupt connection state, causing subsequent session lookups to fail and potentially disrupting SMB service availability.
Vulnerability analysis
The vulnerability occurs in ksmbd's SMB3 multichannel implementation where a failed SMB2_SESSION_SETUP request with SMB2_SESSION_REQ_FLAG_BINDING sets conn->binding = true but fails to clear it on the error path. This leaves the connection permanently in a binding state, causing all subsequent ksmbd_session_lookup_all() calls to incorrectly fall back to the global sessions table instead of using the proper per-connection session lookup. The fix adds conn->binding = false in the error handling path to properly reset the connection state. This is a network-reachable vulnerability requiring SMB authentication but no special privileges beyond valid SMB credentials.
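The state bug described above, reduced to a small C model (an added example, not ksmbd source or the upstream patch). Every struct and function name other than the `binding` flag is hypothetical, and the session table is constructed sample data.

```c
/* Simplified model, NOT ksmbd source; names other than `binding` are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct session { uint64_t id; };
/* Constructed data: 0x10 is registered on our connection, 0x20 is not. */
static struct session global_table[] = { { 0x10 }, { 0x20 } };
struct conn {
    bool binding;               /* true while a binding request is handled */
    const struct session *own;  /* session registered on this connection */
};

static const struct session *lookup_global(uint64_t id)
{
    for (size_t i = 0; i < sizeof(global_table) / sizeof(global_table[0]); i++)
        if (global_table[i].id == id)
            return &global_table[i];
    return NULL;
}

/* Per-connection lookup first; global fallback only while binding. */
static const struct session *lookup_all(const struct conn *c, uint64_t id)
{
    if (c->own && c->own->id == id)
        return c->own;
    return c->binding ? lookup_global(id) : NULL;
}

/* A binding request whose validation fails; `patched` selects the fix. */
static int failed_binding_setup(struct conn *c, bool patched)
{
    c->binding = true;
    if (patched)
        c->binding = false;     /* the fix: reset state on the error path */
    return -1;
}

/* After a failed binding, does a later lookup still reach the global table? */
static bool stale_global_fallback(bool patched)
{
    struct conn c = { .binding = false, .own = &global_table[0] };
    failed_binding_setup(&c, patched);
    return lookup_all(&c, 0x20) != NULL;
}

int main(void)
{
    printf("unpatched=%d patched=%d\n", stale_global_fallback(false), stale_global_fallback(true));
    return 0;
}
```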
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 5.15 | 5.15.209 | 7e8b27081307 |
| 6.1 | 6.1.167 | d073870dab8f |
| 6.6 | 6.6.130 | 6ebef4a220a1 |
| 6.12 | 6.12.78 | 89afe5e2dbea |
| 6.18 | 6.18.20 | 9feb2d1bf86d |
| 6.19 | 6.19.10 | 6260fc85ed12 |
| mainline | 7.0 | 282343cf8a4a |