KernelScan.io

HIGH

ksmbd Session Binding DoS

CVE-2026-31476

CVSS 8.2 / 10.0 NVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

KernelScan AI 7.5 HIGH

01

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: do not expire session on binding failure

When a multichannel session binding request fails (e.g. wrong password), the error path unconditionally sets sess->state = SMB2_SESSION_EXPIRED. However, during binding, sess points to the target session looked up via ksmbd_session_lookup_slowpath() -- which belongs to another connection's user. This allows a remote attacker to invalidate any active session by simply sending a binding request with a wrong password (DoS).

Fix this by skipping session expiration when the failed request was a binding attempt, since the session does not belong to the current connection. The reference taken by ksmbd_session_lookup_slowpath() is still correctly released via ksmbd_user_session_put().

02

Engine v0.2.0

Risk summary

Remote attackers can invalidate any active SMB session by sending a multichannel binding request with wrong credentials. Because the attacker does not need to authenticate, this is a denial of service against legitimate users. Systems running the ksmbd SMB server with multichannel support are affected.

Affected: fs/smb/server/smb2pdu.c (ksmbd)

Vulnerability analysis

The vulnerability occurs in ksmbd's SMB2 session setup error handling. When a multichannel binding request fails authentication, the code unconditionally expires the session by setting sess->state = SMB2_SESSION_EXPIRED. However, during binding attempts, sess points to an existing session from another connection looked up via ksmbd_session_lookup_slowpath(), not the current connection's session. This allows attackers to target and expire arbitrary active sessions. The fix adds a check for the SMB2_SESSION_REQ_FLAG_BINDING flag to skip session expiration during failed binding attempts, since the session belongs to a different connection and should not be affected by the current connection's authentication failure.
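The error path described above, as a simplified user-space model added here for illustration; it is not the kernel's code or the upstream patch. The struct layout, the helper names (lookup_slowpath, session_put, setup_error_path, state_after_failed_setup), the numeric constants and the session id 0x1001 are assumptions; only sess->state, SMB2_SESSION_EXPIRED and SMB2_SESSION_REQ_FLAG_BINDING are names taken from the page.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Names follow the advisory; numeric values and layout are model assumptions. */
enum { SMB2_SESSION_EXPIRED = 0, SMB2_SESSION_VALID = 2 };
#define SMB2_SESSION_REQ_FLAG_BINDING 0x01
struct session { uint64_t id; int state; int refs; };

/* Stand-in for ksmbd_session_lookup_slowpath(): global lookup that takes a
 * reference, so it can return a session created on another connection. */
static struct session *lookup_slowpath(struct session *global, uint64_t id)
{
    if (global->id != id)
        return NULL;
    global->refs++;
    return global;
}

/* Stand-in for ksmbd_user_session_put(): drop the lookup reference. */
static void session_put(struct session *sess) { if (sess) sess->refs--; }

/* Error path of a failed session setup; patched=false is the pre-fix logic. */
static void setup_error_path(struct session *sess, uint8_t flags, bool patched)
{
    bool binding = (flags & SMB2_SESSION_REQ_FLAG_BINDING) != 0;
    /* Fix: a failed binding must not expire a session it does not own. */
    if (sess && !(patched && binding))
        sess->state = SMB2_SESSION_EXPIRED;
    session_put(sess);  /* the reference is released in both variants */
}

/* Run one failed setup against a constructed, established session (id 0x1001)
 * and return its final state, or -1 if the lookup reference leaked. */
int state_after_failed_setup(uint8_t flags, bool patched)
{
    struct session s = { .id = 0x1001, .state = SMB2_SESSION_VALID, .refs = 1 };
    struct session *sess = lookup_slowpath(&s, 0x1001);
    setup_error_path(sess, flags, patched);
    return s.refs == 1 ? s.state : -1;
}

int main(void)
{
    printf("pre-fix, binding:     %d\n", state_after_failed_setup(SMB2_SESSION_REQ_FLAG_BINDING, false));
    printf("patched, binding:     %d\n", state_after_failed_setup(SMB2_SESSION_REQ_FLAG_BINDING, true));
    printf("patched, non-binding: %d\n", state_after_failed_setup(0, true));
    return 0;
}
```

In the model, a failed non-binding setup still expires the session in both variants, which matches the page's statement that only failed binding attempts skip expiration.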

03

| Branch | Fixed in | Patch commit |
|---|---|---|
| 5.15 | 5.15.209 | 4642ea35c03c |
| 6.1 | 6.1.168 | f5300690c23c |
| 6.12 | 6.12.80 | 1d1888b4a7ae |
| 6.18 | 6.18.21 | a897064a4570 |
| 6.19 | 6.19.11 | e0e5edc81b24 |
| 6.6 | 6.6.131 | 6fafc4c4238e |
| mainline | 7.0 | 9bbb19d21ded |