Severity: CRITICAL
smb RdmaCompletion UAF
CVE-2026-31536
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
KernelScan AI score: 8.3 (HIGH)
01 Description

In the Linux kernel, the following vulnerability has been resolved:

smb: server: let send_done handle a completion without IB_SEND_SIGNALED

With smbdirect_send_batch processing we likely have requests without IB_SEND_SIGNALED, which will be destroyed in the final request that has IB_SEND_SIGNALED set. If the connection is broken all requests are signaled even without explicit IB_SEND_SIGNALED.
02 KernelScan AI Analysis
Risk summary
A use-after-free vulnerability in the Linux kernel SMB server's RDMA transport layer can be triggered by an authenticated SMB client when an RDMA connection fails during batched send operations. This affects systems running SMB servers with RDMA support, potentially leading to information disclosure, kernel memory corruption, and system crashes.
Vulnerability analysis
The vulnerability exists in the send_done() completion handler for SMB Direct over RDMA. During batched RDMA send processing, intermediate requests lack the IB_SEND_SIGNALED flag and are intended to be cleaned up by the final signaled request. When a connection breaks, all outstanding requests receive completions even without IB_SEND_SIGNALED. The original code incorrectly freed the shared send I/O memory in send_done() for these unsignaled 'sibling' requests, causing a use-after-free when ib_drain_qp() or subsequent completion handlers access the same memory. The fix adds a check to skip the premature free for unsignaled completions on error paths. An authenticated SMB client connected over RDMA can trigger this by inducing a connection break during I/O operations.
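The lifetime rule in the analysis above (siblings without IB_SEND_SIGNALED are torn down by the final signaled request, but a broken connection completes every request) is easier to see in a small model. The following C program is an added illustration, not ksmbd or Linux kernel code: every struct and function name in it is hypothetical, only the flag name IB_SEND_SIGNALED and the ownership rule come from the advisory. It runs the same batch of requests through a handler modelled on the original behaviour and through one that applies the described fix (skip the free for an unsignaled completion on an error path), and counts accesses after free and double frees instead of letting them crash.

```c
#include <stdbool.h>
#include <stdio.h>

/* Model of the batched-send lifetime rule. Added illustration, not
 * kernel code: all names are hypothetical except the IB_SEND_SIGNALED
 * flag referenced in the advisory. */

#define MODEL_MAX_BATCH 8

/* Send I/O state shared by every request of one batch. 'live' stands in
 * for the allocation being valid; 'faults' counts accesses after free
 * and double frees so the bug can be observed without crashing. */
struct model_send_io {
    bool live;
    int faults;
};

struct model_req {
    bool signaled;              /* IB_SEND_SIGNALED set on this work request */
    struct model_send_io *io;   /* shared state owned by the whole batch */
};

enum model_wc_status { MODEL_WC_SUCCESS, MODEL_WC_ERROR };

static void io_touch(struct model_send_io *io)
{
    /* the completion handler reads the shared state before acting on it */
    if (!io->live)
        io->faults++;           /* use after free */
}

static void io_free(struct model_send_io *io)
{
    if (!io->live)
        io->faults++;           /* double free */
    io->live = false;
}

/* Completion handler. With 'fixed' set, an unsignaled sibling completing
 * on an error path leaves the shared I/O alone: the final signaled
 * request owns the teardown. Without it, every completion frees. */
static void model_send_done(struct model_req *req, enum model_wc_status status,
                            bool fixed)
{
    io_touch(req->io);
    if (fixed && status != MODEL_WC_SUCCESS && !req->signaled)
        return;                 /* teardown belongs to the signaled request */
    io_free(req->io);
}

/* Post batch_len requests sharing one I/O, then deliver completions:
 * only the signaled (last) request on a healthy connection, every
 * request when the connection breaks. Returns the fault count, or -1
 * for an invalid batch length. */
int model_run(bool fixed, bool connection_broken, int batch_len)
{
    struct model_send_io io = { .live = true, .faults = 0 };
    struct model_req batch[MODEL_MAX_BATCH];
    int i;

    if (batch_len < 1 || batch_len > MODEL_MAX_BATCH)
        return -1;

    for (i = 0; i < batch_len; i++) {
        batch[i].signaled = (i == batch_len - 1);   /* only the last is signaled */
        batch[i].io = &io;
    }

    for (i = 0; i < batch_len; i++) {
        if (connection_broken)
            model_send_done(&batch[i], MODEL_WC_ERROR, fixed);
        else if (batch[i].signaled)
            model_send_done(&batch[i], MODEL_WC_SUCCESS, fixed);
    }
    return io.faults;
}

int main(void)
{
    printf("healthy connection, original handler: %d faults\n", model_run(false, false, 3));
    printf("broken connection, original handler:  %d faults\n", model_run(false, true, 3));
    printf("broken connection, fixed handler:     %d faults\n", model_run(true, true, 3));
    return 0;
}
```

On a healthy connection both handlers behave identically, which is why the defect only surfaces when the connection breaks: the first unsignaled sibling frees the shared state, and every later completion in the batch (including the signaled one) touches and frees it again, giving two faults per remaining request.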
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.18 | 6.18.11 | 24082642654f |
| 6.19 | 6.19.1 | e38b415c024b |
| mainline | 7.0 | 9da82dc73cb0 |