CVE-2026-31539: smb Credits Race
Severity: HIGH
CVSS: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
KernelScan AI score: 6.2 (MEDIUM)
Description
In the Linux kernel, the following vulnerability has been resolved:

smb: smbdirect: introduce smbdirect_socket.recv_io.credits.available

The logic of managing recv credits by counting posted recv_io and granted credits is racy. That's because the peer might already have consumed a credit, but between receiving the incoming recv at the hardware and processing the completion in the 'recv_done' functions we likely have a window where we grant credits which don't really exist. So we better have a dedicated counter for the available credits, which will be incremented when we post new recv buffers and drained when we grant the credits to the peer.
KernelScan AI Analysis
Risk summary
A race condition in SMB Direct credit management allows an authenticated peer to corrupt protocol state. This could lead to protocol deadlocks or kernel instability on systems using SMB Direct over RDMA networks.
Vulnerability analysis
The vulnerability stems from a race condition between hardware receiving SMB Direct messages and software processing completions in the common SMB Direct socket layer (used by both client and server). The original code separately tracked posted recv_io messages and granted credits, creating a window where credits could be granted that don't actually exist. The fix introduces a dedicated atomic counter for available credits that is updated when buffers are posted and drained when credits are granted, eliminating the race condition. This affects SMB Direct implementations accessible over RDMA networks.
Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.18 | 6.18.11 | e811e60e1cc7 |
| 6.19 | 6.19.1 | f99996870222 |
| mainline | 7.0 | 6e3c5052f968 |
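An added check, not part of the advisory or the Linux kernel project: a POSIX shell function (its name is this example's own) that maps a kernel release string to the fix table above, reporting "unknown" for branches the table does not cover.

```shell
#!/bin/sh
# Added example, not from the advisory or the Linux kernel project: map a kernel
# release string to the fix table for CVE-2026-31539 (6.18 -> 6.18.11,
# 6.19 -> 6.19.1, mainline -> 7.0). Distribution kernels often backport fixes
# without changing the version, so "vulnerable" means "check the distro
# changelog", not confirmed exposure. Branches not in the table print "unknown".

cve_2026_31539_status() {
    rel="$1"
    # Keep the leading dotted numeric part: "6.18.10-arch1-1" -> "6.18.10".
    # A "-rcN" suffix is dropped, so an rc is treated like the final release.
    ver=${rel%%[!0-9.]*}
    major=$(printf '%s\n' "$ver" | cut -d. -f1)
    minor=$(printf '%s\n' "$ver" | cut -s -d. -f2)   # empty when absent
    patch=$(printf '%s\n' "$ver" | cut -s -d. -f3)
    minor=${minor:-0}
    patch=${patch:-0}

    # Bail out on anything that is not a numeric kernel version.
    case "$major" in ''|*[!0-9]*) echo unknown; return 0;; esac

    if [ "$major" -ge 7 ]; then
        echo fixed                       # mainline 7.0 and later
    elif [ "$major" -eq 6 ] && [ "$minor" -eq 19 ]; then
        if [ "$patch" -ge 1 ]; then echo fixed; else echo vulnerable; fi
    elif [ "$major" -eq 6 ] && [ "$minor" -eq 18 ]; then
        if [ "$patch" -ge 11 ]; then echo fixed; else echo vulnerable; fi
    else
        echo unknown                     # branch not covered by the table
    fi
}

# Usage: report the running kernel.
echo "$(uname -r): $(cve_2026_31539_status "$(uname -r)")"
```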