CRITICAL
smb server RDMA Double-Free
CVE-2026-31608
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
KernelScan AI score: 9.8 CRITICAL
01 Description
In the Linux kernel, the following vulnerability has been resolved:

smb: server: avoid double-free in smb_direct_free_sendmsg after smb_direct_flush_send_list()

smb_direct_flush_send_list() already calls smb_direct_free_sendmsg(), so we should not call it again after post_sendmsg() moved it to the batch list.
02 KernelScan AI Analysis
Risk summary
A critical double-free vulnerability in the kernel SMB server's RDMA transport layer could allow remote attackers to cause memory corruption, potentially leading to denial of service or arbitrary code execution. The double free is reached when an SMB Direct connection hits specific error conditions while sending a message, so it is exploitable by any client capable of establishing an SMB over RDMA connection.
Vulnerability analysis
Root Cause: The smb_direct_post_send_data() function contains a double-free vulnerability in which smb_direct_free_sendmsg() is called twice on the same message structure. The first free happens inside smb_direct_flush_send_list() (reached when send_ctx points at the local _send_ctx); the second happens in the error-handling path at the 'err' label, even though post_sendmsg() had already moved the message to the batch list and the flush had already freed it.
Attack Surface: This vulnerability affects SMB Direct (SMB over RDMA) connections to the kernel SMB server. It requires network access to establish SMB Direct connections, typically over InfiniBand or RoCE networks. The vulnerability is triggered during RDMA send operations when error conditions occur during message batching.
Fix Mechanism: The patch adds a new error label 'flush_failed' that bypasses the smb_direct_free_sendmsg() call when smb_direct_flush_send_list() fails. It also adds a comment clarifying that after post_sendmsg() succeeds, the message is moved to send_ctx and should not be freed explicitly. This ensures the message is only freed once, preventing the double-free condition.
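To make the ownership rule behind the fix concrete, the following is a constructed C model of the send path with both error labels; it is added here and is not ksmbd's own code. The names post_sendmsg(), flush_send_list(), free_sendmsg(), post_send_data() and the two counters are simplified stand-ins for the kernel functions named above, with instrumentation in place of real allocation so the second free is counted rather than corrupting memory.

```c
#include <stdbool.h>
/* Constructed model of the send path, not ksmbd's code: once post_sendmsg() takes
 * a message the batch in send_ctx owns it, and flush_send_list() frees the batch. */
struct sendmsg { struct sendmsg *next; bool freed; };
struct send_ctx { struct sendmsg *batch; };
static int free_calls, double_frees;   /* instrumentation in place of kfree() */
static void free_sendmsg(struct sendmsg *m)
{
    free_calls++;
    double_frees += m->freed;          /* a second free of one object: the defect */
    m->freed = true;
}
static int post_sendmsg(struct send_ctx *ctx, struct sendmsg *m, bool fail)
{
    if (fail)
        return -1;                     /* caller still owns m and must free it */
    m->next = ctx->batch;              /* ownership moves to the batch list */
    ctx->batch = m;
    return 0;
}
static int flush_send_list(struct send_ctx *ctx, bool fail)
{
    while (ctx->batch) {
        struct sendmsg *m = ctx->batch;
        ctx->batch = m->next;
        free_sendmsg(m);               /* freed here even when the flush fails */
    }
    return fail ? -1 : 0;
}
/* One send whose flush fails; fixed selects the old 'err' label or the patched
 * 'flush_failed' label. Returns the number of double frees observed. */
static int post_send_data(bool fixed, bool post_fails)
{
    struct send_ctx _send_ctx = { 0 }, *send_ctx = &_send_ctx;
    struct sendmsg msg = { 0 };
    free_calls = double_frees = 0;
    if (post_sendmsg(send_ctx, &msg, post_fails))
        goto err;                      /* msg never entered the batch: free it */
    /* msg now belongs to send_ctx and must not be freed explicitly below */
    if (flush_send_list(send_ctx, true)) {
        if (fixed)
            goto flush_failed;         /* the patch: flush already freed msg */
        goto err;                      /* the bug: msg freed a second time */
    }
    return double_frees;
err:
    free_sendmsg(&msg);
flush_failed:
    return double_frees;
}
```

The 'err' label is still correct when post_sendmsg() itself fails, because the message never changed owner; the patch only skips it once the flush has taken the message.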
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.18 | 6.18.24 | 6968c91fab05 |
| 6.19 | 6.19.14 | 2ba03f46132b |
| 7.0 | 7.0.1 | 830de6eeb9db |
| mainline | 7.1-rc1 | 84ff995ae826 |