KernelScan.io

HIGH

cifs Request Replay Uninitialized Variables

CVE-2026-31693

CVSS 7.8 / 10.0 NVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

KernelScan AI 7.8 HIGH


In the Linux kernel, the following vulnerability has been resolved:

cifs: some missing initializations on replay

In several places in the code, we have a label to signify the start of the code where a request can be replayed if necessary. However, some of these places were missing the necessary reinitializations of certain local variables before replay. This change makes sure that these variables get initialized after the label.


Engine v0.2.0

Risk summary

An attacker who can manipulate network conditions or control SMB server responses could potentially cause CIFS client operations to use uninitialized memory values during request replays, leading to unpredictable behavior, information disclosure, or system instability.

Affected: fs/smb/client

Vulnerability analysis

Summary: The CIFS client contains uninitialized variable vulnerabilities in request replay logic where local variables are not properly reinitialized when operations are retried.

Root Cause: When SMB2 operations need to be replayed (retried) due to network issues or server responses, the code jumps to replay labels but fails to reinitialize certain local variables (used_len, buffer, pc_buf) that may contain stale values from previous attempts. This violates the principle that replay operations should start with a clean state.

Attack Surface: This affects CIFS/SMB2 network file system operations. An attacker would need to trigger network conditions that cause request replays, potentially through network manipulation or by controlling SMB server responses. The vulnerability requires active CIFS mounts and network connectivity to SMB servers.

Fix Mechanism: The patch adds proper variable initialization after replay labels in three functions: smb2_set_ea() initializes used_len=0, smb2_ioctl_query_info() initializes buffer=NULL, and smb311_posix_mkdir() initializes pc_buf=NULL. This ensures variables start with known clean values on replay attempts.


Branch      Fixed in    Patch commit
6.12        6.12.75     1d731e512134
6.18        6.18.16     7c9ce68192ee
6.19        6.19.6      c99e160938b6
6.6         6.6.128     c854ab481ece
mainline    7.0         14f66f446463