CVE-2026-31535

/* * PoC Concept for CVE-2026-31535 * This is a conceptual demonstration of the race condition. * Exploiting this requires triggering SMB Direct traffic rapidly. */ #include <stdio.h> #include <stdlib.h> #include <string.h> #include <unistd.h> // Simulated credit counter logic (Vulnerable) struct vulnerable_credits { int posted_recv; int granted; }; // Simulated credit counter logic (Fixed) struct fixed_credits { int available; }; void simulate_race() { printf("[+] Simulating Race Condition in SMB Direct Credit Management\n"); // In a real scenario, threads would be manipulating these counters // while hardware interrupts signal packet reception. printf("[+] Step 1: Peer consumes credit.\n"); printf("[+] Step 2: Hardware receives packet, waits for 'recv_done'.\n"); printf("[+] Step 3: Vulnerable logic grants credit based on stale posted_recv count.\n"); printf("[+] Result: Credit inflation -> Resource Exhaustion/DoS.\n"); } int main() { simulate_race(); return 0; }

{"cve": {"id": "CVE-2026-31535", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-04-24T15:16:27.427", "lastModified": "2026-04-28T19:14:33.727", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: make use of smbdirect_socket.recv_io.credits.available\n\nThe logic off managing recv credits by counting posted recv_io and\ngranted credits is racy.\n\nThat's because the peer might already consumed a credit,\nbut between receiving the incoming recv at the hardware\nand processing the completion in the 'recv_done' functions\nwe likely have a window where we grant credits, which\ndon't really exist.\n\nSo we better have a decicated counter for the\navailable credits, which will be incremented\nwhen we posted new recv buffers and drained when\nwe grant the credits to the peer."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 4.7, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.0, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-367"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.18", "versionEndExcluding": "6.18.11", "matchCriteriaId": "1D06FE45-F85F-4F59-A12C-C72C3C580DA4"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19", "versionEndExcluding": "6.19.1", "matchCriteriaId": "EE543C0D-A06B-414F-A403-CB1E088F261E"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/9911b1ed187a770a43950bf51f340ad4b7beecba", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/be8845ad5d6558703d20567d8702155598325db8", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/f664e6e8a81103cb45c8802a9bc7499e0902c458", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}