CVE-2026-31538

Source
https://cve.org/CVERecord?id=CVE-2026-31538
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-31538.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-31538
Downstream
Published
2026-04-24T14:30:25.598Z
Modified
2026-07-08T08:00:04.015094964Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
smb: server: make use of smbdirect_socket.recv_io.credits.available
Details

In the Linux kernel, the following vulnerability has been resolved:

smb: server: make use of smbdirectsocket.recvio.credits.available

The logic off managing recv credits by counting posted recv_io and granted credits is racy.

That's because the peer might already consumed a credit, but between receiving the incoming recv at the hardware and processing the completion in the 'recv_done' functions we likely have a window where we grant credits, which don't really exist.

So we better have a decicated counter for the available credits, which will be incremented when we posted new recv buffers and drained when we grant the credits to the peer.

This fixes regression Namjae reported with the 6.18 release.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31538.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
89b021a72663c4d96d8a8b85272bb42d991a1c6f
Fixed
66c082e3d4651e8629a393a9e182b01eb50fb0a3
Fixed
809cbd31aa4f87a1b889532244c9cf30eb022385
Fixed
26ad87a2cfb8c1384620d1693a166ed87303046e

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-31538.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.18.0
Fixed
6.18.11
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
6.19.1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-31538.json"