CVE-2026-31409 PUBLISHED

ksmbd: unset conn->binding on failed binding request

Assigner: Linux
Reserved: 09.03.2026 Published: 06.04.2026 Updated: 06.04.2026

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: unset conn->binding on failed binding request

When a multichannel SMB2_SESSION_SETUP request with SMB2_SESSION_REQ_FLAG_BINDING fails, ksmbd sets conn->binding = true but never clears it on the error path. This leaves the connection in a binding state where all subsequent ksmbd_session_lookup_all() calls fall back to the global sessions table. Fix it by clearing conn->binding = false in the error path.
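The state bug described above, as a user-space C model added here for illustration. It is not ksmbd source: every type and function name in it is a hypothetical stand-in, and it assumes the lookup checks the connection's own sessions first and consults the global table only while the binding flag is set.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
/* User-space model; all names are hypothetical stand-ins, not ksmbd source. */
#define SLOTS 4
struct session { uint64_t id; };
struct conn { bool binding; struct session *own[SLOTS]; };
static struct session *global_table[SLOTS];   /* models the global sessions table */

static struct session *find(struct session **t, uint64_t id)
{
    for (int i = 0; i < SLOTS; i++)
        if (t[i] && t[i]->id == id)
            return t[i];
    return NULL;
}

/* Per-connection lookup first; global fallback only while binding is set. */
struct session *lookup_all(struct conn *c, uint64_t id)
{
    struct session *s = find(c->own, id);
    if (!s && c->binding)
        s = find(global_table, id);
    return s;
}

/* Binding session setup that fails (constructed: it always fails). */
int failed_binding_setup(struct conn *c, bool clear_on_error)
{
    c->binding = true;              /* set when the binding flag is seen */
    if (clear_on_error)
        c->binding = false;         /* error-path reset described in the record */
    return -1;
}

/* True if a session this connection does not own still resolves afterwards. */
bool foreign_session_visible(bool clear_on_error)
{
    static struct session other = { .id = 0x1001 };   /* constructed id */
    struct conn c = { 0 };
    global_table[0] = &other;
    failed_binding_setup(&c, clear_on_error);
    return lookup_all(&c, other.id) != NULL;
}

int main(void)
{
    printf("unfixed=%d fixed=%d\n", foreign_session_visible(false), foreign_session_visible(true));
    return 0;
}
```

Without the error-path reset the flag stays set after the failed request, so the model's lookup keeps reaching the global table; with the reset, the lookup stays scoped to the connection.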

Product Status

Vendor Linux
Product Linux
Versions Default: unaffected
  • affected from 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 to d073870dab8f6dadced81d13d273ff0b21cb7f4e (excl.)
  • affected from 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 to 6ebef4a220a1ebe345de899ebb9ae394206fe921 (excl.)
  • affected from 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 to 89afe5e2dbea6e9d8e5f11324149d06fa3a4efca (excl.)
  • affected from 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 to 9feb2d1bf86d9e5e66b8565f37f8d3a7d281a772 (excl.)
  • affected from 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 to 6260fc85ed1298a71d24a75d01f8b2e56d489a60 (excl.)
  • affected from 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 to 282343cf8a4a5a3603b1cb0e17a7083e4a593b03 (excl.)
Vendor Linux
Product Linux
Versions Default: affected
  • unaffected from 6.1.167 to 6.1.* (incl.)
  • unaffected from 6.6.130 to 6.6.* (incl.)
  • unaffected from 6.12.78 to 6.12.* (incl.)
  • unaffected from 6.18.20 to 6.18.* (incl.)
  • unaffected from 6.19.10 to 6.19.* (incl.)
  • unaffected from 7.0-rc5 to * (incl.)

References