CVSS: 9.8EPSS: 0%CPEs: 5EXPL: 0CVE-2026-31718 – ksmbd: fix use-after-free in __ksmbd_close_fd() via durable scavenger
https://notcve.org/view.php?id=CVE-2026-31718
01 May 2026 — In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free in __ksmbd_close_fd() via durable scavenger When a durable file handle survives session disconnect (TCP close without SMB2_LOGOFF), session_fd_check() sets fp->conn = NULL to preserve the handle for later reconnection. • https://git.kernel.org/stable/c/c8efcc786146a951091588e5fa7e3c754850cb3c • CWE-416: Use After Free •
CVSS: 8.8EPSS: 0%CPEs: 4EXPL: 0CVE-2026-31717 – ksmbd: validate owner of durable handle on reconnect
https://notcve.org/view.php?id=CVE-2026-31717
01 May 2026 — In the Linux kernel, the following vulnerability has been resolved: ksmbd: validate owner of durable handle on reconnect Currently, ksmbd does not verify if the user attempting to reconnect to a durable handle is the same user who originally opened the file. This allows any authenticated user to hijack an orphaned durable handle by predicting or brute-forcing the persistent ID. • https://git.kernel.org/stable/c/c8efcc786146a951091588e5fa7e3c754850cb3c •
CVSS: 7.8EPSS: 0%CPEs: 5EXPL: 0CVE-2026-31716 – fs/ntfs3: validate rec->used in journal-replay file record check
https://notcve.org/view.php?id=CVE-2026-31716
01 May 2026 — In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: validate rec->used in journal-replay file record check check_file_record() validates rec->total against the record size but never validates rec->used. • https://git.kernel.org/stable/c/b46acd6a6a627d876898e1c84d3f84902264b445 • CWE-787: Out-of-bounds Write •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2026-31715 – f2fs: fix UAF caused by decrementing sbi->nr_pages[] in f2fs_write_end_io()
https://notcve.org/view.php?id=CVE-2026-31715
01 May 2026 — In the Linux kernel, the following vulnerability has been resolved: f2fs: fix UAF caused by decrementing sbi->nr_pages[] in f2fs_write_end_io() The xfstests case "generic/107" and syzbot have both reported a NULL pointer dereference. • https://git.kernel.org/stable/c/50fa53eccf9f911a5b435248a2b0bd484fd82e5e • CWE-416: Use After Free •
CVSS: 5.5EPSS: 0%CPEs: 7EXPL: 0CVE-2026-31714 – f2fs: fix to avoid memory leak in f2fs_rename()
https://notcve.org/view.php?id=CVE-2026-31714
01 May 2026 — backtrace (crc 925f8a80): kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline] slab_post_alloc_hook mm/slub.c:4520 [inline] slab_alloc_node mm/slub.c:4844 [inline] __do_kmalloc_node mm/slub.c:5237 [inline] __kmalloc_noprof+0x3bd/0x560 mm/slub.c:5250 kmalloc_noprof include/linux/slab.h:954 [inline] fscrypt_setup_filename+0x15e/0x3b0 fs/crypto/fname.c:364 f2fs_setup_filename+0x52/0xb0 fs/f2fs/dir.c:143 f2fs_rename+0x159/0xca0 fs/f2fs/namei.c:961 f2fs_rename2+0xd5/0xf20 fs/f2fs/namei.c:1... • https://git.kernel.org/stable/c/7525dec4b34c80b3015c3f2ac143fd2bfc1febc3 • CWE-401: Missing Release of Memory after Effective Lifetime •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2026-31713 – fuse: abort on fatal signal during sync init
https://notcve.org/view.php?id=CVE-2026-31713
01 May 2026 — In the Linux kernel, the following vulnerability has been resolved: fuse: abort on fatal signal during sync init When sync init is used and the server exits for some reason (error, crash) while processing FUSE_INIT, the filesystem creation will hang. • https://git.kernel.org/stable/c/dfb84c33079497bf27058b15780e1c7bba4c371b •
CVSS: 8.3EPSS: 0%CPEs: 4EXPL: 0CVE-2026-31712 – ksmbd: require minimum ACE size in smb_check_perm_dacl()
https://notcve.org/view.php?id=CVE-2026-31712
01 May 2026 — In the Linux kernel, the following vulnerability has been resolved: ksmbd: require minimum ACE size in smb_check_perm_dacl() Both ACE-walk loops in smb_check_perm_dacl() only guard against an under-sized remaining buffer, not against an ACE whose declared `ace->size` is smaller than the struct it claims to describe: if (offsetof(struct smb_ace, access_req) > aces_size) break; ace_size = le16_to_cpu(ace->size); if (ace_size > aces_size) break; The first check only requires the 4-byte ACE header to be ... • https://git.kernel.org/stable/c/e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9 • CWE-787: Out-of-bounds Write •
CVSS: 7.5EPSS: 0%CPEs: 7EXPL: 0CVE-2026-31711 – smb: server: fix active_num_conn leak on transport allocation failure
https://notcve.org/view.php?id=CVE-2026-31711
01 May 2026 — In the Linux kernel, the following vulnerability has been resolved: smb: server: fix active_num_conn leak on transport allocation failure Commit 77ffbcac4e56 ("smb: server: fix leak of active_num_conn in ksmbd_tcp_new_connection()") addressed the kthread_run() failure path. • https://git.kernel.org/stable/c/0d0d4680db22eda1eea785c47bbf66a9b33a8b16 • CWE-401: Missing Release of Memory after Effective Lifetime •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2026-31710 – smb: client: fix dir separator in SMB1 UNIX mounts
https://notcve.org/view.php?id=CVE-2026-31710
01 May 2026 — In the Linux kernel, the following vulnerability has been resolved: smb: client: fix dir separator in SMB1 UNIX mounts When calling cifs_mount_get_tcon() with SMB1 UNIX mounts, @cifs_sb->mnt_cifs_flags needs to be read or updated only after calling reset_cifs_unix_caps(), otherwise it might end up with missing CIFS_MOUNT_POSIXACL and CIFS_MOUNT_POSIX_PATHS bits. • https://git.kernel.org/stable/c/4fc3a433c13944ee5766ec5b9bf6f1eb4d29b880 •
CVSS: 8.8EPSS: 0%CPEs: 3EXPL: 0CVE-2026-31709 – smb: client: validate the whole DACL before rewriting it in cifsacl
https://notcve.org/view.php?id=CVE-2026-31709
01 May 2026 — In the Linux kernel, the following vulnerability has been resolved: smb: client: validate the whole DACL before rewriting it in cifsacl build_sec_desc() and id_mode_to_cifs_acl() derive a DACL pointer from a server-supplied dacloffset and then use the incoming ACL to rebuild the chmod/chown security descriptor. • https://git.kernel.org/stable/c/bc3e9dd9d104ca1b75644eab87b38ce8a924aef4 •