{ "public_date" : "2026-04-22T00:00:00Z", "bugzilla" : { "description" : "kernel: ksmbd: fix use-after-free and NULL deref in smb_grant_oplock()", "id" : "2460707", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2460707" }, "cwe" : "CWE-476", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nksmbd: fix use-after-free and NULL deref in smb_grant_oplock()\nsmb_grant_oplock() has two issues in the oplock publication sequence:\n1) opinfo is linked into ci->m_op_list (via opinfo_add) before\nadd_lease_global_list() is called. If add_lease_global_list()\nfails (kmalloc returns NULL), the error path frees the opinfo\nvia __free_opinfo() while it is still linked in ci->m_op_list.\nConcurrent m_op_list readers (opinfo_get_list, or direct iteration\nin smb_break_all_levII_oplock) dereference the freed node.\n2) opinfo->o_fp is assigned after add_lease_global_list() publishes\nthe opinfo on the global lease list. A concurrent\nfind_same_lease_key() can walk the lease list and dereference\nopinfo->o_fp->f_ci while o_fp is still NULL.\nFix by restructuring the publication sequence to eliminate post-publish\nfailure:\n- Set opinfo->o_fp before any list publication (fixes NULL deref).\n- Preallocate lease_table via alloc_lease_table() before opinfo_add()\nso add_lease_global_list() becomes infallible after publication.\n- Keep the original m_op_list publication order (opinfo_add before\nlease list) so concurrent opens via same_client_has_lease() and\nopinfo_get_list() still see the in-flight grant.\n- Use opinfo_put() instead of __free_opinfo() on err_out so that\nthe RCU-deferred free path is used.\nThis also requires splitting add_lease_global_list() to take a\npreallocated lease_table and changing its return type from int to void,\nsince it can no longer fail.", "A flaw was found in ksmbd, a component of the Linux kernel. This vulnerability involves a use-after-free and a NULL pointer dereference within the `smb_grant_oplock()` function during the oplock publication sequence. An attacker could potentially exploit these issues, leading to memory corruption. This could result in a denial of service (DoS) due to system instability or crashes." ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-31444\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31444\nhttps://lore.kernel.org/linux-cve-announce/2026042245-CVE-2026-31444-8b6e@gregkh/T" ], "name" : "CVE-2026-31444", "csaw" : false }