CVE-2026-31610

Description

In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix mechToken leak when SPNEGO decode fails after token alloc The kernel ASN.1 BER decoder calls action callbacks incrementally as it walks the input. When ksmbd_decode_negTokenInit() reaches the mechToken [2] OCTET STRING element, ksmbd_neg_token_alloc() allocates conn->mechToken immediately via kmemdup_nul(). If a later element in the same blob is malformed, then the decoder will return nonzero after the allocation is already live. This could happen if mechListMIC [3] overrunse the enclosing SEQUENCE. decode_negotiation_token() then sets conn->use_spnego = false because both the negTokenInit and negTokenTarg grammars failed. The cleanup at the bottom of smb2_sess_setup() is gated on use_spnego: if (conn->use_spnego && conn->mechToken) { kfree(conn->mechToken); conn->mechToken = NULL; } so the kfree is skipped, causing the mechToken to never be freed. This codepath is reachable pre-authentication, so untrusted clients can cause slow memory leaks on a server without even being properly authenticated. Fix this up by not checking check for use_spnego, as it's not required, so the memory will always be properly freed. At the same time, always free the memory in ksmbd_conn_free() incase some other failure path forgot to free it.

Predictions

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

References

• https://git.kernel.org/stable/c/269c800a7a7e363459291885b35f7bc72e231ed6
• https://git.kernel.org/stable/c/6c8c44e6553b9f072f62d9875e567766eb293162
• https://git.kernel.org/stable/c/745a535461bbb90a56d9357573c9f97a5c12abe1
• https://git.kernel.org/stable/c/ad0057fb91218914d6c98268718ceb9d59b388e1
• https://git.kernel.org/stable/c/dd53414e301beb915fe672dc4c4a51bafb917604
• https://git.kernel.org/stable/c/dd577cb55588ec3fbc66af3621280306601c4192
• https://www.suse.com/security/cve/CVE-2026-31610.html
• https://security-tracker.debian.org/tracker/CVE-2026-31610

CWEs

CWE-401