Part of Lyceum Intelligence — deep-research In Focus reports → · Lyceum Corpus — ask the documents →

Full-text search across 381 articles. Typo-tolerant.

Lyceum News Desk ·

CVE-2026-31536 -- CVSS 9.8 Vulnerability Briefing

CVE-2026-31536 | CVSS 9.8 (Critical) | Exploit: No known exploit

What Is It

CVE-2026-31536 is a vulnerability in the Linux kernel's SMB server component, specifically within the smbdirect (SMB over RDMA) send path, where improper handling of send completions lacking the IB_SEND_SIGNALED flag can lead to undefined kernel behavior.

Technical Detail

The flaw exists in the send_done completion handler within the Linux kernel's SMB direct (RDMA-based) server implementation. When smbdirect_send_batch processing submits work requests without the IB_SEND_SIGNALED flag, the corresponding completion event may not be generated as expected, leaving the handler in an inconsistent state that can result in memory corruption, a kernel panic, or potential privilege escalation depending on how the corrupted state is subsequently accessed. An attacker with access to the SMB over RDMA network path could potentially trigger this condition by manipulating the timing or structure of SMB direct requests to the affected server.

Exploitation Status

No known exploit exists for this vulnerability at this time. The exploit maturity is currently unproven, and CVE-2026-31536 has not been added to the CISA Known Exploited Vulnerabilities catalog. There is no public proof-of-concept code confirmed as of May 1, 2026.

Who Is Targeting This

No specific threat actor attribution at this time. No campaigns or targeted sectors have been associated with this vulnerability in available intelligence sources.

What To Do

Apply the upstream Linux kernel patch that resolves this issue as soon as it is available in your distribution's stable or security update channel. Organizations running SMB over RDMA (smbdirect) in server configurations should treat this as a priority patch given the CVSS score of 9.8. As an interim workaround, disabling SMB direct (RDMA transport) on exposed SMB servers will eliminate the attack surface until patching is complete. Administrators should review kernel changelogs for the specific commit resolving this issue and confirm their distribution vendor has backported the fix. Monitor kernel and SMB server logs for unexpected completion handler errors or RDMA-related kernel warnings as potential indicators of attempted exploitation.

In Focus
All analysis →

Deep-research intelligence reports from Lyceum Intelligence — structured assessments with sourced claims and calibrated conclusions.

Browse Intelligence Reports →