CVE-2026-31718 -- CVSS 9.8 Vulnerability Briefing
CVE-2026-31718 | CVSS 9.8 (Critical) | Exploit: No known exploit
What Is It
CVE-2026-31718 is a use-after-free vulnerability in the Linux kernel's ksmbd component, specifically within the __ksmbd_close_fd() function, triggered through the durable file handle scavenger path during session disconnect handling.
Technical Detail
The flaw arises when a durable file handle survives a TCP session disconnect and the durable scavenger routine subsequently accesses memory that has already been freed during file descriptor cleanup in __ksmbd_close_fd(). An attacker who can establish and manipulate SMB sessions against a system running ksmbd may be able to trigger this condition, potentially leading to kernel memory corruption. Given the critical CVSS score of 9.8 and the network-accessible nature of the SMB server component, this could, depending on exploitability, result in a kernel crash or in local or remote privilege escalation.
Exploitation Status
No known exploit exists for this vulnerability at this time, and it is not listed in the CISA Known Exploited Vulnerabilities catalog. The exploit maturity is currently assessed as "no known exploit": no public proof-of-concept or weaponized code has been confirmed as of May 8, 2026.
Who Is Targeting This
There is no specific threat actor attribution at this time. No campaigns or targeted sectors have been associated with this vulnerability in available intelligence.
What To Do
Apply the upstream Linux kernel patch that resolves this use-after-free condition in ksmbd as soon as it is available in your distribution's stable channel. Organizations running ksmbd as an in-kernel SMB server should treat this as a high-priority patch given the critical severity rating and the network-exposed attack surface. As an interim measure, consider disabling ksmbd if it is not operationally required, or restrict SMB access at the network perimeter to trusted hosts only. Monitor kernel security advisories from your Linux distribution vendor for backported fixes applicable to your deployed kernel version.
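To decide whether the interim measures above apply to a given host, the following added example (not part of the original briefing or of any vendor tooling) checks whether the ksmbd module is loaded and whether anything is listening on TCP 445. It assumes the standard Linux /proc/modules and /proc/net/tcp formats; the function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: exposure check for the ksmbd in-kernel SMB server.

# True if ksmbd is listed in a /proc/modules-format file. A kernel with
# ksmbd built in (CONFIG_SMB_SERVER=y) has no entry there, so a negative
# result only rules out the loadable module.
ksmbd_loaded() {
    awk '$1 == "ksmbd" { found = 1 } END { exit !found }' "${1:-/proc/modules}"
}

# True if any /proc/net/tcp-format file shows a socket in LISTEN state
# (st field 0A) on TCP 445 (hex 01BD). Userspace Samba also uses 445.
smb_listening() {
    [ $# -gt 0 ] || set -- /proc/net/tcp /proc/net/tcp6
    for f in "$@"; do
        [ -r "$f" ] || continue
        awk 'FNR > 1 { n = split($2, a, ":")
                       if (a[n] == "01BD" && $4 == "0A") found = 1 }
             END { exit !found }' "$f" && return 0
    done
    return 1
}

# Usage: ksmbd_exposure [modules-file [tcp-file ...]]; defaults to /proc.
ksmbd_exposure() {
    mods="${1:-/proc/modules}"
    [ $# -gt 0 ] && shift
    if ! ksmbd_loaded "$mods"; then echo "not-loaded"
    elif smb_listening "$@"; then echo "loaded-listening"
    else echo "loaded-idle"
    fi
}

# Constructed sample data (not captured from a real host).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/modules" <<'EOF'
nls_utf8 12288 1 - Live 0x0000000000000000
ksmbd 421888 0 - Live 0x0000000000000000
EOF
cat > "$SAMPLE_DIR/tcp" <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20001
   1: 00000000:01BD 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20002
EOF
echo "sample host: $(ksmbd_exposure "$SAMPLE_DIR/modules" "$SAMPLE_DIR/tcp")"
```

Calling ksmbd_exposure with no arguments checks the live system. A "loaded-listening" result marks a host where the patch, disabling ksmbd, or perimeter restriction of SMB should be prioritized.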