CVE-2026-31610

Summary

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: fix mechToken leak when SPNEGO decode fails after token alloc

The kernel ASN.1 BER decoder calls action callbacks incrementally as it walks the input. When ksmbd_decode_negTokenInit() reaches the mechToken [2] OCTET STRING element, ksmbd_neg_token_alloc() allocates conn->mechToken immediately via kmemdup_nul(). If a later element in the same blob is malformed, then the decoder will return nonzero after the allocation is already live. This could happen if mechListMIC [3] overrunse the enclosing SEQUENCE.

decode_negotiation_token() then sets conn->use_spnego = false because both the negTokenInit and negTokenTarg grammars failed. The cleanup at the bottom of smb2_sess_setup() is gated on use_spnego:

if (conn->use_spnego && conn->mechToken) {
	kfree(conn->mechToken);
	conn->mechToken = NULL;
}

so the kfree is skipped, causing the mechToken to never be freed.

This codepath is reachable pre-authentication, so untrusted clients can cause slow memory leaks on a server without even being properly authenticated.

Fix this up by not checking check for use_spnego, as it's not required, so the memory will always be properly freed. At the same time, always free the memory in ksmbd_conn_free() incase some other failure path forgot to free it.

Affected Software

VendorProductVersion RangeStatus
LinuxLinuxfad4161b5cd01a24202234976ebbb133f7adc0b5 < 745a535461bbb90a56d9357573c9f97a5c12abe1affected
LinuxLinuxfad4161b5cd01a24202234976ebbb133f7adc0b5 < dd577cb55588ec3fbc66af3621280306601c4192affected
LinuxLinuxfad4161b5cd01a24202234976ebbb133f7adc0b5 < dd53414e301beb915fe672dc4c4a51bafb917604affected
LinuxLinuxfad4161b5cd01a24202234976ebbb133f7adc0b5 < 269c800a7a7e363459291885b35f7bc72e231ed6affected
LinuxLinuxfad4161b5cd01a24202234976ebbb133f7adc0b5 < 6c8c44e6553b9f072f62d9875e567766eb293162affected
LinuxLinuxfad4161b5cd01a24202234976ebbb133f7adc0b5 < ad0057fb91218914d6c98268718ceb9d59b388e1affected
LinuxLinux5.15affected
LinuxLinux0 < 5.15unaffected
LinuxLinux6.6.136 <= 6.6.*unaffected
LinuxLinux6.12.83 <= 6.12.*unaffected
LinuxLinux6.18.24 <= 6.18.*unaffected
LinuxLinux6.19.14 <= 6.19.*unaffected
LinuxLinux7.0.1 <= 7.0.*unaffected
LinuxLinux7.1 <= *unaffected

Weaknesses

References