VulnerableCode Vulnerability Details

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-beg3-c4a1-cfay

Essentials
Severities (5)
References (5)
Severity details (1)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-beg3-c4a1-cfay
Aliases	CVE-2026-31477
Summary	In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix memory leaks and NULL deref in smb2_lock() smb2_lock() has three error handling issues after list_del() detaches smb_lock from lock_list at no_check_cl: 1) If vfs_lock_file() returns an unexpected error in the non-UNLOCK path, goto out leaks smb_lock and its flock because the out: handler only iterates lock_list and rollback_list, neither of which contains the detached smb_lock. 2) If vfs_lock_file() returns -ENOENT in the UNLOCK path, goto out leaks smb_lock and flock for the same reason. The error code returned to the dispatcher is also stale. 3) In the rollback path, smb_flock_init() can return NULL on allocation failure. The result is dereferenced unconditionally, causing a kernel NULL pointer dereference. Add a NULL check to prevent the crash and clean up the bookkeeping; the VFS lock itself cannot be rolled back without the allocation and will be released at file or connection teardown. Fix cases 1 and 2 by hoisting the locks_free_lock()/kfree() to before the if(!rc) check in the UNLOCK branch so all exit paths share one free site, and by freeing smb_lock and flock before goto out in the non-UNLOCK branch. Propagate the correct error code in both cases. Fix case 3 by wrapping the VFS unlock in an if(rlock) guard and adding a NULL check for locks_free_lock(rlock) in the shared cleanup. Found via call-graph analysis using sqry.
Status	Published
Exploitability	0.5
Weighted Severity	2.8
Risk	1.4
Affected and Fixed Packages	Package Details

Weaknesses (1)

CWE-476

NULL Pointer Dereference

System	Score	Found at
epss	0.00024	https://api.first.org/data/v1/epss?cve=CVE-2026-31477
epss	0.00024	https://api.first.org/data/v1/epss?cve=CVE-2026-31477
epss	0.0007	https://api.first.org/data/v1/epss?cve=CVE-2026-31477
epss	0.0007	https://api.first.org/data/v1/epss?cve=CVE-2026-31477
cvssv3.1	5.5	https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

Reference id	Reference type	URL
		https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-31477.json
		https://api.first.org/data/v1/epss?cve=CVE-2026-31477
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-31477
		https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
2460681		https://bugzilla.redhat.com/show_bug.cgi?id=2460681

No exploits are available.

Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Exploit Prediction Scoring System (EPSS)

Percentile	0.06773
EPSS Score	0.00024
Published At	April 24, 2026, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2026-04-23T05:41:02.219113+00:00	Debian Importer	Import	https://security-tracker.debian.org/tracker/data/json	38.4.0