{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-31718/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":["cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","cpe:2.3:o:linux:linux_kernel:7.1:rc1:*:*:*:*:*:*"],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-31718"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["use-after-free","smb","ksmbd","CVE-2026-31718","kernel"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eOn May 8, 2026, Microsoft published details for CVE-2026-31718, a use-after-free vulnerability affecting the ksmbd kernel module. The vulnerability resides in the \u003ccode\u003e__ksmbd_close_fd()\u003c/code\u003e function and is triggered through the durable scavenger functionality. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code in the context of the kernel. The vulnerability affects systems utilizing the ksmbd kernel module for SMB server functionality. Due to the nature of kernel-level vulnerabilities, this poses a significant risk to the confidentiality, integrity, and availability of affected systems.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker establishes a valid SMB connection with a vulnerable ksmbd server.\u003c/li\u003e\n\u003cli\u003eThe attacker initiates a durable file handle request, instructing the server to maintain a persistent file handle.\u003c/li\u003e\n\u003cli\u003eThe server creates a file object and associates it with the durable file handle.\u003c/li\u003e\n\u003cli\u003eThe attacker triggers the durable scavenger, a routine designed to clean up stale or unused durable handles.\u003c/li\u003e\n\u003cli\u003eDue to a flaw in \u003ccode\u003e__ksmbd_close_fd()\u003c/code\u003e, the server incorrectly frees the file object while the durable file handle is still active.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to access the file object through the previously established durable file handle.\u003c/li\u003e\n\u003cli\u003eThis access triggers a use-after-free condition, potentially allowing the attacker to overwrite kernel memory.\u003c/li\u003e\n\u003cli\u003eBy carefully crafting the memory overwrite, the attacker achieves arbitrary code execution within the kernel.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-31718 allows an attacker to execute arbitrary code within the kernel context of the affected system. This can lead to a complete compromise of the system, allowing the attacker to gain full control, steal sensitive data, or cause a denial of service. Given the kernel-level nature of the vulnerability, there is a high risk of privilege escalation and lateral movement within the network.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the security updates released by Microsoft to patch CVE-2026-31718 to remediate the underlying use-after-free vulnerability.\u003c/li\u003e\n\u003cli\u003eMonitor systems running ksmbd for unusual SMB activity, specifically related to durable file handles, using network connection logs.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect potential attempts to trigger the vulnerable \u003ccode\u003e__ksmbd_close_fd()\u003c/code\u003e function by monitoring for specific SMB protocol requests related to durable handles.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-08T07:05:58Z","date_published":"2026-05-08T07:05:58Z","id":"/briefs/2024-05-ksmbd-uaf/","summary":"CVE-2026-31718 is a use-after-free vulnerability in the ksmbd kernel module, specifically in the __ksmbd_close_fd() function, which can be triggered via the durable scavenger mechanism, potentially leading to arbitrary code execution.","title":"CVE-2026-31718 ksmbd Use-After-Free Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-05-ksmbd-uaf/"}],"language":"en","title":"CraftedSignal Threat Feed — CVE-2026-31718","version":"https://jsonfeed.org/version/1.1"}