CVE-2026-31444
CriticalSummary
A vulnerability has been identified in the Linux kernel within the smb_grant_oplock() function, leading to use-after-free and NULL dereference issues. These problems arise from an improper publication sequence of oplock, potentially resulting in unpredictable system behavior.
Risk Assessment
This vulnerability may lead to system crashes or unauthorized memory access, posing a significant threat to the stability and security of the operating system.
Recommendation
It is recommended to update the Linux kernel to the latest version where fixes have been implemented to eliminate these oplock publication sequence issues.
Original NVD description (English source)
In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free and NULL deref in smb_grant_oplock() smb_grant_oplock() has two issues in the oplock publication sequence: 1) opinfo is linked into ci->m_op_list (via opinfo_add) before add_lease_global_list() is called. If add_lease_global_list() fails (kmalloc returns NULL), the error path frees the opinfo via __free_opinfo() while it is still linked in ci->m_op_list. Concurrent m_op_list readers (opinfo_get_list, or direct iteration in smb_break_all_levII_oplock) dereference the freed node. 2) opinfo->o_fp is assigned after add_lease_global_list() publishes the opinfo on the global lease list. A concurrent find_same_lease_key() can walk the lease list and dereference opinfo->o_fp->f_ci while o_fp is still NULL. Fix by restructuring the publication sequence to eliminate post-publish failure: - Set opinfo->o_fp before any list publication (fixes NULL deref). - Preallocate leas

