Use After Free Affecting linux-qemu-rc package, versions <7.1_rc3-r0
Threat Intelligence
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-CHAINGUARDLATEST-LINUXQEMURC-16727797
- published17 May 2026
- disclosed1 May 2026
Introduced: 1 May 2026
CVE-2026-31718 (opens in a new tab)How to fix?
Upgrade Chainguard linux-qemu-rc to version 7.1_rc3-r0 or higher.
NVD Description
Note: Versions mentioned in the description apply only to the upstream linux-qemu-rc package and not the linux-qemu-rc package as distributed by Chainguard.
See How to fix? for Chainguard relevant fixed versions and status.
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: fix use-after-free in __ksmbd_close_fd() via durable scavenger
When a durable file handle survives session disconnect (TCP close without SMB2_LOGOFF), session_fd_check() sets fp->conn = NULL to preserve the handle for later reconnection. However, it did not clean up the byte-range locks on fp->lock_list.
Later, when the durable scavenger thread times out and calls __ksmbd_close_fd(NULL, fp), the lock cleanup loop did:
spin_lock(&fp->conn->llist_lock);
This caused a slab use-after-free because fp->conn was NULL and the original connection object had already been freed by ksmbd_tcp_disconnect().
The root cause is asymmetric cleanup: lock entries (smb_lock->clist) were left dangling on the freed conn->lock_list while fp->conn was nulled out.
To fix this issue properly, we need to handle the lifetime of smb_lock->clist across three paths:
- Safely skip clist deletion when list is empty and fp->conn is NULL.
- Remove the lock from the old connection's lock_list in session_fd_check()
- Re-add the lock to the new connection's lock_list in ksmbd_reopen_durable_fd().
References
- https://git.kernel.org/stable/c/235e32320a470fcd3998fb3774f2290a0eb302a1
- https://git.kernel.org/stable/c/3d6682726c2d3a46d31dae88b8166786b09b03ad
- https://git.kernel.org/stable/c/b34fc42cfe922e551f7a27d3ac3bb016e41d7dd9
- https://git.kernel.org/stable/c/e33c65f011980b4ad4abfd93585ec2079856368f
- https://git.kernel.org/stable/c/0000a7780e0e446a28a273572f6ea8f7f582f694