In the Linux kernel, the following vulnerability has been resolved:
smb: client: make use of smbdirect_socket.recv_io.credits.available
The logic off managing recv credits by counting posted recv_io and
granted credits is racy.
That's because the peer might already consumed a credit,
but between receiving the incoming recv at the hardware
and processing the completion in the 'recv_done' functions
we likely have a window where we grant credits, which
don't really exist.
So we better have a decicated counter for the
available credits, which will be incremented
when we posted new recv buffers and drained when
we grant the credits to the peer.
| Score | Percentile |
|---|---|
| 0.01% | 1.71% |
| Base score | Version | Severity | Vector |
|---|---|---|---|
| 4.7 | 3.1 | — |
|
| Type | Value |
|---|---|
| GHSA | GHSA-4w64-3hfc-pgqc ↗ |
| CVE | CVE-2026-31535 ↗ |
| CWE id | Name |
|---|---|
| CWE-367 | Time-of-check Time-of-use (TOCTOU) Race Condition |