Skip to main content
Meet us at Black Hat USA 2026— Las Vegas, August 1–6Book a Meeting
Mallory
Back to vulnerabilities
High

Linux kernel net/smc double-free of smc_spd_priv via tee()-duplicated splice pipe buffer

IdentifiersCVE-2026-31507CWE-415· Double Free

CVE-2026-31507 is a Linux kernel vulnerability in the SMC networking subsystem (net/smc). The flaw occurs in the splice receive path: smc_rx_splice() allocates one smc_spd_priv object per pipe_buffer and stores the pointer in pipe_buffer.private. The affected pipe_buf_operations used .get = generic_pipe_buf_get, which increments only the backing page reference count when tee(2) duplicates a pipe buffer, but does not duplicate or refcount the associated smc_spd_priv object. As a result, after tee() duplicates the buffer, both the original and cloned pipe_buffer instances reference the same smc_spd_priv pointer. When the two pipes are later released, smc_rx_pipe_buf_release() runs twice on the same object. The first release frees the object and updates socket and consumer state; the second release operates on already freed memory, causing a double-free/use-after-free condition. KASAN reported a slab-use-after-free in smc_rx_pipe_buf_release(), and the bug can further escalate to a NULL-pointer dereference in smc_rx_update_consumer() when dereferencing freed state. The issue also has a semantic side effect: duplicated release processing can advance the SMC consumer cursor twice for the same data, corrupting receive-window accounting.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can trigger kernel memory corruption in the form of a double-free followed by use-after-free during pipe buffer release in the SMC splice path. Observed outcomes include slab-use-after-free, NULL-pointer dereference, and kernel panic, resulting in denial of service. Because the freed object contains socket- and SMC-related state and the CVSS vectors provided rate confidentiality, integrity, and availability as high, the vulnerability may also expose the kernel to broader compromise impacts beyond a crash, although the provided content specifically demonstrates panic/DoS behavior.

Mitigation

If you can’t patch tonight, do this now.

Until patched, avoid workflows that duplicate SMC splice pipe buffers via tee(2) or related pipe-to-pipe duplication paths. If duplication of SMC socket data is required, use a copy-based read path rather than tee/splice duplication. More generally, reduce exposure by limiting untrusted local users' ability to exercise SMC socket splice operations on affected systems.

Remediation

Patch, then assume compromise.

Apply a Linux kernel update containing the fix for CVE-2026-31507. The fix changes the SMC splice pipe buffer duplication behavior so that duplication paths invoking the pipe buffer .get callback, including tee(2) and splice_pipe_to_pipe() partial-transfer cases, fail with -EFAULT instead of allowing unsafe sharing of smc_spd_priv. Vendor guidance in the provided content indicates installing the relevant SUSE kernel security updates via YaST or zypper and rebooting after patching.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
LinuxLinux Kerneloperating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

4 sources tracked across advisories and community write-ups. News coverage will land here when it surfaces.

4 SOURCESView more in app

No news coverage yet. Advisories and community discussion only.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2026-31507
NVD
nvd.nist.gov/vuln/detail/CVE-2026-31507
MITRE CWE · CWE-415
Double Free
Patch
git.kernel.org/stable/c/24dd586bb4cbba1889a50abe74143817a095c1c9
Patch
git.kernel.org/stable/c/3cc76380fea749280c026f410af56a28aaac388a
Patch
git.kernel.org/stable/c/54c87a730157868543ebdfa0ecb21b4590ed23a5
Patch
git.kernel.org/stable/c/7bcb974c771c863e8588cea0012ac204443a7126
Patch
git.kernel.org/stable/c/7e8916f46c2f48607f907fd401590093753a6bc5
Patch
git.kernel.org/stable/c/81acbd345d405994875d419d43b319fee0b9ad62
Patch
git.kernel.org/stable/c/98ba5cb274768146e25ffbfde47753652c1c20d3
Patch
git.kernel.org/stable/c/ae5575e660410c8d2c5d38fb28a0f37aea945676