CVE-2026-31717 is an improper authorization flaw in the Linux kernel's ksmbd SMB server implementation. In the durable handle reconnect path for SMB2_CREATE (the DHnC create context), ksmbd did not verify that the authenticated user attempting to reconnect to a durable handle was the same user who originally opened the file. In MS-SMB2 terms, ksmbd failed to enforce the requirement that the SecurityContext of the reconnect request match the SecurityContext associated with the existing open. This allowed any authenticated user to hijack an orphaned durable handle (an open whose owning session has been torn down while the open itself persists) if they could predict or brute-force its persistent ID. The fix adds durable owner tracking to ksmbd_file, storing the original opener's UID, GID, and account name when a file handle becomes orphaned, and introduces owner comparison logic via ksmbd_vfs_compare_durable_owner() during durable handle reconnect validation.
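The missing check, as an added illustrative model written for this page: this is not ksmbd source, and the names DurableTable, Session, OpenFile, reconnect_dhnc and brute_force_reconnect are assumptions made for the example. It models the three steps the description above implies: a durable open, the owning session going away so the open becomes an orphan stamped with the opener's UID/GID/account name, and a DHnC reconnect that either looks the open up by persistent ID alone (the vulnerable behaviour) or additionally compares the reconnecting session against the stored owner (the fix). Persistent IDs are modelled as small sequential integers, which is an assumption, and is what makes a brute-force sweep over the ID space cheap.

```python
# Added illustrative model of the ksmbd durable-handle reconnect authorization
# check. NOT ksmbd source; DurableTable, Session, OpenFile and the function
# names are assumptions made for this example.
from dataclasses import dataclass
from typing import Dict, Iterable, Optional


@dataclass
class Session:
    """The authenticated SMB session (SecurityContext) issuing the CREATE."""
    uid: int
    gid: int
    account: str


@dataclass
class OpenFile:
    """One server-side open. session is None once the owning session is gone."""
    path: str
    persistent_id: int
    session: Optional[Session]
    # Owner stamp written when the open becomes orphaned: this is what the fix
    # adds to ksmbd_file (UID, GID and account name of the original opener).
    owner_uid: Optional[int] = None
    owner_gid: Optional[int] = None
    owner_name: Optional[str] = None


class DurableTable:
    """Opens keyed by persistent ID. IDs are small and sequential here (assumed),
    which is what makes a brute-force over the ID space practical."""

    def __init__(self) -> None:
        self._next_id = 1
        self.opens: Dict[int, OpenFile] = {}

    def open_durable(self, sess: Session, path: str) -> OpenFile:
        f = OpenFile(path, self._next_id, sess)
        self._next_id += 1
        self.opens[f.persistent_id] = f
        return f

    def teardown_session(self, sess: Session) -> None:
        """Session dies (network drop, logoff without close): durable opens survive
        as orphans, stamped with the owner identity needed for the later check."""
        for f in self.opens.values():
            if f.session is sess:
                f.session = None
                f.owner_uid, f.owner_gid, f.owner_name = sess.uid, sess.gid, sess.account


def compare_durable_owner(f: OpenFile, sess: Session) -> bool:
    """Owner comparison in the spirit of ksmbd_vfs_compare_durable_owner():
    the reconnecting SecurityContext must match the orphaned open's owner."""
    return (f.owner_uid == sess.uid
            and f.owner_gid == sess.gid
            and f.owner_name == sess.account)


def reconnect_dhnc(table: DurableTable, sess: Session, persistent_id: int,
                   check_owner: bool) -> Optional[OpenFile]:
    """DHnC handling. check_owner=False is the vulnerable path (lookup by ID only);
    check_owner=True adds the owner check the fix introduces."""
    f = table.opens.get(persistent_id)
    if f is None or f.session is not None:     # unknown ID, or not orphaned
        return None
    if check_owner and not compare_durable_owner(f, sess):
        return None                             # reject: a different user
    f.session = sess                            # open now belongs to this session
    f.owner_uid = f.owner_gid = f.owner_name = None
    return f


def brute_force_reconnect(table: DurableTable, sess: Session, ids: Iterable[int],
                          check_owner: bool) -> Optional[OpenFile]:
    """The exploit's attack mode: walk a persistent-ID range until a reconnect succeeds."""
    for pid in ids:
        f = reconnect_dhnc(table, sess, pid, check_owner)
        if f is not None:
            return f
    return None


def scenario(check_owner: bool) -> Optional[str]:
    """victim opens a 0600 file durably and drops off; attacker hunts for the orphan.
    Returns the path the attacker obtained, or None if the reconnect was refused."""
    table = DurableTable()
    victim = Session(1001, 1001, "victim")
    attacker = Session(1002, 1002, "attacker")
    table.open_durable(victim, "/tmp/smbtest/secret_0600.txt")  # constructed sample path
    table.teardown_session(victim)
    f = brute_force_reconnect(table, attacker, range(1, 1024), check_owner)
    return f.path if f else None


if __name__ == "__main__":
    print("vulnerable:", scenario(check_owner=False))   # attacker gets the orphan
    print("fixed:     ", scenario(check_owner=True))    # attacker is refused
```

The point of the model is where the comparison sits: the open is found by persistent ID, and only then is the caller's identity compared with the identity stamped at orphaning time. The original opener still reconnects under the fixed path, so a correct patch closes the hijack without breaking legitimate durable reconnects.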
One public exploit repository tracked (after filtering out fakes, detection scripts, and README-only repos).
Repository contains a working Python proof-of-concept exploit (`exploit.py`) and a Bash-based lab builder (`setup.sh`) for CVE-2026-31717, an authorization bypass in ksmbd durable-handle reconnect logic. The exploit targets the non-lease durable handle reconnect path (DHnC / durable handle v1), where ksmbd validates only the attacker-supplied persistent file ID and skips ownership checks in `smb2_check_durable_oplock()`. As a result, any authenticated SMB user can hijack another user's orphaned durable handle after session teardown and then read/write the file using the victim's retained kernel file credentials.

`exploit.py` is the main entry point. It uses Impacket SMB libraries plus manually constructed SMB2 CREATE contexts to request durable handles (`DHnQ`) and reconnect them (`DHnC`). It supports three modes: `victim` to create and orphan a durable handle, `attack` to brute-force a persistent ID range and hijack an orphaned handle, and `acl-bypass` to run the full end-to-end demonstration. The code negotiates SMB 2.1, 3.0, or 3.1.1, authenticates to a target share, and performs post-hijack file reads/writes to prove unauthorized access. The exploit is operational rather than framework-based: it contains a concrete payload path and practical workflow, but customization is manual.

`setup.sh` builds a reproducible vulnerable environment in QEMU. It downloads/builds Linux 6.19.11 and ksmbd-tools, creates an initramfs, provisions users `victim` and `attacker`, enables `durable handles = yes` in `/etc/ksmbd/ksmbd.conf`, exports `/tmp/smbtest` as share `share`, and pre-creates `/tmp/smbtest/secret_0600.txt` with mode 0600 owned by the victim. It also generates `run.sh`, which boots QEMU and forwards host TCP port 44500 to guest SMB port 445. This structure makes the repository both a PoC exploit and a self-contained reproduction environment.
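The two create contexts the exploit hand-builds, DHnQ and DHnC, as an added example written for this page (not `exploit.py`'s code): it serialises and parses SMB2 create contexts in the MS-SMB2 2.2.13.2 layout (a 16-byte header of Next, NameOffset, NameLength, Reserved, DataOffset, DataLength, followed by the 4-byte name and 8-byte-aligned data). DHnQ carries 16 reserved zero bytes; DHnC carries the 16-byte SMB2_FILEID of the open to resume. The function names `build_create_context`, `dhnq_context`, `dhnc_context`, `parse_create_contexts` and `reconnect_sweep` are assumptions for the example; the 0x2A persistent ID is a constructed sample. The volatile half of the FILEID is left at zero because, as described above, the vulnerable server selects the orphan by persistent ID alone.

```python
# Added example: encoding and decoding the SMB2 CREATE contexts used for durable
# handles, DHnQ (request) and DHnC (reconnect), per the MS-SMB2 2.2.13.2 layout.
# This is not exploit.py's code; function names are assumptions for the example.
import struct
from typing import Iterator, List, Tuple

# SMB2_CREATE_CONTEXT header: Next, NameOffset, NameLength, Reserved, DataOffset, DataLength
CTX_HDR = struct.Struct("<IHHHHI")
CTX_HDR_LEN = CTX_HDR.size          # 16 bytes


def _pad8(n: int) -> int:
    return (n + 7) & ~7


def build_create_context(name: bytes, data: bytes, last: bool = True) -> bytes:
    """Serialise one create context. The name follows the header directly; the data
    starts on the next 8-byte boundary; a non-final context is itself padded to 8
    bytes so the Next field points at an aligned successor (Next is 0 on the last)."""
    if len(name) != 4:
        raise ValueError("SMB2 create-context names are 4 bytes")
    name_off = CTX_HDR_LEN
    data_off = _pad8(name_off + len(name)) if data else 0
    end = data_off + len(data) if data else name_off + len(name)
    total = end if last else _pad8(end)
    out = bytearray(total)
    CTX_HDR.pack_into(out, 0, 0 if last else total, name_off, len(name), 0, data_off, len(data))
    out[name_off:name_off + len(name)] = name
    if data:
        out[data_off:data_off + len(data)] = data
    return bytes(out)


def dhnq_context(last: bool = True) -> bytes:
    """SMB2_CREATE_DURABLE_HANDLE_REQUEST: 16 reserved (zero) bytes of DurableRequest."""
    return build_create_context(b"DHnQ", b"\x00" * 16, last)


def dhnc_context(persistent_id: int, volatile_id: int = 0, last: bool = True) -> bytes:
    """SMB2_CREATE_DURABLE_HANDLE_RECONNECT: the 16-byte SMB2_FILEID of the open to
    resume. Only the persistent half identifies the orphaned open, which is why the
    attack mode needs nothing but a guessable persistent ID."""
    file_id = struct.pack("<QQ", persistent_id, volatile_id)
    return build_create_context(b"DHnC", file_id, last)


def parse_create_contexts(blob: bytes) -> List[Tuple[bytes, bytes]]:
    """Walk a chain of create contexts (as found in a CREATE request/response buffer)."""
    out, off = [], 0
    while True:
        nxt, name_off, name_len, _, data_off, data_len = CTX_HDR.unpack_from(blob, off)
        name = blob[off + name_off: off + name_off + name_len]
        data = blob[off + data_off: off + data_off + data_len] if data_len else b""
        out.append((name, data))
        if nxt == 0:
            return out
        off += nxt


def reconnect_sweep(start: int, count: int) -> Iterator[Tuple[int, bytes]]:
    """Yield (persistent_id, DHnC context) for a range of IDs, i.e. what the exploit's
    attack mode sends one CREATE at a time until the server accepts a reconnect."""
    for pid in range(start, start + count):
        yield pid, dhnc_context(pid)


if __name__ == "__main__":
    # Chained only to exercise the Next field; a real reconnect CREATE carries DHnC alone.
    blob = dhnq_context(last=False) + dhnc_context(0x2A)
    for name, data in parse_create_contexts(blob):
        print(name.decode(), data.hex())
```

Each of these contexts is exactly 40 bytes: 16 bytes of header, the 4-byte name at offset 16, 4 bytes of alignment padding, and 16 bytes of data at offset 24. When chaining, the Next field of a non-final context is its padded total length, so the parser simply adds Next to the current offset until it reaches a context whose Next is 0.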
Notable fingerprintable targets are SMB endpoints on TCP 445/44500, the QEMU guest IP 10.0.2.15, the exported share `share`, and the lab file path `/tmp/smbtest/secret_0600.txt`. No external C2 or exfiltration infrastructure is present; network activity is limited to SMB connections to the specified target and setup-time downloads of kernel source and ksmbd-tools. Overall purpose: demonstrate and reproduce authenticated cross-user file-handle hijacking in vulnerable ksmbd deployments with durable handles enabled.
6 sources tracked across advisories and community write-ups; no news coverage yet.