{
  "affected": [
    {
      "ranges": [
        {
          "events": [
            {
              "introduced": "89b021a72663c4d96d8a8b85272bb42d991a1c6f"
            },
            {
              "fixed": "66c082e3d4651e8629a393a9e182b01eb50fb0a3"
            },
            {
              "fixed": "809cbd31aa4f87a1b889532244c9cf30eb022385"
            },
            {
              "fixed": "26ad87a2cfb8c1384620d1693a166ed87303046e"
            }
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "type": "GIT"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Linux",
        "name": "Kernel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.18.0"
            },
            {
              "fixed": "6.18.11"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "6.19.0"
            },
            {
              "fixed": "6.19.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "database_specific": {
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31538.json"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: server: make use of smbdirect_socket.recv_io.credits.available\n\nThe logic off managing recv credits by counting posted recv_io and\ngranted credits is racy.\n\nThat's because the peer might already consumed a credit,\nbut between receiving the incoming recv at the hardware\nand processing the completion in the 'recv_done' functions\nwe likely have a window where we grant credits, which\ndon't really exist.\n\nSo we better have a decicated counter for the\navailable credits, which will be incremented\nwhen we posted new recv buffers and drained when\nwe grant the credits to the peer.\n\nThis fixes regression Namjae reported with\nthe 6.18 release.",
  "id": "CVE-2026-31538",
  "modified": "2026-07-08T05:36:16.593571898Z",
  "published": "2026-04-24T14:30:25.598Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/26ad87a2cfb8c1384620d1693a166ed87303046e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/66c082e3d4651e8629a393a9e182b01eb50fb0a3"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/809cbd31aa4f87a1b889532244c9cf30eb022385"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31538.json"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31538"
    },
    {
      "type": "PACKAGE",
      "url": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"
    }
  ],
  "schema_version": "1.7.5",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "smb: server: make use of smbdirect_socket.recv_io.credits.available"
}