CVE-2026-31507: In the Linux kernel, the following vulnerability has been resolved: net/smc: fix double-free of smc_spd_priv when tee()
Summary
A vulnerability in the Linux kernel's SMC (sockets mapped to connections) networking code allows a double-free memory error when the tee() function duplicates splice pipe buffers. When two pipes share the same smc_spd_priv pointer (a data structure tracking buffer metadata), releasing both pipes causes the same object to be freed twice, leading to a use-after-free bug (accessing memory that has already been freed) and potential kernel crashes.
Solution / Mitigation
The .get callback is invoked by both tee(2) and splice_pipe_to_pipe() for partial transfers; with the fix, both now return -EFAULT. Users who need to duplicate SMC socket data must use a copy-based read path.
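The shared-pointer problem and the effect of the fix, as an added user-space model (not kernel code and not part of the original advisory). Every type and function name in it is a hypothetical stand-in, and frees are counted rather than performed:

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* User-space model only: every name here is a hypothetical stand-in. */
struct spd_priv { int frees; };          /* plays the role of smc_spd_priv */
struct pipe_buf {
    struct spd_priv *priv;               /* per-buffer metadata pointer */
    bool (*get)(struct pipe_buf *);      /* consulted before duplication */
};

/* .get variants: pre-fix allows duplication, post-fix refuses it. */
static bool get_share(struct pipe_buf *b) { (void)b; return true; }
static bool get_refuse(struct pipe_buf *b) { (void)b; return false; }

/* Models tee(): copies the buffer descriptor, private pointer included. */
static int model_tee(struct pipe_buf *src, struct pipe_buf *dst)
{
    if (!src->get(src))
        return -EFAULT;                  /* the error the advisory describes */
    *dst = *src;                         /* dst->priv now aliases src->priv */
    return 0;
}

/* Models the release callback; counts a free instead of calling free(). */
static void model_release(struct pipe_buf *b)
{
    if (b->priv)
        b->priv->frees++;
    b->priv = NULL;
}

/* How often the single spd_priv is freed once both pipes are drained. */
static int frees_after_tee(bool (*get)(struct pipe_buf *), int *tee_ret)
{
    struct spd_priv priv = { 0 };
    struct pipe_buf in = { &priv, get }, out = { NULL, get };
    *tee_ret = model_tee(&in, &out);
    model_release(&in);
    model_release(&out);
    return priv.frees;
}

int main(void)
{
    int r1, r2, pre = frees_after_tee(get_share, &r1);
    int post = frees_after_tee(get_refuse, &r2);
    printf("pre-fix: tee=%d frees=%d; post-fix: tee=%d frees=%d\n", r1, pre, r2, post);
    return 0;
}
```

With the permissive callback the one metadata object is released once per pipe; with the refusing callback the duplicate is never created, so only the original owner releases it.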
Vulnerability Details
EPSS: 0.0%
April 22, 2026
Classification
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-31507
First tracked: April 22, 2026 at 02:08 PM