CVE-2026-31432
Severity CVSS v4.0:
Pending analysis
Type:
CWE-787
Out-of-bounds Write
Publication date:
22/04/2026
Last modified:
21/05/2026
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
ksmbd: fix OOB write in QUERY_INFO for compound requests<br />
<br />
When a compound request such as READ + QUERY_INFO(Security) is received,<br />
and the first command (READ) consumes most of the response buffer,<br />
ksmbd could write beyond the allocated buffer while building a security<br />
descriptor.<br />
<br />
The root cause was that smb2_get_info_sec() checked buffer space using<br />
ppntsd_size from xattr, while build_sec_desc() often synthesized a<br />
significantly larger descriptor from POSIX ACLs.<br />
<br />
This patch introduces smb_acl_sec_desc_scratch_len() to accurately<br />
compute the final descriptor size beforehand, performs proper buffer<br />
checking with smb2_calc_max_out_buf_len(), and uses exact-sized<br />
allocation + iov pinning.
Impact
Base Score 3.x
8.80
Severity 3.x
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.15.145 (including) | 5.16 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.1.71 (including) | 6.2 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.6 (including) | 6.12.81 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.13 (including) | 6.18.22 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.19 (including) | 6.19.12 (excluding) |
| cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page