CVE-2026-31432

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ksmbd: fix OOB write in QUERY_INFO for compound requests<br /> <br /> When a compound request such as READ + QUERY_INFO(Security) is received,<br /> and the first command (READ) consumes most of the response buffer,<br /> ksmbd could write beyond the allocated buffer while building a security<br /> descriptor.<br /> <br /> The root cause was that smb2_get_info_sec() checked buffer space using<br /> ppntsd_size from xattr, while build_sec_desc() often synthesized a<br /> significantly larger descriptor from POSIX ACLs.<br /> <br /> This patch introduces smb_acl_sec_desc_scratch_len() to accurately<br /> compute the final descriptor size beforehand, performs proper buffer<br /> checking with smb2_calc_max_out_buf_len(), and uses exact-sized<br /> allocation + iov pinning.