CVE-2026-31433

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ksmbd: fix potencial OOB in get_file_all_info() for compound requests<br /> <br /> When a compound request consists of QUERY_DIRECTORY + QUERY_INFO<br /> (FILE_ALL_INFORMATION) and the first command consumes nearly the entire<br /> max_trans_size, get_file_all_info() would blindly call smbConvertToUTF16()<br /> with PATH_MAX, causing out-of-bounds write beyond the response buffer.<br /> In get_file_all_info(), there was a missing validation check for<br /> the client-provided OutputBufferLength before copying the filename into<br /> FileName field of the smb2_file_all_info structure.<br /> If the filename length exceeds the available buffer space, it could lead to<br /> potential buffer overflows or memory corruption during smbConvertToUTF16<br /> conversion. This calculating the actual free buffer size using<br /> smb2_calc_max_out_buf_len() and returning -EINVAL if the buffer is<br /> insufficient and updating smbConvertToUTF16 to use the actual filename<br /> length (clamped by PATH_MAX) to ensure a safe copy operation.