CVE-2026-31614

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
24/04/2026
Last modified:
24/04/2026

Description

In the Linux kernel, the following vulnerability has been resolved:

smb: client: fix off-by-8 bounds check in check_wsl_eas()

The bounds check uses (u8 *)ea + nlen + 1 + vlen as the end of the EA name and value, but ea_data sits at offset sizeof(struct smb2_file_full_ea_info) = 8 from ea, not at offset 0. The strncmp() later reads ea->ea_data[0..nlen-1] and the value bytes follow at ea_data[nlen+1..nlen+vlen], so the actual end is ea->ea_data + nlen + 1 + vlen. Isn't pointer math fun?

The earlier check (u8 *)ea > end - sizeof(*ea) only guarantees the 8-byte header is in bounds, but since the last EA is placed within 8 bytes of the end of the response, the name and value bytes are read past the end of iov.

Fix this mess all up by using ea->ea_data as the base for the bounds check.

An "untrusted" server can use this to leak up to 8 bytes of kernel heap into the EA name comparison and influence which WSL xattr the data is interpreted as.
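The program below is an added illustration of the off-by-8 the description explains; it is not code from the kernel or from the fix. It models the two bounds checks the commit message contrasts (one based at ea, one based at ea_data) and runs both against a constructed single-entry query-EA response whose iov is truncated at several lengths. The struct follows the 8-byte on-wire FILE_FULL_EA_INFORMATION header; the helper names, the buffer and the "$LXMOD" entry are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of the 8-byte EA header (4 + 1 + 1 + 2), i.e. the
 * sizeof(struct smb2_file_full_ea_info) = 8 the description refers to.
 * Assumption: this is a userspace stand-in, not the kernel's declaration. */
struct ea_info {
    uint32_t next_entry_offset;
    uint8_t  flags;
    uint8_t  ea_name_length;
    uint16_t ea_value_length;
    uint8_t  ea_data[];   /* name (nlen bytes), NUL, then value (vlen bytes) */
};
_Static_assert(sizeof(struct ea_info) == 8, "EA header must be 8 bytes");

/* One past the last byte the name, NUL and value of this entry occupy. */
static const uint8_t *ea_payload_end(const struct ea_info *ea)
{
    return ea->ea_data + ea->ea_name_length + 1 + ea->ea_value_length;
}

/* Header-in-bounds test shared by both variants: the "(u8 *)ea > end -
 * sizeof(*ea)" check, written so it cannot underflow the end pointer. */
static int ea_header_fits(const struct ea_info *ea, const uint8_t *end)
{
    const uint8_t *p = (const uint8_t *)ea;
    return end >= p && (size_t)(end - p) >= sizeof(*ea);
}

/* Pre-fix check as described: name/value length is added to ea instead of
 * ea_data, so the test is 8 bytes short. Returns 1 if the entry is accepted. */
static int ea_check_buggy(const struct ea_info *ea, const uint8_t *end)
{
    size_t nlen = ea->ea_name_length, vlen = ea->ea_value_length;
    if (!ea_header_fits(ea, end))
        return 0;
    return (const uint8_t *)ea + nlen + 1 + vlen <= end;
}

/* Post-fix check: the same arithmetic, based at ea_data. */
static int ea_check_fixed(const struct ea_info *ea, const uint8_t *end)
{
    if (!ea_header_fits(ea, end))
        return 0;
    return ea_payload_end(ea) <= end;
}

/* Bytes the strncmp()/value reads reach past end once an entry is accepted. */
static size_t ea_overread(const struct ea_info *ea, const uint8_t *end)
{
    const uint8_t *pend = ea_payload_end(ea);
    return pend > end ? (size_t)(pend - end) : 0;
}

/* Serialise one EA entry (name, NUL, value) at dst; returns bytes written. */
static size_t put_ea(uint8_t *dst, const char *name, const void *val, uint16_t vlen)
{
    struct ea_info *ea = (struct ea_info *)dst;
    uint8_t nlen = (uint8_t)strlen(name);
    ea->next_entry_offset = 0;
    ea->flags = 0;
    ea->ea_name_length = nlen;
    ea->ea_value_length = vlen;
    memcpy(ea->ea_data, name, nlen + 1u);        /* name plus NUL */
    memcpy(ea->ea_data + nlen + 1, val, vlen);   /* value */
    return sizeof(*ea) + nlen + 1 + vlen;
}

struct verdict { int buggy; int fixed; size_t overread; };

/* Constructed scenario: a single WSL-style EA (6-byte name "$LXMOD", 4-byte
 * mode value, 19 bytes in all) sits at the start of the response, but the
 * iov only covers the first iov_len bytes. This is the "last EA within 8
 * bytes of the end" case; both checks judge it against that shorter end. */
static struct verdict check_truncated(size_t iov_len)
{
    static uint8_t buf[64];
    const uint32_t mode = 0100644;
    struct verdict v = { 0, 0, 0 };

    if (iov_len > sizeof buf)
        return v;
    memset(buf, 0, sizeof buf);
    put_ea(buf, "$LXMOD", &mode, sizeof mode);

    const struct ea_info *ea = (const struct ea_info *)buf;
    const uint8_t *end = buf + iov_len;
    v.buggy = ea_check_buggy(ea, end);
    v.fixed = ea_check_fixed(ea, end);
    if (v.buggy)
        v.overread = ea_overread(ea, end);
    return v;
}

int main(void)
{
    const size_t lens[] = { 8, 11, 16, 19 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        struct verdict v = check_truncated(lens[i]);
        printf("iov_len=%2zu  buggy=%-6s fixed=%-6s overread=%zu\n", lens[i],
               v.buggy ? "accept" : "reject", v.fixed ? "accept" : "reject",
               v.overread);
    }
    return 0;
}
```

With the full 19-byte entry both checks agree, and when the iov ends more than 8 bytes short both reject. In between, when the iov ends 1 to 8 bytes inside the name or value, the pre-fix check still accepts the entry and the subsequent reads run that many bytes past end; the 8-byte maximum is exactly the header size the old arithmetic left out, which is the "up to 8 bytes of kernel heap" the description mentions.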

Impact