CVE-2026-31705

Severity CVSS v4.0: Pending analysis
Type: CWE-787 Out-of-bounds Write
Publication date: 01/05/2026
Last modified: 06/05/2026

Description

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: fix out-of-bounds write in smb2_get_ea() EA alignment

smb2_get_ea() applies 4-byte alignment padding via memset() after writing each EA entry. The bounds check on buf_free_len is performed before the value memcpy, but the alignment memset fires unconditionally afterward with no check on remaining space.

When the EA value exactly fills the remaining buffer (buf_free_len == 0 after value subtraction), the alignment memset writes 1-3 NUL bytes past the buf_free_len boundary. In compound requests where the response buffer is shared across commands, the first command (e.g., READ) can consume most of the buffer, leaving a tight remainder for the QUERY_INFO EA response. The alignment memset then overwrites past the physical kvmalloc allocation into adjacent kernel heap memory.

Add a bounds check before the alignment memset to ensure buf_free_len can accommodate the padding bytes.

This is the same bug pattern fixed by commit beef2634f81f ("ksmbd: fix potencial OOB in get_file_all_info() for compound requests") and commit fda9522ed6af ("ksmbd: fix OOB write in QUERY_INFO for compound requests"), both of which added bounds checks before unconditional writes in QUERY_INFO response handlers.
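The pattern described above, reduced to a userspace C model with the unchecked padding beside the checked form. This is an added example, not the ksmbd source or the upstream patch: put_entry(), overrun_bytes() and the guard-byte layout are hypothetical, and the model keeps slack after the logical limit so it never writes outside its own array.

```c
#include <stdio.h>
#include <string.h>

#define CAP    64    /* largest logical response space the model accepts */
#define GUARD  4     /* slack after the limit so the model stays inside its own array */
#define CANARY 0xAA

/* Hypothetical, simplified EA writer: copy the value, then pad to a 4-byte boundary.
 * check_pad = 0 models the unchecked padding; 1 models the added bounds check. */
static int put_entry(unsigned char *ptr, int *buf_free_len,
                     const unsigned char *val, int val_len, int check_pad)
{
    int pad = (4 - (val_len & 3)) & 3;

    if (val_len > *buf_free_len)            /* check that precedes the value copy */
        return -1;
    memcpy(ptr, val, (size_t)val_len);
    *buf_free_len -= val_len;

    if (check_pad && pad > *buf_free_len)   /* padding must fit as well */
        return -1;
    memset(ptr + val_len, 0, (size_t)pad);  /* alignment padding */
    *buf_free_len -= pad;                   /* goes negative when unchecked */
    return 0;
}

/* Returns how many bytes beyond the logical limit `remaining` were modified. */
static int overrun_bytes(int remaining, int val_len, int check_pad)
{
    unsigned char buf[CAP + GUARD], val[CAP];
    int free_len = remaining, i, n = 0;

    if (remaining < 0 || remaining > CAP || val_len < 0 || val_len > CAP)
        return -1;
    memset(buf, CANARY, sizeof(buf));       /* constructed sample data */
    memset(val, 'V', sizeof(val));
    put_entry(buf, &free_len, val, val_len, check_pad);
    for (i = 0; i < GUARD; i++)
        n += (buf[remaining + i] != CANARY);
    return n;
}

int main(void)
{
    printf("value fills the space, no pad check: %d byte(s) past the limit\n",
           overrun_bytes(5, 5, 0));
    printf("value fills the space, pad check:    %d byte(s) past the limit\n",
           overrun_bytes(5, 5, 1));
    return 0;
}
```

In this model a value that leaves fewer free bytes than the padding needs also overruns when unchecked, which is why the check compares the padding against the remaining length rather than testing for zero.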

Vulnerable products and versions

CPE                                           From                  Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*  5.15.145 (including)  5.16 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*  6.1.71 (including)    6.2 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*  6.6 (including)       6.6.136 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*  6.7 (including)       6.12.84 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*  6.13 (including)      6.18.25 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*  6.19 (including)      7.0.2 (excluding)