CVE-2026-31709

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> smb: client: validate the whole DACL before rewriting it in cifsacl<br /> <br /> build_sec_desc() and id_mode_to_cifs_acl() derive a DACL pointer from a<br /> server-supplied dacloffset and then use the incoming ACL to rebuild the<br /> chmod/chown security descriptor.<br /> <br /> The original fix only checked that the struct smb_acl header fits before<br /> reading dacl_ptr-&gt;size or dacl_ptr-&gt;num_aces. That avoids the immediate<br /> header-field OOB read, but the rewrite helpers still walk ACEs based on<br /> pdacl-&gt;num_aces with no structural validation of the incoming DACL body.<br /> <br /> A malicious server can return a truncated DACL that still contains a<br /> header, claims one or more ACEs, and then drive<br /> replace_sids_and_copy_aces() or set_chmod_dacl() past the validated<br /> extent while they compare or copy attacker-controlled ACEs.<br /> <br /> Factor the DACL structural checks into validate_dacl(), extend them to<br /> validate each ACE against the DACL bounds, and use the shared validator<br /> before the chmod/chown rebuild paths. parse_dacl() reuses the same<br /> validator so the read-side parser and write-side rewrite paths agree on<br /> what constitutes a well-formed incoming DACL.