CVE-2026-31432 - Vulnerability Details

- ksmbd: fix OOB write in QUERY_INFO for compound requests

Description

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: fix OOB write in QUERY_INFO for compound requests

When a compound request such as READ + QUERY_INFO(Security) is received,
and the first command (READ) consumes most of the response buffer,
ksmbd could write beyond the allocated buffer while building a security
descriptor.

The root cause was that smb2_get_info_sec() checked buffer space using
ppntsd_size from xattr, while build_sec_desc() often synthesized a
significantly larger descriptor from POSIX ACLs.

This patch introduces smb_acl_sec_desc_scratch_len() to accurately
compute the final descriptor size beforehand, performs proper buffer
checking with smb2_calc_max_out_buf_len(), and uses exact-sized
allocation + iov pinning.

Published: 2026-04-22

Score: n/a

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A compound SMB request that performs a READ followed by a QUERY_INFO(Security) operation triggers a buffer overrun in the Linux ksmbd service. During this operation the kernel incorrectly calculates the size of the security descriptor and writes beyond the allocated buffer, creating a memory corruption condition. This flaw can be leveraged by an attacker to corrupt kernel memory, potentially escalating privileges to root. The vulnerability is rooted in an inaccurate buffer size check and improper allocation logic for synthesizing POSIX ACL descriptors.

Affected Systems

All Linux kernel releases that include the ksmbd SMB daemon and have not incorporated the patch from commit 075ea208c648cc2bcd616295b711d3637c61de45. Systems running SMB services via ksmbd with exposed interfaces to untrusted clients are affected.

Risk and Exploitability

The flaw can be exploited remotely over SMB traffic, allowing an attacker to overwrite kernel memory. No EPSS score or KEV listing is available, so public exploitation data is limited, but the presence of an out-of-bounds write in kernel space inherently represents a high severity risk. Attackers would need to deliver a crafted SMB compound request to a vulnerable host.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d`	affected	< d48c64fb80ad78b3dd29fb7d79b6ec7bd72bfc09
`e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d`	affected	< 075ea208c648cc2bcd616295b711d3637c61de45
`e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d`	affected	< 515c2daab46021221bdf406bef19bc90a44ec617
`e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d`	affected	< fda9522ed6afaec45cabc198d8492270c394c7bc
`f2283680a80571ca82d710bc6ecd8f8beac67d63`	affected	—
`9f297df20d93411c0b4ddad7f88ba04a7cd36e77`	affected	—

Linux

affected

Version	Status	Constraints
`6.6`	affected	—
`0`	unaffected	< 6.6
`6.12.81`	unaffected	≤ 6.12.*
`6.18.22`	unaffected	≤ 6.18.*
`6.19.12`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d,d48c64fb80ad78b3dd29fb7d79b6ec7bd72bfc09)`	affected	code_commit	—
`[e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d,075ea208c648cc2bcd616295b711d3637c61de45)`	affected	code_commit	—
`[e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d,515c2daab46021221bdf406bef19bc90a44ec617)`	affected	code_commit	—
`[e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d,fda9522ed6afaec45cabc198d8492270c394c7bc)`	affected	code_commit	—
`f2283680a80571ca82d710bc6ecd8f8beac67d63`	affected	code_commit	—
`9f297df20d93411c0b4ddad7f88ba04a7cd36e77`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`6.6`	affected	generic	—
`[0,6.6)`	unaffected	generic	—
`[6.12.81,6.13.0)`	unaffected	semver	—
`[6.18.22,6.19.0)`	unaffected	semver	—
`[6.19.12,6.20.0)`	unaffected	semver	—
`[0,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the Linux kernel to a version that includes the ksmbd out‑of‑bounds write fix (the patch commit addresses the buffer size error).
If an immediate kernel upgrade is not feasible, block or restrict SMB traffic from untrusted networks using firewall rules and deny SMB connections from unknown hosts.
If ksmbd is not required for business operations, disable the service or replace it with a non‑kernel SMB implementation that does not expose the vulnerable path.

Generated by OpenCVE AI on April 22, 2026 at 15:03 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00008.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/075ea208c648cc2bcd616295b711d3637c61de45
https://git.kernel.org/stable/c/515c2daab46021221bdf406bef19bc90a44ec617
https://git.kernel.org/stable/c/d48c64fb80ad78b3dd29fb7d79b6ec7bd72bfc09
https://git.kernel.org/stable/c/fda9522ed6afaec45cabc198d8492270c394c7bc
https://lore.kernel.org/linux-cve-announce/2026042216-CVE-2026-31432-e990@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-31432
https://www.cve.org/CVERecord?id=CVE-2026-31432

History

Wed, 22 Apr 2026 15:30:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-787

Wed, 22 Apr 2026 12:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-131
References		https://lore.kernel.org/linux-cve-announce/2026042216-CVE-2026-31432-e990@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-31432 https://www.cve.org/CVERecord?id=CVE-2026-31432

Wed, 22 Apr 2026 10:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-787

Wed, 22 Apr 2026 08:30:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix OOB write in QUERY_INFO for compound requests When a compound request such as READ + QUERY_INFO(Security) is received, and the first command (READ) consumes most of the response buffer, ksmbd could write beyond the allocated buffer while building a security descriptor. The root cause was that smb2_get_info_sec() checked buffer space using ppntsd_size from xattr, while build_sec_desc() often synthesized a significantly larger descriptor from POSIX ACLs. This patch introduces smb_acl_sec_desc_scratch_len() to accurately compute the final descriptor size beforehand, performs proper buffer checking with smb2_calc_max_out_buf_len(), and uses exact-sized allocation + iov pinning.
Title		ksmbd: fix OOB write in QUERY_INFO for compound requests
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/075ea208c648cc2bcd616295b711d3637c61de45 https://git.kernel.org/stable/c/515c2daab46021221bdf406bef19bc90a44ec617 https://git.kernel.org/stable/c/d48c64fb80ad78b3dd29fb7d79b6ec7bd72bfc09 https://git.kernel.org/stable/c/fda9522ed6afaec45cabc198d8492270c394c7bc

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-04-22T08:15:10.873Z

Updated: 2026-04-22T08:15:10.873Z

Reserved: 2026-03-09T15:48:24.089Z

Link: CVE-2026-31432

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-22T09:16:21.410

Modified: 2026-04-22T09:16:21.410

Link: CVE-2026-31432

Redhat

Severity :

Publid Date: 2026-04-22T00:00:00Z

Links: CVE-2026-31432 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-22T15:15:16Z

Weaknesses

CWE-131

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object