Description
In the Linux kernel, the following vulnerability has been resolved:

ksmbd: fix OOB write in QUERY_INFO for compound requests

When a compound request such as READ + QUERY_INFO(Security) is received,
and the first command (READ) consumes most of the response buffer,
ksmbd could write beyond the allocated buffer while building a security
descriptor.

The root cause was that smb2_get_info_sec() checked buffer space using
ppntsd_size from xattr, while build_sec_desc() often synthesized a
significantly larger descriptor from POSIX ACLs.

This patch introduces smb_acl_sec_desc_scratch_len() to accurately
compute the final descriptor size beforehand, performs proper buffer
checking with smb2_calc_max_out_buf_len(), and uses exact-sized
allocation + iov pinning.
Published: 2026-04-22
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Out-of-bounds write in kernel SMB daemon leading to potential memory corruption and privilege escalation
Action: Apply Patch
AI Analysis

Impact

A compound SMB request that performs a READ followed by a QUERY_INFO(Security) operation triggers a buffer overrun in the Linux ksmbd service. During this operation the kernel incorrectly calculates the size of the security descriptor and writes beyond the allocated buffer, creating a memory corruption condition. This flaw can be leveraged by an attacker to corrupt kernel memory, potentially escalating privileges to root. The vulnerability is rooted in an inaccurate buffer size check and improper allocation logic for synthesizing POSIX ACL descriptors.

Affected Systems

All Linux kernel releases that include the ksmbd SMB daemon and have not incorporated the patch from commit 075ea208c648cc2bcd616295b711d3637c61de45. Systems running SMB services via ksmbd with exposed interfaces to untrusted clients are affected.

Risk and Exploitability

The flaw can be exploited over SMB traffic, as a crafted SMB compound request could trigger the buffer overrun. This inference is based on the description of the vulnerability in the ksmbd service. The CVSS score is 8.8, classifying this vulnerability as High severity. The EPSS score is < 1% and the vulnerability is not listed in KEV, indicating a low probability of exploitation and no current known exploitation in the wild, but the presence of an out-of-bounds write in kernel space still represents a high severity risk.

Generated by OpenCVE AI on April 28, 2026 at 08:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that includes the ksmbd out‑of‑bounds write fix (the patch commit addresses the buffer size error).
  • If an immediate kernel upgrade is not feasible, block or restrict SMB traffic from untrusted networks using firewall rules and deny SMB connections from unknown hosts.
  • If ksmbd is not required for business operations, disable the service or replace it with a non‑kernel SMB implementation that does not expose the vulnerable path.

Generated by OpenCVE AI on April 28, 2026 at 08:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6238-1 linux security update
History

Thu, 21 May 2026 17:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-787
CPEs cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*

Mon, 27 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Wed, 22 Apr 2026 15:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-787

Wed, 22 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-131
References

Wed, 22 Apr 2026 10:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-787

Wed, 22 Apr 2026 08:30:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix OOB write in QUERY_INFO for compound requests When a compound request such as READ + QUERY_INFO(Security) is received, and the first command (READ) consumes most of the response buffer, ksmbd could write beyond the allocated buffer while building a security descriptor. The root cause was that smb2_get_info_sec() checked buffer space using ppntsd_size from xattr, while build_sec_desc() often synthesized a significantly larger descriptor from POSIX ACLs. This patch introduces smb_acl_sec_desc_scratch_len() to accurately compute the final descriptor size beforehand, performs proper buffer checking with smb2_calc_max_out_buf_len(), and uses exact-sized allocation + iov pinning.
Title ksmbd: fix OOB write in QUERY_INFO for compound requests
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:08:35.779Z

Reserved: 2026-03-09T15:48:24.089Z

Link: CVE-2026-31432

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-04-22T09:16:21.410

Modified: 2026-05-21T17:28:57.847

Link: CVE-2026-31432

cve-icon Redhat

Severity :

Publid Date: 2026-04-22T00:00:00Z

Links: CVE-2026-31432 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T08:30:13Z

Weaknesses