Description
In the Linux kernel, the following vulnerability has been resolved:

ksmbd: require 3 sub-authorities before reading sub_auth[2]

parse_dacl() compares each ACE SID against sid_unix_NFS_mode and on
match reads sid.sub_auth[2] as the file mode. If sid_unix_NFS_mode is
the prefix S-1-5-88-3 with num_subauth = 2 then compare_sids() compares
only min(num_subauth, 2) sub-authorities so a client SID with
num_subauth = 2 and sub_auth = {88, 3} will match.

If num_subauth = 2 and the ACE is placed at the very end of the security
descriptor, sub_auth[2] will be 4 bytes past end_of_acl. The
out-of-band bytes will then be masked to the low 9 bits and applied as
the file's POSIX mode, probably not something that is good to have
happen.

Fix this up by forcing the SID to actually carry a third sub-authority
before reading it at all.
Published: 2026-04-24
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The ksmbd component of the Linux kernel incorrectly processes the sub-authority array of a Security Identifier (SID) when parsing Access Control Lists. If a SID contains only two sub-authorities but matches the pattern S-1-5-88-3, the kernel reads sub_auth[2] beyond the end of the array. These out-of-bounds bytes are masked to the low nine bits and applied as the file's POSIX mode. In effect, a client can cause the server to set arbitrary read, write, or execute permissions on files exposed via SMB, allowing privilege manipulation on shared resources. The flaw is a classic out-of-bounds read (CWE-1285) that could lead to unintended permission changes.
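As an added illustration (not code from the kernel, the commit or the advisory), a C model of what the commit message and the Impact paragraph above describe: a prefix comparison that only looks at min(num_subauth, 2) sub-authorities, so a two-entry {88, 3} SID matches S-1-5-88-3, and the corrected reader that refuses to touch sub_auth[2] unless the SID really carries three sub-authorities. The wire_sid layout, the function names and the demo input are constructed assumptions, not ksmbd's own structures.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed, simplified wire layout of an SMB SID (not the kernel's struct). */
struct wire_sid {
    uint8_t revision, num_subauth, authority[6];
    uint32_t sub_auth[];   /* num_subauth entries follow on the wire */
} __attribute__((packed));

/* Prefix match for S-1-5-88-3 as the page describes it: only the first
 * min(num_subauth, 2) sub-authorities are compared, so {88, 3} alone matches. */
static int matches_nfs_mode_prefix(const struct wire_sid *sid)
{
    static const uint32_t prefix[2] = { 88, 3 };
    unsigned n = sid->num_subauth < 2 ? sid->num_subauth : 2;
    if (sid->revision != 1 || sid->authority[5] != 5)
        return 0;
    for (unsigned i = 0; i < n; i++)
        if (sid->sub_auth[i] != prefix[i])
            return 0;
    return 1;
}

/* The fix's check: read sub_auth[2] only when the SID really carries three
 * sub-authorities and that entry lies before end_of_acl. 0 + mode on success. */
static int read_nfs_mode(const struct wire_sid *sid, const uint8_t *end_of_acl,
                         unsigned int *mode)
{
    if (!matches_nfs_mode_prefix(sid) || sid->num_subauth < 3)
        return -1;                         /* the check CVE-2026-31611 lacked */
    if ((const uint8_t *)sid + offsetof(struct wire_sid, sub_auth) + 12 > end_of_acl)
        return -1;                         /* second guard: stay inside the ACL */
    *mode = sid->sub_auth[2] & 0777;       /* low 9 bits become the POSIX mode */
    return 0;
}

/* Constructed input: the same bytes read as a two-entry {88, 3} SID that ends at
 * end_of_acl (the advisory's layout), then as a three-entry SID; -1 if bug. */
static int demo(void)
{
    uint8_t buf[8 + 3 * sizeof(uint32_t)] = { 0 };
    struct wire_sid *sid = (struct wire_sid *)buf;
    unsigned int mode = 0;
    sid->revision = 1; sid->authority[5] = 5; sid->num_subauth = 2;
    sid->sub_auth[0] = 88; sid->sub_auth[1] = 3; sid->sub_auth[2] = 0100644;
    if (read_nfs_mode(sid, buf + 8 + 2 * sizeof(uint32_t), &mode) != -1)
        return -1;
    sid->num_subauth = 3;
    return read_nfs_mode(sid, buf + sizeof buf, &mode) == 0 ? (int)mode : -1;
}
```

With the short SID the reader returns -1 before any third entry is touched; only the three-entry SID yields a mode, here 0644.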

Affected Systems

Affected systems are all releases of the Linux kernel that include the ksmbd subsystem and have not yet incorporated the commit that enforces a three-sub-authority requirement. No specific version numbers are listed in the advisory, so the risk applies to any kernel build where the vulnerability remains unpatched. The advisory lists only the generic vendor product "Linux:Linux", indicating the issue is kernel-wide rather than restricted to a particular distribution.

Risk and Exploitability

The vulnerability receives a CVSS score of 8.6, indicating high potential impact, while the EPSS score of under 1 percent shows a low probability of widespread exploitation at present. The attack vector is most likely remote, originating from a malicious SMB client that crafts a specially formatted ACL entry; the exploitation requires the client to supply a SID with two sub-authorities matching the pattern S-1-5-88-3 and to place the entry at the end of the descriptor. The issue is not currently listed in CISA's KEV catalog, which suggests no confirmed, active exploitation.

Generated by OpenCVE AI on April 29, 2026 at 21:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the kernel to a version that includes the ksmbd fix (commit 08f9e6d8 or later).
  • Restrict SMB access to trusted clients or apply network segmentation to limit exposure of ksmbd.
  • Audit file permission changes on files served over SMB to detect unexpected mode modifications.

Advisories
Source: Debian DSA
ID: DSA-6238-1
Title: linux security update
History

Wed, 29 Apr 2026 17:00:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo

Mon, 27 Apr 2026 15:00:00 +0000

Metrics (cvssV3_1): score 8.6, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H


Mon, 27 Apr 2026 14:15:00 +0000


Mon, 27 Apr 2026 11:30:00 +0000


Sat, 25 Apr 2026 00:15:00 +0000


Fri, 24 Apr 2026 15:00:00 +0000

Values Added:
Description: (the advisory text shown in the Description section above)
Title: ksmbd: require 3 sub-authorities before reading sub_auth[2]
First Time appeared: Linux; Linux linux Kernel
CPEs: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products: Linux; Linux linux Kernel
MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:12:09.434Z

Reserved: 2026-03-09T15:48:24.122Z

Link: CVE-2026-31611

Vulnrichment

No data.

NVD

Status: Analyzed

Published: 2026-04-24T15:16:40.360

Modified: 2026-04-29T16:56:48.940

Link: CVE-2026-31611

Redhat

Severity:

Public Date: 2026-04-24T00:00:00Z

Links: CVE-2026-31611 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-29T21:45:20Z