CVE-2026-31612 - Vulnerability Details

- ksmbd: validate EaNameLength in smb2_get_ea()

Description

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: validate EaNameLength in smb2_get_ea()

smb2_get_ea() reads ea_req->EaNameLength from the client request and
passes it directly to strncmp() as the comparison length without
verifying that the length of the name really is the size of the input
buffer received.

Fix this up by properly checking the size of the name based on the value
received and the overall size of the request, to prevent a later
strncmp() call to use the length as a "trusted" size of the buffer.
Without this check, uninitialized heap values might be slowly leaked to
the client.

Published: 2026-04-24

Score: 7.5 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability originates in the ksmbd component of the Linux kernel, where a malformed SMB2 Extended Attribute (EA) request can cause the kernel to read the EaNameLength field directly as the comparison length for a strncmp() operation without verifying that the length is valid for the received buffer. This flaw can allow uninitialized heap data to be gradually leaked to the client through the flawed comparison, potentially exposing sensitive information.

Affected Systems

All Linux kernel variants that include ksmbd (the SMB server implementation) and have not yet incorporated the bundle of fixes that validate EaNameLength are affected. Specific version numbers are not disclosed in the CVE entry, so any kernel release prior to the patch should be considered vulnerable.

Risk and Exploitability

The severity score of 7.5 on the CVSS scale indicates a high impact, while the EPSS score of less than 1% suggests a low probability of widespread exploitation at this time. The vulnerability is not listed in the CISA KEV catalog, further indicating limited known exploitation. A remote attacker who can reach the SMB service can send a crafted request to trigger the flaw, exploiting the lack of bound checking and potentially leaking confidential data. The attack vector is inferred to be network‑based, requiring only SMB protocol access from the client side.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9`	affected	< 859f11e1bc81a4d32bb3ceeae54bcd296ac675d3
`e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9`	affected	< 4b73376feecb3b61172fe5b4ff42bbbb8531669d
`e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9`	affected	< 551dfb15b182abad4600eaf7b37e6eb7000d5b1b
`e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9`	affected	< 3363a770b193f555f29d76ddf4ced3305c0ccf6d
`e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9`	affected	< 243b206bcb5a7137e8bddd57b2eec81e1ebd3859
`e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9`	affected	< dfc6878d14acafffbe670bf2576620757a10a3d8
`e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9`	affected	< 66751841212c2cc196577453c37f7774ff363f02

Linux

affected

Version	Status	Constraints
`5.15`	affected	—
`0`	unaffected	< 5.15
`6.1.175`	unaffected	≤ 6.1.*
`6.6.136`	unaffected	≤ 6.6.*
`6.12.83`	unaffected	≤ 6.12.*
`6.18.24`	unaffected	≤ 6.18.*
`6.19.14`	unaffected	≤ 6.19.*
`7.0.1`	unaffected	≤ 7.0.*
`7.1-rc1`	unaffected	≤ *

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9,4b73376feecb3b61172fe5b4ff42bbbb8531669d)`	affected	code_commit	—
`[e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9,551dfb15b182abad4600eaf7b37e6eb7000d5b1b)`	affected	code_commit	—
`[e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9,3363a770b193f555f29d76ddf4ced3305c0ccf6d)`	affected	code_commit	—
`[e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9,243b206bcb5a7137e8bddd57b2eec81e1ebd3859)`	affected	code_commit	—
`[e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9,dfc6878d14acafffbe670bf2576620757a10a3d8)`	affected	code_commit	—
`[e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9,66751841212c2cc196577453c37f7774ff363f02)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`5.15`	affected	generic	—
`[0,5.15)`	unaffected	generic	—
`[6.6.136,6.7.0)`	unaffected	semver	—
`[6.12.83,6.13.0)`	unaffected	semver	—
`[6.18.24,6.19.0)`	unaffected	semver	—
`[6.19.14,6.20.0)`	unaffected	semver	—
`[7.0.1,7.1.0)`	unaffected	semver	—
`[7.1-rc1,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the Linux kernel to the latest release that includes the ksmbd EaNameLength validation fix.
If kernel upgrade is not immediately feasible, disable the ksmbd SMB service or limit it to trusted networks only.
Block external SMB traffic (TCP port 445) with a firewall until the patch is applied.

Generated by OpenCVE AI on April 29, 2026 at 21:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DSA	DSA-6238-1	linux security update

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00051.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/243b206bcb5a7137e8bddd57b2eec81e1ebd3859
https://git.kernel.org/stable/c/3363a770b193f555f29d76ddf4ced3305c0ccf6d
https://git.kernel.org/stable/c/4b73376feecb3b61172fe5b4ff42bbbb8531669d
https://git.kernel.org/stable/c/551dfb15b182abad4600eaf7b37e6eb7000d5b1b
https://git.kernel.org/stable/c/66751841212c2cc196577453c37f7774ff363f02
https://git.kernel.org/stable/c/859f11e1bc81a4d32bb3ceeae54bcd296ac675d3
https://git.kernel.org/stable/c/dfc6878d14acafffbe670bf2576620757a10a3d8
https://lore.kernel.org/linux-cve-announce/2026042422-CVE-2026-31612-24a7@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-31612
https://www.cve.org/CVERecord?id=CVE-2026-31612

History

Mon, 01 Jun 2026 17:00:00 +0000

Type	Values Removed	Values Added
References		https://git.kernel.org/stable/c/859f11e1bc81a4d32bb3ceeae54bcd296ac675d3

Wed, 29 Apr 2026 17:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		NVD-CWE-noinfo

Mon, 27 Apr 2026 15:00:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}`

Mon, 27 Apr 2026 14:15:00 +0000

Type	Values Removed	Values Added
References		https://git.kernel.org/stable/c/4b73376feecb3b61172fe5b4ff42bbbb8531669d

Mon, 27 Apr 2026 11:30:00 +0000

Type	Values Removed	Values Added
References		https://git.kernel.org/stable/c/66751841212c2cc196577453c37f7774ff363f02

Sat, 25 Apr 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-130
References		https://lore.kernel.org/linux-cve-announce/2026042422-CVE-2026-31612-24a7@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-31612 https://www.cve.org/CVERecord?id=CVE-2026-31612

Fri, 24 Apr 2026 15:00:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: ksmbd: validate EaNameLength in smb2_get_ea() smb2_get_ea() reads ea_req->EaNameLength from the client request and passes it directly to strncmp() as the comparison length without verifying that the length of the name really is the size of the input buffer received. Fix this up by properly checking the size of the name based on the value received and the overall size of the request, to prevent a later strncmp() call to use the length as a "trusted" size of the buffer. Without this check, uninitialized heap values might be slowly leaked to the client.
Title		ksmbd: validate EaNameLength in smb2_get_ea()
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/243b206bcb5a7137e8bddd57b2eec81e1ebd3859 https://git.kernel.org/stable/c/3363a770b193f555f29d76ddf4ced3305c0ccf6d https://git.kernel.org/stable/c/551dfb15b182abad4600eaf7b37e6eb7000d5b1b https://git.kernel.org/stable/c/dfc6878d14acafffbe670bf2576620757a10a3d8

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-04-24T14:42:32.760Z

Updated: 2026-06-01T16:12:33.890Z

Reserved: 2026-03-09T15:48:24.123Z

Link: CVE-2026-31612

Vulnrichment

No data.

NVD

Status : Modified

Published: 2026-04-24T15:16:40.460

Modified: 2026-06-01T17:16:51.730

Link: CVE-2026-31612

Redhat

Severity :

Publid Date: 2026-04-24T00:00:00Z

Links: CVE-2026-31612 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-29T21:45:20Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object