Description
In the Linux kernel, the following vulnerability has been resolved:

smb: client: fix OOB reads parsing symlink error response

When a CREATE returns STATUS_STOPPED_ON_SYMLINK, smb2_check_message()
returns success without any length validation, leaving the symlink
parsers as the only defense against an untrusted server.

symlink_data() walks SMB 3.1.1 error contexts with the loop test "p <
end", but reads p->ErrorId at offset 4 and p->ErrorDataLength at offset
0. When the server-controlled ErrorDataLength advances p to within 1-7
bytes of end, the next iteration will read past it. When the matching
context is found, sym->SymLinkErrorTag is read at offset 4 from
p->ErrorContextData with no check that the symlink header itself fits.

smb2_parse_symlink_response() then bounds-checks the substitute name
using SMB2_SYMLINK_STRUCT_SIZE as the offset of PathBuffer from
iov_base. That value is computed as sizeof(smb2_err_rsp) +
sizeof(smb2_symlink_err_rsp), which is correct only when
ErrorContextCount == 0.

With at least one error context the symlink data sits 8 bytes deeper,
and each skipped non-matching context shifts it further by 8 +
ALIGN(ErrorDataLength, 8). The check is too short, allowing the
substitute name read to run past iov_len. The out-of-bound heap bytes
are UTF-16-decoded into the symlink target and returned to userspace via
readlink(2).

Fix this all up by making the loops test require the full context header
to fit, rejecting sym if its header runs past end, and bound the
substitute name against the actual position of sym->PathBuffer rather
than a fixed offset.

Because sub_offs and sub_len are 16bits, the pointer math will not
overflow here with the new greater-than.
Published: 2026-04-24
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Data Disclosure via Out‑of‑Bounds Read
Action: Immediate Patch
AI Analysis

Impact

The Linux kernel SMB client contained an out‑of‑bounds read that occurs when parsing a symlink error response containing a STATUS_STOPPED_ON_SYMLINK code. The vulnerability arises because the parser advances the pointer without verifying that the entire context header and substitute name fit within the supplied buffer, allowing memory beyond the end of the input buffer to be read and returned to the caller via readlink(2). This allows an attacker to read arbitrary kernel heap data, potentially leaking sensitive information or influencing the client process, and corresponds to CWE‑125.

Affected Systems

The flaw exists in all Linux kernel builds that include the default SMB client before the patch released on 24 April 2026. No specific affected version list is provided, so any kernel containing the affected code is susceptible; the CNA data lists Linux as the impacted vendor.

Risk and Exploitability

The CVSS score of 8.1 indicates a high‑severity condition, while the EPSS score of less than 1 % suggests that, as of now, exploitation is unlikely to be widespread. The vulnerability is not included in the CISA KEV catalog. Attackers would need to control an SMB server or trick a Linux client into requesting a symlink operation with a maliciously crafted error response; if such a server is reachable from the client, the out‑of‑bounds read can be triggered and data can be exfiltrated.

Generated by OpenCVE AI on April 28, 2026 at 06:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to the latest patched Linux kernel that incorporates the fix for CVE‑2026‑31613.
  • If a kernel update is not immediately feasible, block SMB traffic from untrusted networks and restrict the use of SMB client functionality.
  • Verify that no legacy SMB client code remains in the system and remove or disable unused SMB utilities.

Generated by OpenCVE AI on April 28, 2026 at 06:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 23 May 2026 11:45:00 +0000

Type Values Removed Values Added
References

Mon, 27 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H'}

Mon, 27 Apr 2026 11:30:00 +0000

Type Values Removed Values Added
References

Sat, 25 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-125
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Important

Fri, 24 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: smb: client: fix OOB reads parsing symlink error response When a CREATE returns STATUS_STOPPED_ON_SYMLINK, smb2_check_message() returns success without any length validation, leaving the symlink parsers as the only defense against an untrusted server. symlink_data() walks SMB 3.1.1 error contexts with the loop test "p < end", but reads p->ErrorId at offset 4 and p->ErrorDataLength at offset 0. When the server-controlled ErrorDataLength advances p to within 1-7 bytes of end, the next iteration will read past it. When the matching context is found, sym->SymLinkErrorTag is read at offset 4 from p->ErrorContextData with no check that the symlink header itself fits. smb2_parse_symlink_response() then bounds-checks the substitute name using SMB2_SYMLINK_STRUCT_SIZE as the offset of PathBuffer from iov_base. That value is computed as sizeof(smb2_err_rsp) + sizeof(smb2_symlink_err_rsp), which is correct only when ErrorContextCount == 0. With at least one error context the symlink data sits 8 bytes deeper, and each skipped non-matching context shifts it further by 8 + ALIGN(ErrorDataLength, 8). The check is too short, allowing the substitute name read to run past iov_len. The out-of-bound heap bytes are UTF-16-decoded into the symlink target and returned to userspace via readlink(2). Fix this all up by making the loops test require the full context header to fit, rejecting sym if its header runs past end, and bound the substitute name against the actual position of sym->PathBuffer rather than a fixed offset. Because sub_offs and sub_len are 16bits, the pointer math will not overflow here with the new greater-than.
Title smb: client: fix OOB reads parsing symlink error response
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-23T11:25:53.977Z

Reserved: 2026-03-09T15:48:24.123Z

Link: CVE-2026-31613

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-04-24T15:16:40.560

Modified: 2026-04-28T15:13:18.267

Link: CVE-2026-31613

cve-icon Redhat

Severity : Important

Publid Date: 2026-04-24T00:00:00Z

Links: CVE-2026-31613 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T06:30:24Z

Weaknesses