Description
In the Linux kernel, the following vulnerability has been resolved:

smb: client: fix off-by-8 bounds check in check_wsl_eas()

The bounds check uses (u8 *)ea + nlen + 1 + vlen as the end of the EA
name and value, but ea_data sits at offset sizeof(struct
smb2_file_full_ea_info) = 8 from ea, not at offset 0. The strncmp()
later reads ea->ea_data[0..nlen-1] and the value bytes follow at
ea_data[nlen+1..nlen+vlen], so the actual end is ea->ea_data + nlen + 1
+ vlen. Isn't pointer math fun?

The earlier check (u8 *)ea > end - sizeof(*ea) only guarantees the
8-byte header is in bounds, but since the last EA is placed within 8
bytes of the end of the response, the name and value bytes are read past
the end of iov.

Fix this mess all up by using ea->ea_data as the base for the bounds
check.

An "untrusted" server can use this to leak up to 8 bytes of kernel heap
into the EA name comparison and influence which WSL xattr the data is
interpreted as.
Published: 2026-04-24
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is in the Linux kernel SMB client's check_wsl_eas(), which validates the extended attributes (EAs) a server returns for WSL-style reparse points. The bounds check computes the end of an EA's name and value from the start of the 8-byte EA header rather than from ea_data, where the name actually begins. An entry whose header ends within the last 8 bytes of the response therefore passes the check, and the strncmp() on the name and the value parsing that follow read up to 8 bytes past the end of the receive buffer: an out-of-bounds read (CWE-125), not an under-read. The commit message describes the effect as up to 8 bytes of kernel heap flowing into the EA name comparison, so a malicious server can influence which WSL xattr the value is interpreted as; it does not describe a path that returns those bytes to the server. The recorded CVSS vector nevertheless rates both confidentiality and availability impact as high (C:H/A:H), and any heap disclosure could aid further exploitation.
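The arithmetic the commit message describes, as an added example that is not kernel code and not from this page: a struct with the same 8-byte header layout as smb2_file_full_ea_info (next_entry_offset, flags, ea_name_length, ea_value_length, then ea_data), the pre-fix check using (u8 *)ea as its base, the post-fix check using ea->ea_data, and a constructed single-EA response truncated to iov_len bytes so the two disagree. The EA name "$LXUID", the uid value and the helper names are illustrative choices, not taken from the advisory.

```c
/* Added example (not kernel code): models the check_wsl_eas() bounds
 * check before and after the fix on a constructed SMB2 EA response.
 * Assumptions: the struct below has the same 8-byte header layout as
 * smb2_file_full_ea_info; the EA name "$LXUID" is illustrative only. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct ea_hdr {                  /* sizeof == 8, so ea_data is at offset 8 */
    uint32_t next_entry_offset;
    uint8_t  flags;
    uint8_t  ea_name_length;     /* nlen: name bytes, excluding the NUL */
    uint16_t ea_value_length;    /* vlen (host-endian here; LE on the wire) */
    uint8_t  ea_data[];          /* name, NUL, then value */
};

/* The kernel's earlier check: the 8-byte header itself must fit. */
static int header_fits(const struct ea_hdr *ea, const uint8_t *end)
{
    return (size_t)(end - (const uint8_t *)ea) >= sizeof *ea;
}

/* Pre-fix arithmetic: (u8 *)ea as the base, 8 bytes short of ea_data. */
static int ea_in_bounds_old(const struct ea_hdr *ea, const uint8_t *end)
{
    size_t nlen = ea->ea_name_length, vlen = ea->ea_value_length;
    return header_fits(ea, end) && (const uint8_t *)ea + nlen + 1 + vlen <= end;
}

/* Post-fix arithmetic: ea->ea_data as the base, where the name starts. */
static int ea_in_bounds_new(const struct ea_hdr *ea, const uint8_t *end)
{
    size_t nlen = ea->ea_name_length, vlen = ea->ea_value_length;
    return header_fits(ea, end) && ea->ea_data + nlen + 1 + vlen <= end;
}

/* Bytes past `end` that strncmp() on the name and the value copy would
 * touch if the entry were accepted: the last byte read is ea_data[nlen+vlen]. */
static long overread_bytes(const struct ea_hdr *ea, const uint8_t *end)
{
    const uint8_t *last = ea->ea_data + ea->ea_name_length + 1 + ea->ea_value_length;
    return last > end ? (long)(last - end) : 0;
}

/* Serialize one EA into buf; returns its wire length (0 if it won't fit). */
static size_t build_ea(uint8_t *buf, size_t cap, const char *name,
                       const void *val, uint16_t vlen)
{
    size_t nlen = strlen(name), total = sizeof(struct ea_hdr) + nlen + 1 + vlen;
    struct ea_hdr *ea = (struct ea_hdr *)buf;
    if (nlen > 255 || total > cap)
        return 0;
    memset(ea, 0, sizeof *ea);
    ea->ea_name_length = (uint8_t)nlen;
    ea->ea_value_length = vlen;
    memcpy(ea->ea_data, name, nlen + 1);          /* name plus its NUL */
    memcpy(ea->ea_data + nlen + 1, val, vlen);    /* value follows */
    return total;
}

struct verdict { int old_ok, new_ok; long overread; };

/* Constructed response: one "$LXUID" EA (8 + 6 + 1 + 4 = 19 bytes) of
 * which only iov_len bytes were "received"; end marks the iov boundary.
 * overread is reported only when the old check would let the read happen. */
static struct verdict check_truncated(size_t iov_len)
{
    uint64_t raw[8];                               /* 64 bytes, 8-aligned */
    uint8_t *buf = (uint8_t *)raw;
    uint32_t uid = 1000;
    size_t full = build_ea(buf, sizeof raw, "$LXUID", &uid, sizeof uid);
    const struct ea_hdr *ea = (const struct ea_hdr *)buf;
    const uint8_t *end = buf + (iov_len < full ? iov_len : full);
    struct verdict v;
    v.old_ok = ea_in_bounds_old(ea, end);
    v.new_ok = ea_in_bounds_new(ea, end);
    v.overread = v.old_ok ? overread_bytes(ea, end) : 0;
    return v;
}

int main(void)
{
    for (size_t len = 8; len <= 19; len++) {
        struct verdict v = check_truncated(len);
        printf("iov_len=%2zu  old_check=%s  fixed_check=%s  bytes_read_past_iov=%ld\n",
               len, v.old_ok ? "accept" : "reject",
               v.new_ok ? "accept" : "reject", v.overread);
    }
    return 0;
}
```

Running it prints one line per truncation length. For iov_len 11 through 18 the old check accepts the entry while the corrected one rejects it, and the read past the iov boundary shrinks from 8 bytes to 1; the 8-byte maximum is exactly the header size the old base pointer ignored. Below 11 both checks reject, and at 19 (the complete entry) both accept with nothing read out of bounds.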

Affected Systems

Any Linux system that mounts SMB/CIFS shares with the in-kernel client (the cifs module) is potentially affected; a host that never loads that module has no reachable code path. The flawed check sits in the generic SMB client code rather than in a vendor-specific component, and the record lists only a wildcard CPE (cpe:2.3:o:linux:linux_kernel:*), so every kernel release that carries check_wsl_eas() without the fixing commit should be treated as vulnerable. Distribution kernels may backport the fix without changing the upstream version number, so check the vendor advisory (Debian DSA-6238-1 is listed below) rather than the version string alone.

Risk and Exploitability

The CVSS 3.1 score of 7.1 (High; vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H) reflects an information-disclosure bug that can also take the host down. The EPSS score below 1% indicates that exploitation is currently expected to be rare, the vulnerability is not in the CISA KEV catalogue, and Red Hat rates it Moderate. The practical attack path is a malicious or compromised SMB server (the commit message's "untrusted" server) returning crafted EA data to a client that connects to it, so the server side needs no credentials on the victim. Note, though, that the recorded vector scores the issue as local (AV:L) with low privileges required (PR:L): the attacker cannot reach the parsing code over the network unaided; someone on the victim must mount or access a share on the attacker's server. An earlier vector of AC:H with I:H (score 7.0), recorded on 25 April, was revised to the current one on 29 April.

Generated by OpenCVE AI on April 29, 2026 at 21:36 UTC.

Remediation

The record's remediation field is empty, but the fix exists: the upstream kernel commit referenced in the description (which states the vulnerability "has been resolved"), and Debian has issued DSA-6238-1 for this CVE (see Advisories below).

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that includes the commit referenced in the CVE advisory, or a distribution kernel that backports it (for example the one in Debian DSA-6238-1), which corrects the bounds check in check_wsl_eas().
  • If a kernel update is not immediately available, restrict outbound SMB connections (TCP 445) from the host to servers you control. The malicious party here is the server the client talks to, so egress filtering and an allow-list of mount targets, not inbound firewall rules, are the relevant controls.
  • If the SMB client is not required, keep the cifs kernel module from loading (for example with a modprobe blacklist entry) so the parsing code is never reachable. The advisory names no mount option that disables WSL EA parsing, so do not rely on xattr-related mount options as a mitigation.

Generated by OpenCVE AI on April 29, 2026 at 21:36 UTC.

Advisories
Source      ID          Title
Debian DSA  DSA-6238-1  linux security update
History

Wed, 29 Apr 2026 18:15:00 +0000

Type: Metrics
  Values Removed: cvssV3_1 {'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}
  Values Added:   cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H'}


Mon, 27 Apr 2026 14:15:00 +0000


Mon, 27 Apr 2026 11:30:00 +0000


Sat, 25 Apr 2026 00:15:00 +0000

Type: Weaknesses
  Values Added:   CWE-125
Type: References
Type: Metrics
  Values Removed: threat_severity None
  Values Added:   cvssV3_1 {'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}
                  threat_severity Moderate


Fri, 24 Apr 2026 15:00:00 +0000

Type: Description
  Values Added:   the commit-message text shown under Description at the top of this page
Type: Title
  Values Added:   smb: client: fix off-by-8 bounds check in check_wsl_eas()
Type: First Time appeared
  Values Added:   Linux; Linux linux Kernel
Type: CPEs
  Values Added:   cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Type: Vendors & Products
  Values Added:   Linux; Linux linux Kernel
Type: References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-23T16:05:35.541Z

Reserved: 2026-03-09T15:48:24.123Z

Link: CVE-2026-31614

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-04-24T15:16:40.663

Modified: 2026-04-29T18:03:40.233

Link: CVE-2026-31614

Redhat

Severity : Moderate

Public Date: 2026-04-24T00:00:00Z

Links: CVE-2026-31614 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-29T21:45:20Z

Weaknesses