Description
In the Linux kernel, the following vulnerability has been resolved:

ksmbd: use check_add_overflow() to prevent u16 DACL size overflow

set_posix_acl_entries_dacl() and set_ntacl_dacl() accumulate ACE sizes
in u16 variables. When a file has many POSIX ACL entries, the
accumulated size can wrap past 65535, causing the pointer arithmetic
(char *)pndace + *size to land within already-written ACEs. Subsequent
writes then overwrite earlier entries, and pndacl->size gets a
truncated value.

Use check_add_overflow() at each accumulation point to detect the
wrap before it corrupts the buffer, consistent with existing
check_mul_overflow() usage elsewhere in smbacl.c.
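Added example, not code from the kernel tree: a userland model of the u16 accumulation described above, showing the unchecked pattern beside the check_add_overflow() form the fix adopts. The ACE count and per-ACE size are constructed, and the kernel macro is stood in for by the compiler's __builtin_add_overflow().

```c
/* Added example, not from the kernel tree: models the u16 ACE-size
 * accumulation in set_posix_acl_entries_dacl()/set_ntacl_dacl() in
 * userland. The ACE count and per-ACE size below are constructed. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Userland stand-in for the kernel's check_add_overflow(): evaluates
 * a + b, stores it in *d and returns non-zero if it did not fit. */
#define check_add_overflow(a, b, d) __builtin_add_overflow((a), (b), (d))

/* Pre-fix pattern: a u16 running total silently wraps past 65535, so
 * (char *)pndace + size would point back into ACEs already written. */
static uint16_t dacl_size_unchecked(size_t n_aces, uint16_t ace_len)
{
	uint16_t size = 0;

	while (n_aces--)
		size += ace_len;	/* modulo-65536 wrap, no error */
	return size;
}

/* Fixed pattern: check at every accumulation point and bail out before
 * the wrapped value is used for pointer arithmetic. Returns the total
 * (0..65535) on success or -EINVAL once an addition would overflow. */
static int dacl_size_checked(size_t n_aces, uint16_t ace_len)
{
	uint16_t size = 0;

	while (n_aces--) {
		if (check_add_overflow(size, ace_len, &size))
			return -EINVAL;
	}
	return size;
}

int main(void)
{
	/* Constructed: 2000 ACEs of 36 bytes = 72000 bytes, beyond u16. */
	size_t n = 2000;
	uint16_t len = 36;

	printf("true total: %zu bytes\n", n * len);
	printf("unchecked u16 total: %u (wrapped)\n", dacl_size_unchecked(n, len));
	printf("checked result: %d (-EINVAL is %d)\n", dacl_size_checked(n, len), -EINVAL);
	return 0;
}
```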
Published: 2026-05-01
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The ksmbd component in the Linux kernel aggregates the sizes of POSIX and NT access control entries in unsigned 16-bit counters. If a file contains many ACL entries the accumulated size can wrap past 65535. The subsequent pointer arithmetic then points into a region of the buffer that has already been written, causing overwrites that corrupt earlier entries and truncate the ACL size field. This integrity violation in a kernel data structure can subvert permission checks or inject malicious data, allowing an attacker to elevate privileges or execute code at kernel level.

Affected Systems

All Linux kernel releases that include the ksmbd SMB server component are potentially affected until the patch commits are applied. The fix was introduced in commit 299f962c0b02d048fb45d248b4da493d03f3175d, so any kernel older than that is vulnerable.

Risk and Exploitability

An attacker with network access to a ksmbd-enabled SMB service can send crafted ACL entries to trigger the integer overflow. Because the error occurs in kernel space, successful exploitation can lead to privilege escalation or arbitrary code execution. The EPSS score is not available and the vulnerability is not listed in CISA's KEV catalog; no CVSS score was supplied, but kernel-level impact indicates high severity. The attack requires only the ability to influence ACL creation over SMB, with no local privilege escalation prerequisite.

Generated by OpenCVE AI on May 2, 2026 at 10:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that includes the commit 299f962c0b02d048fb45d248b4da493d03f3175d or later, which implements the overflow check.
  • If an immediate kernel upgrade is not possible, disable the ksmbd SMB service or restrict its operation to trusted networks only.
  • Use firewall rules or network segmentation to block or limit SMB traffic from untrusted hosts to reduce exposure while the kernel is upgraded.

Advisories

No advisories yet.

History

Sat, 02 May 2026 00:15:00 +0000


Fri, 01 May 2026 14:15:00 +0000

Values added (no values removed):
  • Description: the text shown in the Description section above
  • Title: ksmbd: use check_add_overflow() to prevent u16 DACL size overflow
  • First Time appeared: Linux; Linux linux Kernel
  • CPEs: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
  • Vendors & Products: Linux; Linux linux Kernel
  • References: (none listed)

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-01T13:56:03.243Z

Reserved: 2026-03-09T15:48:24.132Z

Link: CVE-2026-31704

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-05-01T14:16:20.367

Modified: 2026-05-01T15:24:14.893

Link: CVE-2026-31704

Redhat

Severity:

Public Date: 2026-05-01T00:00:00Z

Links: CVE-2026-31704 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-01T22:15:27Z

Weaknesses