CVE-2026-31704 - Vulnerability Details

- ksmbd: use check_add_overflow() to prevent u16 DACL size overflow

Description

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: use check_add_overflow() to prevent u16 DACL size overflow

set_posix_acl_entries_dacl() and set_ntacl_dacl() accumulate ACE sizes
in u16 variables. When a file has many POSIX ACL entries, the
accumulated size can wrap past 65535, causing the pointer arithmetic
(char *)pndace + *size to land within already-written ACEs. Subsequent
writes then overwrite earlier entries, and pndacl->size gets a
truncated value.

Use check_add_overflow() at each accumulation point to detect the
wrap before it corrupts the buffer, consistent with existing
check_mul_overflow() usage elsewhere in smbacl.c.

Published: 2026-05-01

Score: 5.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The Linux kernel’s ksmbd SMB server component calculates the size of access control entries in unsigned 16‑bit counters. When a file contains many POSIX or NT ACL entries, the accumulated size can wrap beyond 65535, causing pointer arithmetic to address memory inside an already‑written block. The subsequent writes overwrite earlier entries and truncate the ACL size field, resulting in corruption of kernel data structures that hold permissions. The weakness is identified as an integer overflow (CWE‑190).

Affected Systems

All Linux kernels that include the ksmbd service are potentially affected until the fix is applied. The vulnerability was addressed with commit 299f962c0b02d048fb45d248b4da493d03f3175d; any kernel version prior to that commit is vulnerable.

Risk and Exploitability

An attacker who can control ACL entries sent over SMB can trigger this overflow. Successful exploitation could corrupt kernel memory, potentially undermining access checks. The CVSS score of 5.5 indicates medium severity, the EPSS score of less than 1% suggests a low likelihood of exploitation, and the vulnerability is not listed in CISA KEV. The attack requires only network access to a ksmbd‑enabled SMB service and does not rely on local privilege escalation prerequisites.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9`	affected	< 8d5729350b236896f51379588d9a690b7fafb8db
`e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9`	affected	< e1955a94b6f17f4b058afa955a6f187eb3ed7615
`e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9`	affected	< 5e7b8f3c539d69b2ed5f2408e2f75e68ce7eef43
`e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9`	affected	< ef7902be3f215b6bf7babe4dc9dd9a7d57dad7a7
`e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9`	affected	< 299f962c0b02d048fb45d248b4da493d03f3175d

Linux

affected

Version	Status	Constraints
`5.15`	affected	—
`0`	unaffected	< 5.15
`6.6.136`	unaffected	≤ 6.6.*
`6.12.84`	unaffected	≤ 6.12.*
`6.18.25`	unaffected	≤ 6.18.*
`7.0.2`	unaffected	≤ 7.0.*
`7.1-rc1`	unaffected	≤ *

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9,8d5729350b236896f51379588d9a690b7fafb8db)`	affected	code_commit	—
`[e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9,e1955a94b6f17f4b058afa955a6f187eb3ed7615)`	affected	code_commit	—
`[e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9,5e7b8f3c539d69b2ed5f2408e2f75e68ce7eef43)`	affected	code_commit	—
`[e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9,ef7902be3f215b6bf7babe4dc9dd9a7d57dad7a7)`	affected	code_commit	—
`[e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9,299f962c0b02d048fb45d248b4da493d03f3175d)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`5.15`	affected	generic	—
`[0,5.15)`	unaffected	semver	—
`[6.6.136,6.7.0)`	unaffected	semver	—
`[6.12.84,6.13.0)`	unaffected	semver	—
`[6.18.25,6.19.0)`	unaffected	semver	—
`[7.0.2,7.1.0)`	unaffected	semver	—
`7.1-rc1`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the Linux kernel to a release that includes commit 299f962c0b02d048fb45d248b4da493d03f3175d or later.
If an immediate kernel upgrade is not feasible, disable the ksmbd service or limit it to trusted internal networks.
Implement firewall rules or network segmentation to block SMB traffic from untrusted hosts while the kernel is patched.

Generated by OpenCVE AI on May 6, 2026 at 23:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00013.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/299f962c0b02d048fb45d248b4da493d03f3175d
https://git.kernel.org/stable/c/5e7b8f3c539d69b2ed5f2408e2f75e68ce7eef43
https://git.kernel.org/stable/c/8d5729350b236896f51379588d9a690b7fafb8db
https://git.kernel.org/stable/c/e1955a94b6f17f4b058afa955a6f187eb3ed7615
https://git.kernel.org/stable/c/ef7902be3f215b6bf7babe4dc9dd9a7d57dad7a7
https://lore.kernel.org/linux-cve-announce/2026050120-CVE-2026-31704-1144@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-31704
https://www.cve.org/CVERecord?id=CVE-2026-31704

History

Wed, 06 May 2026 21:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		NVD-CWE-noinfo
Metrics		cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}`

Sat, 02 May 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-190
References		https://lore.kernel.org/linux-cve-announce/2026050120-CVE-2026-31704-1144@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-31704 https://www.cve.org/CVERecord?id=CVE-2026-31704

Fri, 01 May 2026 14:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: ksmbd: use check_add_overflow() to prevent u16 DACL size overflow set_posix_acl_entries_dacl() and set_ntacl_dacl() accumulate ACE sizes in u16 variables. When a file has many POSIX ACL entries, the accumulated size can wrap past 65535, causing the pointer arithmetic (char )pndace + size to land within already-written ACEs. Subsequent writes then overwrite earlier entries, and pndacl->size gets a truncated value. Use check_add_overflow() at each accumulation point to detect the wrap before it corrupts the buffer, consistent with existing check_mul_overflow() usage elsewhere in smbacl.c.
Title		ksmbd: use check_add_overflow() to prevent u16 DACL size overflow
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/299f962c0b02d048fb45d248b4da493d03f3175d https://git.kernel.org/stable/c/5e7b8f3c539d69b2ed5f2408e2f75e68ce7eef43 https://git.kernel.org/stable/c/8d5729350b236896f51379588d9a690b7fafb8db https://git.kernel.org/stable/c/e1955a94b6f17f4b058afa955a6f187eb3ed7615 https://git.kernel.org/stable/c/ef7902be3f215b6bf7babe4dc9dd9a7d57dad7a7

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-01T13:56:03.243Z

Updated: 2026-05-11T22:14:08.692Z

Reserved: 2026-03-09T15:48:24.132Z

Link: CVE-2026-31704

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-05-01T14:16:20.367

Modified: 2026-05-06T20:46:54.840

Link: CVE-2026-31704

Redhat

Severity :

Publid Date: 2026-05-01T00:00:00Z

Links: CVE-2026-31704 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-06T23:45:06Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object