CVE-2026-31707 - Vulnerability Details

- ksmbd: validate response sizes in ipc_validate_msg()

Description

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: validate response sizes in ipc_validate_msg()

ipc_validate_msg() computes the expected message size for each
response type by adding (or multiplying) attacker-controlled fields
from the daemon response to a fixed struct size in unsigned int
arithmetic. Three cases can overflow:

KSMBD_EVENT_RPC_REQUEST:
msg_sz = sizeof(struct ksmbd_rpc_command) + resp->payload_sz;
KSMBD_EVENT_SHARE_CONFIG_REQUEST:
msg_sz = sizeof(struct ksmbd_share_config_response) +
resp->payload_sz;
KSMBD_EVENT_LOGIN_REQUEST_EXT:
msg_sz = sizeof(struct ksmbd_login_response_ext) +
resp->ngroups * sizeof(gid_t);

resp->payload_sz is __u32 and resp->ngroups is __s32. Each addition
can wrap in unsigned int; the multiplication by sizeof(gid_t) mixes
signed and size_t, so a negative ngroups is converted to SIZE_MAX
before the multiply. A wrapped value of msg_sz that happens to
equal entry->msg_sz bypasses the size check on the next line, and
downstream consumers (smb2pdu.c:6742 memcpy using rpc_resp->payload_sz,
kmemdup in ksmbd_alloc_user using resp_ext->ngroups) then trust the
unverified length.

Use check_add_overflow() on the RPC_REQUEST and SHARE_CONFIG_REQUEST
paths to detect integer overflow without constraining functional
payload size; userspace ksmbd-tools grows NDR responses in 4096-byte
chunks for calls like NetShareEnumAll, so a hard transport cap is
unworkable on the response side. For LOGIN_REQUEST_EXT, reject
resp->ngroups outside the signed [0, NGROUPS_MAX] range up front and
report the error from ipc_validate_msg() so it fires at the IPC
boundary; with that bound the subsequent multiplication and addition
stay well below UINT_MAX. The now-redundant ngroups check and
pr_err in ksmbd_alloc_user() are removed.

This is the response-side analogue of aab98e2dbd64 ("ksmbd: fix
integer overflows on 32 bit systems"), which hardened the request
side.

Published: 2026-05-01

Score: n/a

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The Linux kernel ksmbd service contains a flaw where response message sizes are computed without proper bounds checking, leading to unsigned integer overflow. This allows an attacker to craft SMB responses that cause the kernel to accept an invalid, wrapped size value. When the overflowed size matches the expected size, subsequent memory operations such as memcpy and kmemdup are performed with the unverified length, creating a kernel memory corruption vulnerability.

Affected Systems

All Linux kernel builds that include the ksmbd SMB server subsystem without the listed patch are affected. No specific kernel versions are enumerated in the CVE data, so any pre‑patch kernel running ksmbd may be vulnerable.

Risk and Exploitability

The CVE does not provide a CVSS score or EPSS value, and it is not listed in the CISA KEV catalog. Based on the description, it is inferred that the exploit requires an attacker to send malicious SMB response messages over the network, implying a remote attack vector. The integer overflow can lead to uncontrolled memory reads or writes within the kernel, which could allow privilege escalation or denial of service if successfully triggered. The lack of an EPSS score suggests no data on current exploitation prevalence, but the severity of the overflow warrants attention.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`0626e6641f6b467447c81dd7678a69c66f7746cf`	affected	< 7dd0c858e1909769a4c91842724315ee74f1a5f1
`0626e6641f6b467447c81dd7678a69c66f7746cf`	affected	< 299db777ea0cfa5c407e41b045c24a14c034c27b
`0626e6641f6b467447c81dd7678a69c66f7746cf`	affected	< 99c631d0366c1eab8fb188fe66425f4581ebdde4
`0626e6641f6b467447c81dd7678a69c66f7746cf`	affected	< d6a6aa81eac2c9bff66dc6e191179cb69a14426b

Linux

affected

Version	Status	Constraints
`5.15`	affected	—
`0`	unaffected	< 5.15
`6.12.84`	unaffected	≤ 6.12.*
`6.18.25`	unaffected	≤ 6.18.*
`7.0.2`	unaffected	≤ 7.0.*
`7.1-rc1`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[0626e6641f6b467447c81dd7678a69c66f7746cf,7dd0c858e1909769a4c91842724315ee74f1a5f1)`	affected	code_commit	—
`[0626e6641f6b467447c81dd7678a69c66f7746cf,299db777ea0cfa5c407e41b045c24a14c034c27b)`	affected	code_commit	—
`[0626e6641f6b467447c81dd7678a69c66f7746cf,99c631d0366c1eab8fb188fe66425f4581ebdde4)`	affected	code_commit	—
`[0626e6641f6b467447c81dd7678a69c66f7746cf,d6a6aa81eac2c9bff66dc6e191179cb69a14426b)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`5.15`	affected	semver	—
`[0,5.15)`	unaffected	semver	—
`[6.12.84,6.13.0)`	unaffected	semver	—
`[6.18.25,6.19.0)`	unaffected	semver	—
`[7.0.2,7.1.0)`	unaffected	semver	—
`[7.1-rc1,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the latest Linux kernel update that incorporates the ksmbd response size validation fix
If an immediate kernel upgrade is not possible, stop the ksmbd service or restrict SMB traffic to the host until the patch is deployed
Verify that no legacy ksmbd binaries or custom modules remain in use; remove or harden any custom SMB implementations

Generated by OpenCVE AI on May 2, 2026 at 10:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00018.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/299db777ea0cfa5c407e41b045c24a14c034c27b
https://git.kernel.org/stable/c/7dd0c858e1909769a4c91842724315ee74f1a5f1
https://git.kernel.org/stable/c/99c631d0366c1eab8fb188fe66425f4581ebdde4
https://git.kernel.org/stable/c/d6a6aa81eac2c9bff66dc6e191179cb69a14426b
https://lore.kernel.org/linux-cve-announce/2026050121-CVE-2026-31707-84d2@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-31707
https://www.cve.org/CVERecord?id=CVE-2026-31707

History

Sat, 02 May 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-131
References		https://lore.kernel.org/linux-cve-announce/2026050121-CVE-2026-31707-84d2@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-31707 https://www.cve.org/CVERecord?id=CVE-2026-31707
Metrics	threat_severity `None`	threat_severity `Moderate`

Fri, 01 May 2026 14:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: ksmbd: validate response sizes in ipc_validate_msg() ipc_validate_msg() computes the expected message size for each response type by adding (or multiplying) attacker-controlled fields from the daemon response to a fixed struct size in unsigned int arithmetic. Three cases can overflow: KSMBD_EVENT_RPC_REQUEST: msg_sz = sizeof(struct ksmbd_rpc_command) + resp->payload_sz; KSMBD_EVENT_SHARE_CONFIG_REQUEST: msg_sz = sizeof(struct ksmbd_share_config_response) + resp->payload_sz; KSMBD_EVENT_LOGIN_REQUEST_EXT: msg_sz = sizeof(struct ksmbd_login_response_ext) + resp->ngroups * sizeof(gid_t); resp->payload_sz is __u32 and resp->ngroups is __s32. Each addition can wrap in unsigned int; the multiplication by sizeof(gid_t) mixes signed and size_t, so a negative ngroups is converted to SIZE_MAX before the multiply. A wrapped value of msg_sz that happens to equal entry->msg_sz bypasses the size check on the next line, and downstream consumers (smb2pdu.c:6742 memcpy using rpc_resp->payload_sz, kmemdup in ksmbd_alloc_user using resp_ext->ngroups) then trust the unverified length. Use check_add_overflow() on the RPC_REQUEST and SHARE_CONFIG_REQUEST paths to detect integer overflow without constraining functional payload size; userspace ksmbd-tools grows NDR responses in 4096-byte chunks for calls like NetShareEnumAll, so a hard transport cap is unworkable on the response side. For LOGIN_REQUEST_EXT, reject resp->ngroups outside the signed [0, NGROUPS_MAX] range up front and report the error from ipc_validate_msg() so it fires at the IPC boundary; with that bound the subsequent multiplication and addition stay well below UINT_MAX. The now-redundant ngroups check and pr_err in ksmbd_alloc_user() are removed. This is the response-side analogue of aab98e2dbd64 ("ksmbd: fix integer overflows on 32 bit systems"), which hardened the request side.
Title		ksmbd: validate response sizes in ipc_validate_msg()
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/299db777ea0cfa5c407e41b045c24a14c034c27b https://git.kernel.org/stable/c/7dd0c858e1909769a4c91842724315ee74f1a5f1 https://git.kernel.org/stable/c/99c631d0366c1eab8fb188fe66425f4581ebdde4 https://git.kernel.org/stable/c/d6a6aa81eac2c9bff66dc6e191179cb69a14426b

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-01T13:56:05.219Z

Updated: 2026-05-01T13:56:05.219Z

Reserved: 2026-03-09T15:48:24.132Z

Link: CVE-2026-31707

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-01T14:16:20.720

Modified: 2026-05-01T15:24:14.893

Link: CVE-2026-31707

Redhat

Severity : Moderate

Publid Date: 2026-05-01T00:00:00Z

Links: CVE-2026-31707 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-02T10:45:40Z

Weaknesses

CWE-131

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object