Description
In the Linux kernel, the following vulnerability has been resolved:

smb: client: fix OOB read in smb2_ioctl_query_info QUERY_INFO path

smb2_ioctl_query_info() has two response-copy branches: PASSTHRU_FSCTL
and the default QUERY_INFO path. The QUERY_INFO branch clamps
qi.input_buffer_length to the server-reported OutputBufferLength and then
copies qi.input_buffer_length bytes from qi_rsp->Buffer to userspace, but
it never verifies that the flexible-array payload actually fits within
rsp_iov[1].iov_len.

A malicious server can return OutputBufferLength larger than the actual
QUERY_INFO response, causing copy_to_user() to walk past the response
buffer and expose adjacent kernel heap to userspace.

Guard the QUERY_INFO copy with a bounds check on the actual Buffer
payload. Use struct_size(qi_rsp, Buffer, qi.input_buffer_length)
rather than an open-coded addition so the guard cannot overflow on
32-bit builds.
Published: 2026-05-01
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is in the Linux kernel SMB client (fs/smb/client). smb2_ioctl_query_info(), the handler behind the client's query-info ioctl, has two response-copy branches; in the default QUERY_INFO branch it clamps qi.input_buffer_length to the server-reported OutputBufferLength and then copies that many bytes from qi_rsp->Buffer to userspace with copy_to_user(), without checking that the flexible-array payload fits within the bytes actually received for that response (rsp_iov[1].iov_len). A malicious server can therefore report an OutputBufferLength larger than the real QUERY_INFO response, and copy_to_user() reads past the end of the response buffer and hands adjacent kernel heap contents to the calling process. The result is a kernel memory disclosure through an out-of-bounds read, tracked as CWE-125 and CWE-805.
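The following user-space C model is an added illustration, not kernel code and not the CVE fix: it reproduces the clamp-then-copy pattern the paragraph above describes, runs it against a constructed response whose OutputBufferLength exceeds what was received, and shows the bounds check the fix adds plus the 32-bit wrap that makes struct_size() preferable to an open-coded sum. The simplified struct layout, the iov stand-in, the helper names and the -EIO return value are assumptions made for illustration.

```c
/* Added example, not kernel code and not the CVE fix: a user-space model of
 * the QUERY_INFO copy in smb2_ioctl_query_info().  Struct layout, iov stand-in,
 * helper names and the -EIO return value are assumptions for illustration;
 * only the clamp-then-copy logic and the struct_size()-style guard mirror
 * what the advisory describes. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Stand-in for the SMB2 QUERY_INFO response: fixed header, then a
 * flexible-array payload.  OutputBufferLength is chosen by the server. */
struct query_info_rsp {
	uint16_t StructureSize;
	uint16_t OutputBufferOffset;
	uint32_t OutputBufferLength;
	uint8_t  Buffer[];
};
struct iov { void *iov_base; size_t iov_len; };   /* stand-in for rsp_iov[1] */

#define HDR_LEN     offsetof(struct query_info_rsp, Buffer)   /* 8 */
#define PAYLOAD_LEN 16    /* bytes the server really sent in Buffer */
#define LIE_LEN     64    /* OutputBufferLength a malicious server claims */
#define HEAP_LEN    128

/* Constructed stand-in for an unrelated object sitting right after the response. */
static const char adjacent_data[] = "ADJACENT-HEAP-OBJECT-CONTENTS-NOT-PART-OF-THE-REPLY";

/* The guard the fix adds: header plus payload must fit in the bytes received.
 * __builtin_add_overflow plays the role of struct_size(), which saturates instead of wrapping. */
static int payload_fits(const struct iov *rsp, uint32_t len)
{
	size_t need;
	return !__builtin_add_overflow((size_t)HDR_LEN, (size_t)len, &need) && need <= rsp->iov_len;
}

/* guarded=0 is the pre-fix path the advisory describes: clamp to the server's
 * OutputBufferLength and copy that many bytes of Buffer with no check against
 * iov_len.  guarded=1 inserts the bounds check before the copy. */
static int query_info_copy(const struct iov *rsp, uint32_t len,
			   uint8_t *user, size_t user_len, int guarded)
{
	const struct query_info_rsp *qi_rsp = rsp->iov_base;
	if (qi_rsp->OutputBufferLength < len)
		len = qi_rsp->OutputBufferLength;
	if (guarded && !payload_fits(rsp, len))
		return -EIO;                 /* assumed error code, illustration only */
	if (len > user_len)
		return -EFAULT;
	memcpy(user, qi_rsp->Buffer, len);   /* copy_to_user stand-in */
	return (int)len;
}

/* Build a 128-byte "heap": a 24-byte response (header + 16-byte payload)
 * followed by adjacent_data, the server claiming `claimed` output bytes.
 * Then run one copy for a caller asking for up to LIE_LEN bytes. */
static int run_case(int guarded, uint32_t claimed, uint8_t *user)
{
	_Alignas(8) uint8_t heap[HEAP_LEN];
	struct query_info_rsp *r = (struct query_info_rsp *)heap;
	struct iov rsp = { heap, HDR_LEN + PAYLOAD_LEN };   /* what really arrived */
	memset(heap, 0, HEAP_LEN);
	r->StructureSize = 9;
	r->OutputBufferOffset = (uint16_t)HDR_LEN;
	r->OutputBufferLength = claimed;
	memset(r->Buffer, 'A', PAYLOAD_LEN);
	memcpy(heap + HDR_LEN + PAYLOAD_LEN, adjacent_data, sizeof(adjacent_data) - 1);
	return query_info_copy(&rsp, LIE_LEN, user, LIE_LEN, guarded);
}

/* 1 if the unguarded copy handed userspace the bytes after the response. */
static int unfixed_leaks_adjacent_heap(void)
{
	uint8_t user[LIE_LEN] = {0};
	return run_case(0, LIE_LEN, user) == LIE_LEN &&
	       memcmp(user + PAYLOAD_LEN, adjacent_data, LIE_LEN - PAYLOAD_LEN) == 0;
}
static int fixed_rejects_malicious(void)   /* same lying server, guarded: -EIO */
{
	uint8_t user[LIE_LEN] = {0};
	return run_case(1, LIE_LEN, user);
}
static int fixed_copies_honest(void)   /* honest server: PAYLOAD_LEN bytes of 'A' */
{
	uint8_t user[LIE_LEN] = {0};
	int n = run_case(1, PAYLOAD_LEN, user);
	return (n == PAYLOAD_LEN && memcmp(user, "AAAAAAAAAAAAAAAA", PAYLOAD_LEN) == 0) ? n : -1;
}

/* Why struct_size() rather than an open-coded sum: modelling a 32-bit size_t,
 * HDR_LEN + len wraps for len near UINT32_MAX, so the open-coded guard lets
 * the copy through while the overflow-checked one rejects it. */
static int guard_open_coded_32(uint32_t len, uint32_t iov_len)
{
	return (uint32_t)HDR_LEN + len <= iov_len;   /* sum wraps */
}
static int guard_overflow_safe_32(uint32_t len, uint32_t iov_len)
{
	uint32_t need;
	return !__builtin_add_overflow((uint32_t)HDR_LEN, len, &need) && need <= iov_len;
}
```

With the lying server, the unguarded copy returns all 64 requested bytes and the last 48 of them are the constructed adjacent object, while the guarded copy returns -EIO; the honest server still gets its 16 bytes through the guard. The 32-bit helpers show the second half of the fix: with len = 0xFFFFFFFC the open-coded `HDR_LEN + len` wraps to 4 and passes a 24-byte iov_len, which is exactly the check struct_size() is used to avoid.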

Affected Systems

Any Linux system running a kernel with the SMB client built in or as a module (CONFIG_CIFS, fs/smb/client) is potentially affected, because the vulnerable code lives in the in-tree client rather than in any distribution-specific component. Affected are kernel builds that predate the commit adding the bounds check to the QUERY_INFO path of smb2_ioctl_query_info(). The fix is in the mainline kernel; for stable and distribution kernels, check whether your vendor's package carries the backport.

Risk and Exploitability

The trigger needs two things: a connection to (in practice, a mount of) an SMB server under the attacker's control, and a local process issuing the query-info ioctl on a file under that mount (for example the smbinfo utility from cifs-utils), since smb2_ioctl_query_info() runs only in that ioctl path and not during ordinary file I/O. The attack vector is therefore a malicious or compromised SMB server returning a crafted QUERY_INFO response with an inflated OutputBufferLength. This is why the two CVSS vectors recorded in the History below disagree: the 8.1 vector (AV:N/AC:L/PR:N/UI:R) models the server as the remote trigger, while the 7.0 vector recorded alongside Red Hat's Moderate rating (AV:L/AC:H/PR:L/UI:N) models the local ioctl caller. Either way, the effect the description supports is disclosure of kernel heap memory. The EPSS score below 1% estimates a low probability of exploitation in the wild over the next 30 days, and the flaw is not listed in CISA's KEV catalog. The realistic exposure is hosts that mount shares from untrusted or internet-reachable servers, or that let unprivileged users run tools issuing this ioctl on such mounts.

Generated by OpenCVE AI on May 6, 2026 at 22:25 UTC.

Remediation

No vendor fix or workaround is listed here. The kernel's own CVE record (the Description above) states the issue is resolved upstream, so the effective remediation is a kernel containing that commit; see the Recommended Actions below.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that includes the commit adding the bounds check to the QUERY_INFO path of smb2_ioctl_query_info(); for distribution kernels, check the vendor advisory for the package version that carries the backport
  • If the host does not need the SMB client, unload it and keep it from loading again: the client is the cifs module (there is no separate smb2 module), so unmount any cifs/smb3 mounts, run `modprobe -r cifs`, and add an `install cifs /bin/false` line in a file under /etc/modprobe.d/ (a plain `blacklist cifs` only stops automatic loading, not an explicit modprobe)
  • Until the kernel is updated, restrict outbound SMB traffic to trusted servers only: TCP port 445, and TCP 139 where the NetBIOS session service is still used (UDP 137/138 carry NetBIOS name and datagram services, not the SMB session); also avoid mounting shares from untrusted or internet-reachable servers, bearing in mind that a trusted server that is itself compromised can still deliver the malicious response

Advisories

No advisories yet.

History

Wed, 06 May 2026 20:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-125

Sun, 03 May 2026 06:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H'}


Sat, 02 May 2026 11:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-125

Sat, 02 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-805
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate


Sat, 02 May 2026 00:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-125

Fri, 01 May 2026 14:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: smb: client: fix OOB read in smb2_ioctl_query_info QUERY_INFO path smb2_ioctl_query_info() has two response-copy branches: PASSTHRU_FSCTL and the default QUERY_INFO path. The QUERY_INFO branch clamps qi.input_buffer_length to the server-reported OutputBufferLength and then copies qi.input_buffer_length bytes from qi_rsp->Buffer to userspace, but it never verifies that the flexible-array payload actually fits within rsp_iov[1].iov_len. A malicious server can return OutputBufferLength larger than the actual QUERY_INFO response, causing copy_to_user() to walk past the response buffer and expose adjacent kernel heap to userspace. Guard the QUERY_INFO copy with a bounds check on the actual Buffer payload. Use struct_size(qi_rsp, Buffer, qi.input_buffer_length) rather than an open-coded addition so the guard cannot overflow on 32-bit builds.
Title smb: client: fix OOB read in smb2_ioctl_query_info QUERY_INFO path
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:14:13.270Z

Reserved: 2026-03-09T15:48:24.132Z

Link: CVE-2026-31708

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-05-01T14:16:20.837

Modified: 2026-05-06T20:25:14.280

Link: CVE-2026-31708

Red Hat

Severity : Moderate

Public Date: 2026-05-01T00:00:00Z

Links: CVE-2026-31708 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-06T22:30:13Z

Weaknesses