Description
In the Linux kernel, the following vulnerability has been resolved:

smb: client: fix OOB read in smb2_ioctl_query_info QUERY_INFO path

smb2_ioctl_query_info() has two response-copy branches: PASSTHRU_FSCTL
and the default QUERY_INFO path. The QUERY_INFO branch clamps
qi.input_buffer_length to the server-reported OutputBufferLength and then
copies qi.input_buffer_length bytes from qi_rsp->Buffer to userspace, but
it never verifies that the flexible-array payload actually fits within
rsp_iov[1].iov_len.

A malicious server can return OutputBufferLength larger than the actual
QUERY_INFO response, causing copy_to_user() to walk past the response
buffer and expose adjacent kernel heap to userspace.

Guard the QUERY_INFO copy with a bounds check on the actual Buffer
payload. Use struct_size(qi_rsp, Buffer, qi.input_buffer_length)
rather than an open-coded addition so the guard cannot overflow on
32-bit builds.
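The guard the commit describes, as an added C model (not the kernel's code): the struct is a constructed stand-in with only the fields the model needs, the function names are hypothetical, and `qi_rsp_size()` plays the role of `struct_size()`. It contrasts the unguarded clamp with the guarded one and shows why the overflow-safe helper matters when the reported length is near `SIZE_MAX`.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-in for the QUERY_INFO response: a header carrying the
 * server-reported length, then a flexible-array payload (shape only). */
struct qi_rsp_model {
    uint32_t OutputBufferLength;
    uint8_t  Buffer[];
};

/* Open-coded "header + count": wraps silently when count is near SIZE_MAX,
 * the 32-bit hazard the commit message warns about. */
static size_t open_coded_size(size_t count)
{
    return offsetof(struct qi_rsp_model, Buffer) + count;
}

/* Role of struct_size(): saturates to SIZE_MAX so the check fails closed. */
static size_t qi_rsp_size(size_t count)
{
    size_t hdr = offsetof(struct qi_rsp_model, Buffer);
    return count > SIZE_MAX - hdr ? SIZE_MAX : hdr + count;
}

/* Clamp as the client does. Unguarded (the bug) trusts OutputBufferLength;
 * guarded (the fix) also requires the payload to fit within iov_len. */
static bool copy_len(const struct qi_rsp_model *rsp, size_t iov_len,
                     size_t requested, bool guarded, size_t *to_copy)
{
    size_t n = requested < rsp->OutputBufferLength ? requested
                                                   : rsp->OutputBufferLength;
    if (guarded && qi_rsp_size(n) > iov_len)
        return false; /* server-reported length exceeds the response */
    *to_copy = n;     /* unguarded: may exceed iov_len, the OOB read */
    return true;
}

/* Builds a constructed response whose real payload is `actual` bytes but
 * whose header advertises `reported`, then runs copy_len() on it. */
static bool check_response(uint32_t reported, size_t actual, size_t requested,
                           bool guarded, size_t *to_copy)
{
    uint32_t raw[16] = {0};
    struct qi_rsp_model *rsp = (struct qi_rsp_model *)raw;
    size_t iov_len = offsetof(struct qi_rsp_model, Buffer) + actual;
    rsp->OutputBufferLength = reported;
    return copy_len(rsp, iov_len, requested, guarded, to_copy);
}
```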
Published: 2026-05-01
Score: 7.0 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability arises in the Linux kernel SMB client when the smb2_ioctl_query_info() routine copies a variable‑length server response to userspace without verifying that the buffer length fits within the actual allocated response. A malicious SMB server can provide an OutputBufferLength larger than the actual data payload, causing copy_to_user() to read past the end of the buffer and expose adjacent kernel heap contents to a user process. The flaw leads to an out‑of‑bounds read that can disclose sensitive kernel memory, which is a serious confidentiality risk (CWE‑125).

Affected Systems

All Linux kernel systems that include the SMB2 client are affected. The vulnerability is present in the kernel’s SMB2 implementation before the patch referenced in the advisory. Specific vendor‑version information is not enumerated, so any kernel build that contains the unpatched smb2_ioctl_query_info() code is potentially vulnerable.

Risk and Exploitability

The probability of exploitation is not quantified (EPSS not available) and the vulnerability is not listed in CISA’s KEV catalog. The CVSS score of 7.0 indicates a high severity, aligned with the kernel memory disclosure risk. However, the flaw can be exploited remotely whenever a Linux host communicates with a malicious SMB server: the attacker controls the SMB response, so a remote SMB server can trigger the OOB read. The lack of bounds checking in the client code creates a straightforward attack path for an attacker with SMB access.

Generated by OpenCVE AI on May 2, 2026 at 10:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that includes the patch to smb2_ioctl_query_info() as referenced in the advisory.
  • If the system cannot be updated immediately, restrict SMB client usage by blocking outbound SMB traffic to untrusted servers or using firewall rules to prevent SMB connections.
  • Monitor for anomalous SMB traffic or unexpected interactions with the SMB client that might indicate exploitation attempts.


Advisories

No advisories yet.

History

Sat, 02 May 2026 00:15:00 +0000
Type / Values Removed / Values Added
Weaknesses: CWE-805
References:
Metrics: threat_severity None; cvssV3_1 {'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}; threat_severity Moderate

Sat, 02 May 2026 00:00:00 +0000
Type / Values Removed / Values Added
Weaknesses: CWE-125

Fri, 01 May 2026 14:15:00 +0000
Type / Values Removed / Values Added
Description: (the full vulnerability description shown above)
Title: smb: client: fix OOB read in smb2_ioctl_query_info QUERY_INFO path
First Time appeared: Linux; Linux linux Kernel
CPEs: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products: Linux; Linux linux Kernel
References:

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-01T13:56:05.880Z

Reserved: 2026-03-09T15:48:24.132Z

Link: CVE-2026-31708

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-01T14:16:20.837

Modified: 2026-05-01T15:24:14.893

Link: CVE-2026-31708

Redhat

Severity : Moderate

Public Date: 2026-05-01T00:00:00Z

Links: CVE-2026-31708 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-01T23:45:09Z

Weaknesses