Description
In the Linux kernel, the following vulnerability has been resolved:

smb: client: validate the whole DACL before rewriting it in cifsacl

build_sec_desc() and id_mode_to_cifs_acl() derive a DACL pointer from a
server-supplied dacloffset and then use the incoming ACL to rebuild the
chmod/chown security descriptor.

The original fix only checked that the struct smb_acl header fits before
reading dacl_ptr->size or dacl_ptr->num_aces. That avoids the immediate
header-field OOB read, but the rewrite helpers still walk ACEs based on
pdacl->num_aces with no structural validation of the incoming DACL body.

A malicious server can return a truncated DACL that still contains a
header, claims one or more ACEs, and then drive
replace_sids_and_copy_aces() or set_chmod_dacl() past the validated
extent while they compare or copy attacker-controlled ACEs.

Factor the DACL structural checks into validate_dacl(), extend them to
validate each ACE against the DACL bounds, and use the shared validator
before the chmod/chown rebuild paths. parse_dacl() reuses the same
validator so the read-side parser and write-side rewrite paths agree on
what constitutes a well-formed incoming DACL.
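The structural checks the commit message describes, as an added example in plain C. This is not the kernel's validate_dacl() and does not use the kernel's struct smb_acl or struct smb_ace definitions; it assumes the MS-DTYP little-endian wire layout (8-byte ACL header with size and ACE count, 4-byte ACE header with an ACE size) and walks the ACE list by validated sizes rather than by trusting num_aces alone. The sample buffers are constructed for this example, including the case of a header that claims one more ACE than the body contains.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Wire layout (MS-DTYP, little-endian). These constants and field offsets
 * belong to this example, not to the kernel's struct smb_acl / smb_ace. */
#define ACL_HDR_LEN 8u   /* revision(1) sbz1(1) size(2) num_aces(2) sbz2(2) */
#define ACE_HDR_LEN 4u   /* type(1) flags(1) size(2) */

static uint16_t get_le16(const uint8_t *p)
{
    return (uint16_t)(p[0] | ((uint16_t)p[1] << 8));
}

/*
 * Validate the DACL that starts at dacl_off inside a buf_len-byte response.
 * Accepts only when the ACL header fits in the buffer, the declared ACL size
 * covers the header and fits in the buffer, and each of the num_aces ACEs has
 * a header inside the declared size plus a declared ACE size that is at least
 * a header and does not run past the ACL. Every step is bounded by sizes that
 * were checked first, so num_aces alone can never drive a read past the end.
 */
bool validate_dacl(const uint8_t *buf, size_t buf_len, size_t dacl_off)
{
    if (buf == NULL || dacl_off > buf_len || buf_len - dacl_off < ACL_HDR_LEN)
        return false;                              /* header itself is OOB */

    const uint8_t *acl = buf + dacl_off;
    size_t acl_size = get_le16(acl + 2);
    size_t num_aces = get_le16(acl + 4);

    if (acl_size < ACL_HDR_LEN || acl_size > buf_len - dacl_off)
        return false;                              /* declared size is OOB */

    size_t off = ACL_HDR_LEN;
    for (size_t i = 0; i < num_aces; i++) {
        if (acl_size - off < ACE_HDR_LEN)
            return false;                          /* ACE header past the ACL */
        size_t ace_size = get_le16(acl + off + 2);
        if (ace_size < ACE_HDR_LEN || ace_size > acl_size - off)
            return false;                          /* zero-length or overlong ACE */
        off += ace_size;
    }
    return true;
}

/* Constructed sample: ACL revision 2, size 28, one ACCESS_ALLOWED ACE of
 * 20 bytes granting mask 0x001f01ff to S-1-5-18. */
const uint8_t sample_good[] = {
    0x02, 0x00, 0x1c, 0x00, 0x01, 0x00, 0x00, 0x00,   /* ACL header */
    0x00, 0x00, 0x14, 0x00,                           /* ACE header */
    0xff, 0x01, 0x1f, 0x00,                           /* access mask */
    0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05,   /* SID: rev 1, 1 subauth, NT authority */
    0x12, 0x00, 0x00, 0x00                            /* subauthority 18 */
};

/* Constructed sample: identical body, but the header claims two ACEs while
 * only one is present, which is the shape the commit message warns about. */
const uint8_t sample_extra_ace[] = {
    0x02, 0x00, 0x1c, 0x00, 0x02, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x14, 0x00,
    0xff, 0x01, 0x1f, 0x00,
    0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05,
    0x12, 0x00, 0x00, 0x00
};

/* Constructed sample: the single ACE declares size 0, which a size-driven
 * walk must reject instead of looping on the same offset. */
const uint8_t sample_zero_ace[] = {
    0x02, 0x00, 0x1c, 0x00, 0x01, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00,
    0xff, 0x01, 0x1f, 0x00,
    0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05,
    0x12, 0x00, 0x00, 0x00
};

int main(void)
{
    printf("well-formed DACL:       %d\n", validate_dacl(sample_good, sizeof sample_good, 0));
    /* Same bytes, but only 20 of the declared 28 arrived: header fits, body does not. */
    printf("truncated body:         %d\n", validate_dacl(sample_good, 20, 0));
    printf("claims an extra ACE:    %d\n", validate_dacl(sample_extra_ace, sizeof sample_extra_ace, 0));
    printf("zero-size ACE:          %d\n", validate_dacl(sample_zero_ace, sizeof sample_zero_ace, 0));
    /* dacloffset pointing so close to the end that no header fits. */
    printf("dacloffset near end:    %d\n", validate_dacl(sample_good, sizeof sample_good, 24));
    return 0;
}
```

The point of running one validator before both the read-side parse and the write-side rewrite is that the two paths then agree on what "well-formed" means; a rewrite helper that copies ACEs by count after this check can only ever touch bytes the validator has already bounded.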
Published: 2026-05-01
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel SMB client rewrites local security descriptors from ACL data supplied by remote servers, but the original validation only checked the ACL header bounds and did not verify that the number of ACEs claimed by the header matched the data actually present. Because the rewrite helpers walk the ACE list based on an unverified "num_aces" field, a malicious SMB server can deliver a truncated DACL that claims additional ACEs and cause the kernel to read past the validated region while comparing or copying attacker-controlled ACE entries. When the kernel processes these malformed ACEs, it may incorrectly grant, deny, or alter permissions on local files, effectively bypassing the client's authorization controls. The attack therefore enables unauthorized permission modification and can lead to privilege escalation, particularly when the client owner is not expecting changes from the server. This weakness corresponds to CWE-1288, where external input manipulates critical authorization state. The vulnerability can be exploited over the network against any SMB client that connects to a rogue or compromised SMB server. No additional local privileges are required; the attack relies solely on the client's acceptance of the server's response. The low EPSS score (<1%) indicates that exploitation opportunities are currently limited, but the high CVSS score (8.8) shows the potential impact if this flaw is leveraged.

Affected Systems

All Linux systems whose kernel incorporates the SMB client but lacks the DACL validation patch are affected. The fix was introduced in kernel commits 0a8cf165566ba55a39fd0f4de172119dd646d39a and b78db9bddc84136f6a0bb49e8883cf200dfb87a8. Any Linux kernel version before these commits, regardless of distribution, is vulnerable. Distribution-specific kernel packages older than the patched versions are also at risk.

Risk and Exploitability

The CVSS score of 8.8 indicates high severity, but the EPSS score is very low (<1%), showing that exploitation is unlikely at present. The vulnerability is not listed in CISA KEV. An attacker would establish an SMB session with the client and send a malformed DACL that claims one or more ACEs. The kernel then processes those ACEs, potentially rewriting local file permissions. The attack requires no privileges beyond operating an SMB server the client trusts; the kernel's SMB client accepts the server's response and acts on the supplied ACL. No publicly documented exploitation tool exists yet, but the code paths are present. Because the flaw allows an attacker to alter the permission state of local files, the risk is amplified if the affected system is exposed to untrusted or malicious SMB traffic. The attack vector is network-based via SMB, and the threat is directed at systems that communicate with non-trusted SMB servers.

Generated by OpenCVE AI on May 3, 2026 at 09:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a build that contains the DACL validation patch (commit 0a8cf165566ba55a39fd0f4de172119dd646d39a or later).
  • Configure the SMB client to trust only known SMB servers, for example by restricting SMB traffic to a specific set of hosts or a VPN.
  • Disable SMBv1 support on the client kernel and only enable SMB2/SMB3 to reduce surface area for related kernel bugs.

Generated by OpenCVE AI on May 3, 2026 at 09:21 UTC.

Tracking


Advisories

No advisories yet.

History

Sun, 03 May 2026 06:30:00 +0000

Metrics: cvssV3_1 changed
  Removed: {'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}
  Added:   {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


Sat, 02 May 2026 00:15:00 +0000

Weaknesses: added CWE-1288
References: (no change recorded)
Metrics:
  threat_severity: removed None, added Important
  cvssV3_1: added {'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Fri, 01 May 2026 14:15:00 +0000

Description: added (the full text shown under Description at the top of this page)
Title: added "smb: client: validate the whole DACL before rewriting it in cifsacl"
First Time appeared: Linux, Linux Kernel
CPEs: added cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products: Linux, Linux Kernel
References: (no change recorded)

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-03T05:45:33.109Z

Reserved: 2026-03-09T15:48:24.133Z

Link: CVE-2026-31709

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-01T14:16:20.950

Modified: 2026-05-03T07:16:18.310

Link: CVE-2026-31709

Redhat

Severity : Important

Public Date: 2026-05-01T00:00:00Z

Links: CVE-2026-31709 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-03T09:30:16Z

Weaknesses