Description
In the Linux kernel, the following vulnerability has been resolved:

ksmbd: require minimum ACE size in smb_check_perm_dacl()

Both ACE-walk loops in smb_check_perm_dacl() only guard against an
under-sized remaining buffer, not against an ACE whose declared
`ace->size` is smaller than the struct it claims to describe:

    if (offsetof(struct smb_ace, access_req) > aces_size)
        break;
    ace_size = le16_to_cpu(ace->size);
    if (ace_size > aces_size)
        break;

The first check only requires the 4-byte ACE header to be in bounds;
it does not require access_req (4 bytes at offset 4) to be readable.
An attacker who has set a crafted DACL on a file they own can declare
ace->size == 4 with aces_size == 4, pass both checks, and then

    granted |= le32_to_cpu(ace->access_req);   /* upper loop */
    compare_sids(&sid, &ace->sid);              /* lower loop */

reads access_req at offset 4 (OOB by up to 4 bytes) and ace->sid at
offset 8 (OOB by up to CIFS_SID_BASE_SIZE + SID_MAX_SUB_AUTHORITIES
* 4 bytes).

Tighten both loops to require

ace_size >= offsetof(struct smb_ace, sid) + CIFS_SID_BASE_SIZE

which is the smallest valid on-wire ACE layout (4-byte header +
4-byte access_req + 8-byte sid base with zero sub-auths). Also
reject ACEs whose sid.num_subauth exceeds SID_MAX_SUB_AUTHORITIES
before letting compare_sids() dereference sub_auth[] entries.

parse_sec_desc() already enforces an equivalent check (lines 441-448);
smb_check_perm_dacl() simply grew weaker validation over time.

Reachability: authenticated SMB client with permission to set an ACL
on a file. On a subsequent CREATE against that file, the kernel
walks the stored DACL via smb_check_perm_dacl() and triggers the
OOB read. Not pre-auth, and the OOB read is not reflected to the
attacker, but KASAN reports and kernel state corruption are
possible.
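A user-space model of the two guards described above, added here as an illustration and not taken from the kernel commit. The struct layout is an assumption that mirrors the offsets the advisory quotes (4-byte header, access_req at 4, sid at 8 with an 8-byte base); the final test in the tightened guard, that the sub-authority array also fits inside the declared ACE size, goes beyond what the commit describes.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* User-space model of ksmbd's on-wire ACE layout (assumption: mirrors
 * fs/smb/server/smbacl.h; the offsets match those quoted in the advisory). */
#define SID_MAX_SUB_AUTHORITIES 15
#define CIFS_SID_BASE_SIZE 8   /* revision + num_subauth + 6 authority bytes */
struct smb_sid {
    uint8_t revision, num_subauth, authority[6];
    uint32_t sub_auth[SID_MAX_SUB_AUTHORITIES];   /* only num_subauth entries are valid */
} __attribute__((packed));
struct smb_ace {
    uint8_t type, flags;
    uint16_t size;          /* little-endian on the wire */
    uint32_t access_req;
    struct smb_sid sid;
} __attribute__((packed));
/* Decode the little-endian size field independent of host byte order. */
static uint16_t ace_size_le16(const uint8_t *b) { return (uint16_t)(b[2] | (b[3] << 8)); }
/* Pre-fix guard quoted in the advisory: only the 4-byte header has to fit. */
bool ace_accepted_before_fix(const uint8_t *buf, size_t aces_size) {
    if (offsetof(struct smb_ace, access_req) > aces_size)
        return false;
    return ace_size_le16(buf) <= aces_size;
}
/* Tightened guard: header + access_req + SID base (16 bytes) must be present and num_subauth
 * must not index past sub_auth[]; the final sub-auth-fits-in-size test is an extra check. */
bool ace_accepted_after_fix(const uint8_t *buf, size_t aces_size) {
    const size_t min = offsetof(struct smb_ace, sid) + CIFS_SID_BASE_SIZE;
    if (min > aces_size)
        return false;
    const uint16_t ace_size = ace_size_le16(buf);
    const struct smb_ace *ace = (const struct smb_ace *)buf;
    if (ace_size < min || ace_size > aces_size)
        return false;
    if (ace->sid.num_subauth > SID_MAX_SUB_AUTHORITIES)
        return false;
    return min + (size_t)ace->sid.num_subauth * 4 <= ace_size;
}
/* Constructed samples: the advisory's 4-byte ACE and a minimal valid 16-byte ACE. */
bool crafted_ace_passes(bool (*chk)(const uint8_t *, size_t)) {
    const uint8_t ace[4] = { 0x00, 0x00, 0x04, 0x00 };                /* size == 4 */
    return chk(ace, sizeof ace);
}
bool minimal_ace_passes(bool (*chk)(const uint8_t *, size_t)) {
    const uint8_t ace[16] = { 0, 0, 0x10, 0, 0xff, 0x01, 0x1f, 0, 1, 0 }; /* size 16 */
    return chk(ace, sizeof ace);
}
```

The 4-byte ACE passes the old guard and is rejected by the new one, while the minimal 16-byte ACE with zero sub-authorities passes both, which is the behaviour a regression test for this fix should pin down.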
Published: 2026-05-01
Score: 8.3 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The ksmbd SMB server contains a flaw in smb_check_perm_dacl() where the size of Access Control Entries (ACEs) is insufficiently validated. An attacker with the ability to set a custom ACL on a file they own can craft an ACE whose declared size is only the 4‑byte header. The function’s checks then succeed, but subsequent reads of fields beyond the real end of the ACE (the access request and SID structures) trigger an out‑of‑bounds read. This read can corrupt kernel memory, which may result in a crash or other unreliable system behavior. The vulnerability does not directly leak data and is not pre‑authentication; however, kernel state corruption is possible, and the KASAN detector may report the fault.

Affected Systems

Any Linux kernel containing the ksmbd SMB implementation prior to the patch that introduced stricter ACE size validation is affected. The issue spans all configurations that enable ksmbd and process ACLs for SMB shares; no specific distribution version is singled out, so any kernel version before the recent commit is considered vulnerable.

Risk and Exploitability

The flaw is not listed in the CISA KEV catalog and its EPSS score is below 1%, with a CVSS score of 8.3. Reachability requires an authenticated SMB client that can modify the ACL on a file it owns. After the ACL is stored, a subsequent CREATE operation on that file causes the kernel to walk the stored DACL and trigger the out‑of‑bounds read, potentially leading to kernel memory corruption or a crash. Because the vulnerability does not provide a direct data exfiltration path, the primary risk is system instability and possible denial of service. The likelihood of exploitation is uncertain, but the potential impact on availability and integrity is significant.

Generated by OpenCVE AI on May 3, 2026 at 07:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that includes the ksmbd ACL size validation fix.
  • If a kernel upgrade is not immediately possible, disable ACL manipulation for SMB shares by configuring the share options to disallow setting ACLs.
  • Restrict SMB client permissions so that only trusted administrators can modify ACLs, and monitor KASAN logs for reports of out‑of‑bounds read errors.


Advisories

No advisories yet.

History

Sun, 03 May 2026 06:30:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1 {'score': 8.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:H'}


Sat, 02 May 2026 00:15:00 +0000


Fri, 01 May 2026 14:15:00 +0000

Type | Values Removed | Values Added
Title | | ksmbd: require minimum ACE size in smb_check_perm_dacl()
First Time appeared | | Linux; Linux linux Kernel
CPEs | | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products | | Linux; Linux linux Kernel
References | |

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-03T05:45:35.398Z

Reserved: 2026-03-09T15:48:24.133Z

Link: CVE-2026-31712

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-05-01T14:16:21.270

Modified: 2026-05-03T07:16:18.563

Link: CVE-2026-31712

Redhat

Severity :

Public Date: 2026-05-01T00:00:00Z

Links: CVE-2026-31712 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-03T07:30:16Z

Weaknesses