CVE-2026-31432

HIGH

ksmbd: fix OOB write in QUERY_INFO for compound requests

Title source: cna
STIX 2.1

Description

In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix OOB write in QUERY_INFO for compound requests When a compound request such as READ + QUERY_INFO(Security) is received, and the first command (READ) consumes most of the response buffer, ksmbd could write beyond the allocated buffer while building a security descriptor. The root cause was that smb2_get_info_sec() checked buffer space using ppntsd_size from xattr, while build_sec_desc() often synthesized a significantly larger descriptor from POSIX ACLs. This patch introduces smb_acl_sec_desc_scratch_len() to accurately compute the final descriptor size beforehand, performs proper buffer checking with smb2_calc_max_out_buf_len(), and uses exact-sized allocation + iov pinning.

Scores

CVSS v3 8.8
EPSS 0.0051
EPSS Percentile 39.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-787
Status published
Products (22)
linux/Kernel 6.13.0 - 6.18.22linux
linux/Kernel 6.19.0 - 6.19.12linux
linux/Kernel 6.6.0 - 6.6.143linux
linux/Kernel 6.7.0 - 6.12.81linux
Linux/Linux < 6.6
Linux/Linux 5.15.145 - 5.16
Linux/Linux 6.1.71 - 6.2
Linux/Linux 6.12.81 - 6.12.*
Linux/Linux 6.18.22 - 6.18.*
Linux/Linux 6.19.12 - 6.19.*
... and 12 more
Published Apr 22, 2026
Tracked Since Apr 22, 2026