8.8

CVE-2026-31432

Medienbericht

ksmbd: fix OOB write in QUERY_INFO for compound requests

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: fix OOB write in QUERY_INFO for compound requests

When a compound request such as READ + QUERY_INFO(Security) is received,
and the first command (READ) consumes most of the response buffer,
ksmbd could write beyond the allocated buffer while building a security
descriptor.

The root cause was that smb2_get_info_sec() checked buffer space using
ppntsd_size from xattr, while build_sec_desc() often synthesized a
significantly larger descriptor from POSIX ACLs.

This patch introduces smb_acl_sec_desc_scratch_len() to accurately
compute the final descriptor size beforehand, performs proper buffer
checking with smb2_calc_max_out_buf_len(), and uses exact-sized
allocation + iov pinning.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
LinuxLinux Kernel Version >= 5.15.145 < 5.16
LinuxLinux Kernel Version >= 6.1.71 < 6.2
LinuxLinux Kernel Version >= 6.6 < 6.12.81
LinuxLinux Kernel Version >= 6.13 < 6.18.22
LinuxLinux Kernel Version >= 6.19 < 6.19.12
LinuxLinux Kernel Version7.0 Updaterc1
LinuxLinux Kernel Version7.0 Updaterc2
LinuxLinux Kernel Version7.0 Updaterc3
LinuxLinux Kernel Version7.0 Updaterc4
LinuxLinux Kernel Version7.0 Updaterc5
LinuxLinux Kernel Version7.0 Updaterc6
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.51% 0.391
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
416baaa9-dc9f-4396-8d5f-8c081fb06d67 8.8 2.8 5.9
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE-787 Out-of-bounds Write

The product writes data past the end, or before the beginning, of the intended buffer.

Für Zugriff zu Vulnerability Intelligence ist ein VulnDex Zugang erforderlich.
VulnDex Intel
Media Report
05.06.2026 12:45
https://git.kernel.org/stable/c/d48c64fb80ad78b3dd29fb7d79b6ec7bd72bfc09
Patch
https://git.kernel.org/stable/c/075ea208c648cc2bcd616295b711d3637c61de45
Patch
https://git.kernel.org/stable/c/515c2daab46021221bdf406bef19bc90a44ec617
Patch
https://git.kernel.org/stable/c/fda9522ed6afaec45cabc198d8492270c394c7bc
Patch