7.1

CVE-2026-31614

EPSS 0.01%
Veröffentlicht 24.04.2026 14:42:34
Zuletzt bearbeitet 29.04.2026 18:03:40
Quelle 416baaa9-dc9f-4396-8d5f-8c081f
CVE-Watchlists
Login
Unerledigt
Login

smb: client: fix off-by-8 bounds check in check_wsl_eas()

In the Linux kernel, the following vulnerability has been resolved:

smb: client: fix off-by-8 bounds check in check_wsl_eas()

The bounds check uses (u8 *)ea + nlen + 1 + vlen as the end of the EA
name and value, but ea_data sits at offset sizeof(struct
smb2_file_full_ea_info) = 8 from ea, not at offset 0.  The strncmp()
later reads ea->ea_data[0..nlen-1] and the value bytes follow at
ea_data[nlen+1..nlen+vlen], so the actual end is ea->ea_data + nlen + 1
+ vlen.  Isn't pointer math fun?

The earlier check (u8 *)ea > end - sizeof(*ea) only guarantees the
8-byte header is in bounds, but since the last EA is placed within 8
bytes of the end of the response, the name and value bytes are read past
the end of iov.

Fix this mess all up by using ea->ea_data as the base for the bounds
check.

An "untrusted" server can use this to leak up to 8 bytes of kernel heap
into the EA name comparison and influence which WSL xattr the data is
interpreted as.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 9

NVD 5 VulnDex Vulnerability Enrichment 12

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Linux ≫ Linux Kernel Version >= 6.6.32 < 6.6.136

Linux ≫ Linux Kernel Version >= 6.9 < 6.12.83

Linux ≫ Linux Kernel Version >= 6.13 < 6.18.24

Linux ≫ Linux Kernel Version >= 6.19 < 6.19.14

Linux ≫ Linux Kernel Version >= 7.0 < 7.0.1

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.01%	0.024

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.1	1.8	5.2	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

CWE-125 Out-of-bounds Read

The product reads data past the end, or before the beginning, of the intended buffer.

https://git.kernel.org/stable/c/5cc0574c84aa73946ade587c41e81757b8b01cb5

Patch

https://git.kernel.org/stable/c/b2b76d09a64c538c57006180103fc1841e8cfa66

Patch

https://git.kernel.org/stable/c/ba3ad159aa61810bbe0acaf39578b1ebfb6f1a18

Patch

https://git.kernel.org/stable/c/a893f1757d9a4009e4a8d7ceb2312142fe29cea4

Patch

https://git.kernel.org/stable/c/3d8b9d06bd3ac4c6846f5498800b0f5f8062e53b

Patch

https://git.kernel.org/stable/c/bfbc74df8bbe095b3ed68f6d4487b368af087890

Patch

https://nvd.nist.gov/vuln/detail/CVE-2026-31614

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-31614

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-31614

EUVD