CVE-2026-31433
Received - Intake
Out-of-Bounds Write in Linux ksmbd get_file_all_info

Publication date: 2026-04-22

Last updated on: 2026-04-27

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

ksmbd: fix potential OOB in get_file_all_info() for compound requests

When a compound request consists of QUERY_DIRECTORY + QUERY_INFO (FILE_ALL_INFORMATION) and the first command consumes nearly the entire max_trans_size, get_file_all_info() would blindly call smbConvertToUTF16() with PATH_MAX, causing out-of-bounds write beyond the response buffer.

In get_file_all_info(), there was a missing validation check for the client-provided OutputBufferLength before copying the filename into FileName field of the smb2_file_all_info structure. If the filename length exceeds the available buffer space, it could lead to potential buffer overflows or memory corruption during smbConvertToUTF16 conversion.

This is fixed by calculating the actual free buffer size using smb2_calc_max_out_buf_len(), returning -EINVAL if the buffer is insufficient, and updating smbConvertToUTF16 to use the actual filename length (clamped by PATH_MAX) to ensure a safe copy operation.
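
The check-before-copy pattern described above, as a simplified user-space model (an added example, not the kernel's code or the actual patch). `struct rsp_buf`, `calc_free_len()`, `write_all_info()` and the 100-byte fixed part are hypothetical stand-ins, and the UTF-16 conversion handles ASCII only.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

#define MODEL_PATH_MAX 4096 /* stands in for PATH_MAX */
#define FIXED_INFO_LEN 100  /* constructed size of the fields before FileName */

struct rsp_buf {            /* hypothetical model of the compound response buffer */
    uint8_t *data;
    size_t cap;             /* plays the role of max_trans_size */
    size_t used;            /* bytes already written by earlier commands */
};

/* Space left for this command, capped by the client's OutputBufferLength.
 * Models the role of smb2_calc_max_out_buf_len(); not its real signature. */
static long calc_free_len(const struct rsp_buf *r, size_t client_out_len)
{
    if (r->used > r->cap)
        return -EINVAL;
    size_t left = r->cap - r->used;
    return (long)(left < client_out_len ? left : client_out_len);
}

/* Validate first, then convert exactly name_len characters to UTF-16LE. */
long write_all_info(struct rsp_buf *r, const char *name, size_t client_out_len)
{
    size_t name_len = 0;
    while (name_len < MODEL_PATH_MAX && name[name_len])
        name_len++;                          /* actual length, clamped */
    size_t need = FIXED_INFO_LEN + 2 * name_len;
    long free_len = calc_free_len(r, client_out_len);
    if (free_len < 0 || (size_t)free_len < need)
        return -EINVAL;                      /* reject instead of overrunning */
    uint8_t *out = r->data + r->used;
    memset(out, 0, FIXED_INFO_LEN);          /* fixed fields left zeroed here */
    for (size_t i = 0; i < name_len; i++) {  /* ASCII-only conversion for brevity */
        out[FIXED_INFO_LEN + 2 * i] = (uint8_t)name[i];
        out[FIXED_INFO_LEN + 2 * i + 1] = 0;
    }
    r->used += need;
    return (long)need;
}

int main(void)
{
    uint8_t mem[256];
    struct rsp_buf r = { mem, sizeof(mem), 200 }; /* first command used 200 bytes */
    return write_all_info(&r, "report.txt", 4096) == -EINVAL ? 0 : 1;
}
```
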
Meta Information
Published: 2026-04-22
Last Modified: 2026-04-27
Generated: 2026-05-07
AI Q&A: 2026-04-22
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linux_kernel ksmbd *
CWE ID Description
CWE-UNKNOWN
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?

The vulnerability has been resolved in the Linux kernel by fixing the ksmbd component to properly validate the OutputBufferLength and safely handle filename length during smbConvertToUTF16 conversion.

Immediate mitigation steps include updating your Linux kernel to a version that contains this fix for ksmbd to prevent potential out-of-bounds writes and memory corruption.


Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's ksmbd component, specifically in the get_file_all_info() function handling compound requests that include QUERY_DIRECTORY and QUERY_INFO (FILE_ALL_INFORMATION). When the first command in such a request nearly consumes the maximum transaction size, get_file_all_info() calls smbConvertToUTF16() with a fixed size (PATH_MAX) without properly validating the client-provided OutputBufferLength. This lack of validation can cause an out-of-bounds write beyond the response buffer because the filename length might exceed the available buffer space. This can lead to potential buffer overflows or memory corruption during the UTF-16 conversion of the filename.


How can this vulnerability impact me?

The vulnerability can lead to buffer overflows or memory corruption in the ksmbd service of the Linux kernel. This could potentially be exploited to cause crashes, denial of service, or even arbitrary code execution depending on the context and attacker capabilities. Such impacts could compromise system stability and security.

