CVE-2026-31478
Incorrect Buffer Length Calculation in Linux Kernel ksmbd Component
Publication date: 2026-04-22
Last updated on: 2026-04-27
Assigner: kernel.org
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | 6.6 |
| linux | linux_kernel | 7.0 |
| linux | linux_kernel | From 6.13 (inc) to 6.18.21 (exc) |
| linux | linux_kernel | From 6.19 (inc) to 6.19.11 (exc) |
| linux | linux_kernel | From 6.7 (inc) to 6.12.80 (exc) |
| linux | linux_kernel | From 5.15.145 (inc) to 5.15.203 (exc) |
| linux | linux_kernel | From 6.1.71 (inc) to 6.1.168 (exc) |
| linux | linux_kernel | From 6.6.1 (inc) to 6.6.131 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN | |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability relates to the Linux kernel's ksmbd component, specifically in the smb2_calc_max_out_buf_len() function. After a code change introduced support for read compound operations, the way response buffers were managed was altered to use a dynamic iov array. However, the function smb2_calc_max_out_buf_len() was still using a hardcoded value for hdr2_len, which should instead be the offset of the Buffer field within the response structure. This mismatch could lead to incorrect buffer length calculations. The vulnerability was fixed by replacing the hardcoded hdr2_len with the correct offsetof() value.
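The effect of a hardcoded header length that disagrees with the real offset of Buffer can be shown with a small model. This is an added example, not kernel or ksmbd code: struct demo_rsp, DEMO_HARDCODED_HDR2_LEN and the demo_* functions are hypothetical names, and the layout and the mismatch are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed response layout; NOT a ksmbd structure. */
struct demo_rsp {
    uint16_t structure_size;
    uint16_t output_offset;
    uint32_t output_length;
    uint64_t file_id;
    uint8_t  Buffer[];          /* payload starts at offset 16 */
};

/* Constructed magic number that does not match the layout above. */
#define DEMO_HARDCODED_HDR2_LEN 8

/* Payload bytes that fit after a header of hdr_len in a response of
 * rsp_cap bytes, clamped to the client's request. -1 if no room. */
static long demo_max_out_len(size_t rsp_cap, size_t hdr_len, size_t requested)
{
    if (hdr_len > rsp_cap)
        return -1;
    size_t room = rsp_cap - hdr_len;
    return (long)(requested < room ? requested : room);
}

static long demo_len_hardcoded(size_t cap, size_t req)
{
    return demo_max_out_len(cap, DEMO_HARDCODED_HDR2_LEN, req);
}

static long demo_len_offsetof(size_t cap, size_t req)
{
    return demo_max_out_len(cap, offsetof(struct demo_rsp, Buffer), req);
}

/* True when the real header plus payload stays inside the response. */
static int demo_fits(size_t cap, long payload)
{
    return payload >= 0 &&
           offsetof(struct demo_rsp, Buffer) + (size_t)payload <= cap;
}

int main(void)
{
    long bad = demo_len_hardcoded(64, 1000), good = demo_len_offsetof(64, 1000);
    printf("hardcoded: %ld fits=%d\n", bad, demo_fits(64, bad));
    printf("offsetof:  %ld fits=%d\n", good, demo_fits(64, good));
    return 0;
}
```

Deriving the length from offsetof() keeps the calculation tied to the structure definition, so a layout change cannot leave a stale constant behind.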
How can this vulnerability impact me?
This vulnerability relates to incorrect handling of the response buffer length in the ksmbd component of the Linux kernel. If exploited, it could potentially lead to improper buffer management, which might cause unexpected behavior such as crashes or memory corruption.