CVE-2026-31706
Received Received - Intake
Heap-based Buffer Overflow in ksmbd Linux Kernel

Publication date: 2026-05-01

Last updated on: 2026-05-06

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: ksmbd: validate num_aces and harden ACE walk in smb_inherit_dacl() smb_inherit_dacl() trusts the on-disk num_aces value from the parent directory's DACL xattr and uses it to size a heap allocation: aces_base = kmalloc(sizeof(struct smb_ace) * num_aces * 2, ...); num_aces is a u16 read from le16_to_cpu(parent_pdacl->num_aces) without checking that it is consistent with the declared pdacl_size. An authenticated client whose parent directory's security.NTACL is tampered (e.g. via offline xattr corruption or a concurrent path that bypasses parse_dacl()) can present num_aces = 65535 with minimal actual ACE data. This causes a ~8 MB allocation (not kzalloc, so uninitialized) that the subsequent loop only partially populates, and may also overflow the three-way size_t multiply on 32-bit kernels. Additionally, the ACE walk loop uses the weaker offsetof(struct smb_ace, access_req) minimum size check rather than the minimum valid on-wire ACE size, and does not reject ACEs whose declared size is below the minimum. Reproduced on UML + KASAN + LOCKDEP against the real ksmbd code path. A legitimate mount.cifs client creates a parent directory over SMB (ksmbd writes a valid security.NTACL xattr), then the NTACL blob on the backing filesystem is rewritten to set num_aces = 0xFFFF while keeping the posix_acl_hash bytes intact so ksmbd_vfs_get_sd_xattr()'s hash check still passes. A subsequent SMB2 CREATE of a child under that parent drives smb2_open() into smb_inherit_dacl() (share has "vfs objects = acl_xattr" set), which fails the page allocator: WARNING: mm/page_alloc.c:5226 at __alloc_frozen_pages_noprof+0x46c/0x9c0 Workqueue: ksmbd-io handle_ksmbd_work __alloc_frozen_pages_noprof+0x46c/0x9c0 ___kmalloc_large_node+0x68/0x130 __kmalloc_large_node_noprof+0x24/0x70 __kmalloc_noprof+0x4c9/0x690 smb_inherit_dacl+0x394/0x2430 smb2_open+0x595d/0xabe0 handle_ksmbd_work+0x3d3/0x1140 With the patch applied the added guard rejects the tampered value with -EINVAL before any large allocation runs, smb2_open() falls back to smb2_create_sd_buffer(), and the child is created with a default SD. No warning, no splat. Fix by: 1. Validating num_aces against pdacl_size using the same formula applied in parse_dacl(). 2. Replacing the raw kmalloc(sizeof * num_aces * 2) with kmalloc_array(num_aces * 2, sizeof(...)) for overflow-safe allocation. 3. Tightening the per-ACE loop guard to require the minimum valid ACE size (offsetof(smb_ace, sid) + CIFS_SID_BASE_SIZE) and rejecting under-sized ACEs, matching the hardening in smb_check_perm_dacl() and parse_dacl(). v1 -> v2: - Replace the synthetic test-module splat in the changelog with a real-path UML + KASAN reproduction driven through mount.cifs and SMB2 CREATE; Namjae flagged the kcifs3_test_inherit_dacl_old name in v1 since it does not exist in ksmbd. - Drop the commit-hash citation from the code comment per Namjae's review; keep the parse_dacl() pointer.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-01
Last Modified
2026-05-06
Generated
2026-05-07
AI Q&A
2026-05-01
EPSS Evaluated
2026-05-05
NVD
CVE-2026-31706
EUVD
EUVD-2026-26515
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
linux linux_kernel From 6.13 (inc) to 6.18.25 (exc)
linux linux_kernel From 6.19 (inc) to 7.0.2 (exc)
linux linux_kernel From 5.15 (inc) to 6.12.84 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves the ksmbd component of the Linux kernel handling SMB ACLs, specifically related to the num_aces value in the security.NTACL extended attribute of directories. Detection involves identifying tampered or corrupted NTACL xattrs where num_aces is set to an abnormally high value (e.g., 65535) inconsistent with the actual ACL data size.

One way to detect this on your system is to inspect the security.NTACL extended attributes on SMB-shared directories for suspicious num_aces values or inconsistencies.

Since the vulnerability manifests as large kmalloc allocations and kernel warnings during SMB2 CREATE operations, monitoring kernel logs for warnings related to __alloc_frozen_pages_noprof or kmalloc failures in smb_inherit_dacl() can also help detect exploitation attempts.

There are no specific commands provided in the context, but general approaches include:

  • Use getfattr or similar tools to read the security.NTACL xattr on directories shared via SMB to check for abnormal num_aces values.
  • Monitor kernel logs (e.g., via dmesg or journalctl) for warnings or errors related to ksmbd, smb_inherit_dacl, or large memory allocations failing.
  • Audit SMB2 CREATE operations on the server to detect failures or anomalies that may indicate attempts to trigger this vulnerability.

Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's ksmbd component, specifically in the smb_inherit_dacl() function. The function trusts the num_aces value from a parent directory's DACL extended attribute without properly validating it against the actual size of the DACL data. An attacker who is authenticated and can tamper with the parent directory's security.NTACL attribute can set num_aces to a very large value (65535), causing the kernel to allocate a large amount of memory (~8 MB) without initialization and potentially leading to memory corruption or overflow on 32-bit systems.

The vulnerability arises because the code uses num_aces to size a heap allocation and then partially populates it, which can cause out-of-bounds memory access. Additionally, the code uses a weak size check for each ACE entry, allowing under-sized ACEs to be processed.

The fix involves validating num_aces against the actual DACL size, using safer memory allocation functions to prevent overflow, and tightening the checks on each ACE entry to reject invalid sizes.


How can this vulnerability impact me? :

This vulnerability can impact you by allowing an authenticated attacker to cause a denial of service (DoS) through excessive memory allocation and potential memory corruption in the Linux kernel's ksmbd service. This can lead to system instability or crashes.

On 32-bit systems, the vulnerability may also cause integer overflow during memory allocation size calculations, potentially leading to security issues such as buffer overflows.

Because the vulnerability involves tampering with security attributes and memory handling in the kernel, it could also be leveraged as part of a more complex attack chain, although the primary impact described is resource exhaustion and instability.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, apply the patch that validates the num_aces value against the pdacl_size to prevent large, unsafe heap allocations.

The patch includes replacing the raw kmalloc call with kmalloc_array for overflow-safe allocation and tightening the ACE walk loop to reject under-sized ACEs.

With the patch applied, tampered num_aces values are rejected early with an error, preventing large memory allocations and potential crashes.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart