CVE-2026-31709
Modified Modified - Updated After Analysis
Linux Kernel SMB Client DACL Validation Flaw

Publication date: 2026-05-01

Last updated on: 2026-06-09

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: smb: client: validate the whole DACL before rewriting it in cifsacl build_sec_desc() and id_mode_to_cifs_acl() derive a DACL pointer from a server-supplied dacloffset and then use the incoming ACL to rebuild the chmod/chown security descriptor. The original fix only checked that the struct smb_acl header fits before reading dacl_ptr->size or dacl_ptr->num_aces. That avoids the immediate header-field OOB read, but the rewrite helpers still walk ACEs based on pdacl->num_aces with no structural validation of the incoming DACL body. A malicious server can return a truncated DACL that still contains a header, claims one or more ACEs, and then drive replace_sids_and_copy_aces() or set_chmod_dacl() past the validated extent while they compare or copy attacker-controlled ACEs. Factor the DACL structural checks into validate_dacl(), extend them to validate each ACE against the DACL bounds, and use the shared validator before the chmod/chown rebuild paths. parse_dacl() reuses the same validator so the read-side parser and write-side rewrite paths agree on what constitutes a well-formed incoming DACL.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-01
Last Modified
2026-06-09
Generated
2026-06-16
AI Q&A
2026-05-01
EPSS Evaluated
2026-06-15
NVD
CVE-2026-31709
EUVD
EUVD-2026-26518
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linux linux_kernel From 5.12 (inc) to 7.0.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's SMB client code that handles security descriptors, specifically the Discretionary Access Control List (DACL) validation. The issue arises because the code only partially validates the DACL structure received from a server before using it to rebuild security descriptors for chmod and chown operations.

Originally, the code checked only the header of the DACL to avoid out-of-bounds reads, but it did not fully validate the entire DACL body or each Access Control Entry (ACE) within it. This allowed a malicious server to send a truncated or malformed DACL that claims to have multiple ACEs but does not actually contain them fully.

Because of this incomplete validation, the code could read or copy attacker-controlled ACEs beyond the validated memory area, potentially leading to memory corruption or other unexpected behavior.

The fix involved factoring the DACL structural checks into a shared validator function that thoroughly validates the entire DACL and each ACE against the DACL bounds. This validator is used consistently in both parsing and rewriting paths to ensure only well-formed DACLs are accepted.

Impact Analysis

This vulnerability can impact you by allowing a malicious SMB server to send a specially crafted, malformed DACL that causes the Linux kernel SMB client to read or copy memory beyond the intended bounds.

Such out-of-bounds memory access can lead to memory corruption, which might be exploited to cause system crashes, denial of service, or potentially arbitrary code execution with kernel privileges.

Since this occurs in the kernel, successful exploitation could compromise the security and stability of the entire system.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-31709. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart