CVE-2026-31712
Status: Received - Intake
Buffer Out-of-Bounds Read in ksmbd SMB Server

Publication date: 2026-05-01

Last updated on: 2026-05-06

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

ksmbd: require minimum ACE size in smb_check_perm_dacl()

Both ACE-walk loops in smb_check_perm_dacl() only guard against an under-sized remaining buffer, not against an ACE whose declared `ace->size` is smaller than the struct it claims to describe:

    if (offsetof(struct smb_ace, access_req) > aces_size)
        break;
    ace_size = le16_to_cpu(ace->size);
    if (ace_size > aces_size)
        break;

The first check only requires the 4-byte ACE header to be in bounds; it does not require access_req (4 bytes at offset 4) to be readable. An attacker who has set a crafted DACL on a file they own can declare ace->size == 4 with aces_size == 4, pass both checks, and then

    granted |= le32_to_cpu(ace->access_req);   /* upper loop */
    compare_sids(&sid, &ace->sid);             /* lower loop */

reads access_req at offset 4 (OOB by up to 4 bytes) and ace->sid at offset 8 (OOB by up to CIFS_SID_BASE_SIZE + SID_MAX_SUB_AUTHORITIES * 4 bytes).

Tighten both loops to require

    ace_size >= offsetof(struct smb_ace, sid) + CIFS_SID_BASE_SIZE

which is the smallest valid on-wire ACE layout (4-byte header + 4-byte access_req + 8-byte sid base with zero sub-auths). Also reject ACEs whose sid.num_subauth exceeds SID_MAX_SUB_AUTHORITIES before letting compare_sids() dereference sub_auth[] entries. parse_sec_desc() already enforces an equivalent check (lines 441-448); smb_check_perm_dacl() simply grew weaker validation over time.

Reachability: authenticated SMB client with permission to set an ACL on a file. On a subsequent CREATE against that file, the kernel walks the stored DACL via smb_check_perm_dacl() and triggers the OOB read. Not pre-auth, and the OOB read is not reflected to the attacker, but KASAN reports and kernel state corruption are possible.
Meta Information
Published
2026-05-01
Last Modified
2026-05-06
Generated
2026-05-07
AI Q&A
2026-05-01
EPSS Evaluated
2026-05-05
Affected Vendors & Products
Vendor Product Version / Range
linux linux_kernel From 6.13 (inc) to 6.18.25 (exc)
linux linux_kernel From 6.19 (inc) to 7.0.2 (exc)
linux linux_kernel From 5.15 (inc) to 6.12.84 (exc)
CWE ID Description
CWE-787 The product writes data past the end, or before the beginning, of the intended buffer.
Note: the description above reports an out-of-bounds read, which corresponds to CWE-125 (Out-of-bounds Read); the CWE-787 (Out-of-bounds Write) mapping shown here does not match the bug or the fix as described.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's ksmbd component, specifically in the smb_check_perm_dacl() function. The issue arises because the function does not properly validate the size of Access Control Entries (ACEs) in a Discretionary Access Control List (DACL). While it checks if the remaining buffer is large enough, it does not ensure that the declared size of an ACE is at least as large as the structure it represents.

An attacker who can set a crafted DACL on a file they own can create an ACE with a declared size smaller than the actual structure size, bypassing the checks. This leads to out-of-bounds (OOB) reads when the kernel later processes the DACL during file creation, potentially reading memory beyond the intended bounds.

The vulnerability is triggered by an authenticated SMB client with permission to set an ACL on a file. It is not reachable before authentication, and the out-of-bounds bytes are not returned to the attacker, but it can cause kernel address sanitizer (KASAN) reports and kernel state corruption.


How can this vulnerability impact me? :

This vulnerability can impact you by allowing an authenticated SMB client with permission to set an ACL on a file to cause out-of-bounds memory reads in the kernel. The advisory describes a read, not a write, and the out-of-bounds bytes are not returned to the client, so it does not describe code execution or data disclosure; what it does describe is kernel address sanitizer (KASAN) reports and possible kernel state corruption.

Kernel state corruption can cause system instability, crashes, or unpredictable behavior, potentially affecting system availability and reliability.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves an out-of-bounds read triggered by a crafted DACL set by an authenticated SMB client on a file they own. Detecting an actual trigger relies on kernel diagnostics: KASAN reports naming smb_check_perm_dacl() only appear on kernels built with KASAN, which production systems rarely are, so on most hosts the read leaves no direct trace.

Since the vulnerability is triggered during a CREATE operation on a file with a malicious DACL, detection could include auditing SMB security-descriptor changes (SMB2 SET_INFO on the security descriptor) and subsequent CREATE operations against those files.

A more practical first step is to confirm exposure: check whether the ksmbd module is loaded (`lsmod | grep ksmbd`), compare the running kernel version (`uname -r`) against the affected ranges listed above, and check ksmbd.conf for shares with `vfs objects = acl_xattr`, the share-level option that makes ksmbd store and consult SMB ACLs. The advisory itself provides no detection commands or network signatures.


What immediate steps should I take to mitigate this vulnerability?

The vulnerability has been resolved by tightening validation in smb_check_perm_dacl() to require a minimum ACE size and reject malformed ACEs before dereferencing pointers.

Immediate mitigation steps include applying the updated Linux kernel patch that fixes this issue.

Until the patch is applied, restricting which SMB clients can set ACLs, or limiting share access to trusted users, reduces exposure; where ksmbd is not needed at all, not loading the module removes the attack surface entirely. Note that the ACL only has to be set once: each later CREATE against that file walks the stored DACL again.
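As an added worked example (not code from this page, the advisory, or ksmbd itself) for the ACE-walk checks quoted in the Description above and the fix summarized in this answer: a userspace model of the pre-fix and post-fix guards, side by side, run over a constructed DACL. The struct and constant names (struct smb_ace, struct smb_sid, CIFS_SID_BASE_SIZE, SID_MAX_SUB_AUTHORITIES) are assumed to mirror the kernel's smbacl.h; the sample bytes are constructed, not captured traffic; and the final check that sub_auth[] fits inside ace->size goes beyond what the advisory attributes to the patch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Userspace model of the on-wire ACE described above (4-byte header, 4-byte
 * access_req, SID = 8-byte base + up to 15 sub-authorities). Assumption: names
 * mirror the kernel's smbacl.h; this is an added example, not ksmbd code. */
#define NUM_AUTHS               6
#define SID_MAX_SUB_AUTHORITIES 15
#define CIFS_SID_BASE_SIZE      8

struct smb_sid {
	uint8_t  revision, num_subauth, authority[NUM_AUTHS];
	uint32_t sub_auth[SID_MAX_SUB_AUTHORITIES];
} __attribute__((packed));

struct smb_ace {
	uint8_t  type, flags;
	uint16_t size;          /* little-endian on the wire */
	uint32_t access_req;    /* offset 4 */
	struct smb_sid sid;     /* offset 8 */
} __attribute__((packed));

/* Smallest valid ACE: header + access_req + SID base with zero sub-auths (16). */
#define MIN_ACE_SIZE (offsetof(struct smb_ace, sid) + CIFS_SID_BASE_SIZE)

enum ace_verdict { ACE_OK, ACE_BUF_TOO_SHORT, ACE_UNDERSIZED, ACE_BAD_SUBAUTH, ACE_SID_OVERRUN };
static uint16_t rd_le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Pre-fix guard: header in bounds, ace->size <= remaining buffer. It never asks
 * whether ace->size covers access_req or the SID, so a declared size of 4 passes. */
static enum ace_verdict check_ace_old(const uint8_t *ace, size_t aces_size)
{
	if (offsetof(struct smb_ace, access_req) > aces_size) return ACE_BUF_TOO_SHORT;
	if (rd_le16(ace + offsetof(struct smb_ace, size)) > aces_size) return ACE_BUF_TOO_SHORT;
	return ACE_OK;
}

/* Post-fix guard: the old checks plus the MIN_ACE_SIZE floor and num_subauth cap
 * from the fix. The final check (sub_auth[] must fit inside ace->size) is this
 * example's own addition and is not attributed to the patch. */
static enum ace_verdict check_ace_new(const uint8_t *ace, size_t aces_size)
{
	if (offsetof(struct smb_ace, access_req) > aces_size) return ACE_BUF_TOO_SHORT;
	uint16_t ace_size = rd_le16(ace + offsetof(struct smb_ace, size));
	if (ace_size > aces_size) return ACE_BUF_TOO_SHORT;
	if (ace_size < MIN_ACE_SIZE) return ACE_UNDERSIZED;
	uint8_t num_subauth = ace[offsetof(struct smb_ace, sid) + offsetof(struct smb_sid, num_subauth)];
	if (num_subauth > SID_MAX_SUB_AUTHORITIES) return ACE_BAD_SUBAUTH;
	if (MIN_ACE_SIZE + (size_t)num_subauth * sizeof(uint32_t) > ace_size) return ACE_SID_OVERRUN;
	return ACE_OK;
}

/* Bytes the unpatched walker reads past the end of the buffer once it takes
 * access_req and lets compare_sids() read the SID (at most 15 sub-auths). */
static size_t oob_bytes_old(size_t aces_size, uint8_t num_subauth)
{
	if (num_subauth > SID_MAX_SUB_AUTHORITIES) num_subauth = SID_MAX_SUB_AUTHORITIES;
	size_t sid_end = MIN_ACE_SIZE + (size_t)num_subauth * sizeof(uint32_t);
	return sid_end > aces_size ? sid_end - aces_size : 0;
}

/* Walk an ACE array as the kernel loop does (bounded by num_aces, advancing by
 * ace->size) and return how many ACEs the guard accepts before it stops. */
static unsigned walk_dacl(const uint8_t *aces, size_t aces_size, unsigned num_aces,
			  enum ace_verdict (*guard)(const uint8_t *, size_t))
{
	unsigned accepted = 0;
	for (unsigned i = 0; i < num_aces; i++) {
		if (guard(aces, aces_size) != ACE_OK) break;
		uint16_t ace_size = rd_le16(aces + offsetof(struct smb_ace, size));
		accepted++;
		aces += ace_size;
		aces_size -= ace_size;
	}
	return accepted;
}

/* Constructed sample DACL (not captured traffic): a minimal valid 16-byte ACE
 * followed by the attacker's 4-byte ACE that declares size == 4. */
static const uint8_t sample_dacl[20] = {
	0x00, 0x00, 0x10, 0x00,  0xa9, 0x00, 0x12, 0x00,  /* ACE 1: size 16, access_req */
	0x01, 0x00, 0x00, 0x00,  0x00, 0x00, 0x00, 0x05,  /* ACE 1: SID rev 1, 0 sub-auths */
	0x00, 0x00, 0x04, 0x00,                           /* ACE 2: size 4, nothing else */
};
/* Constructed: like ACE 1 but num_subauth = 16, which exceeds the cap. */
static const uint8_t bad_subauth_ace[16] = {
	0x00, 0x00, 0x10, 0x00,  0xa9, 0x00, 0x12, 0x00,  0x01, 0x10, 0x00, 0x00,  0x00, 0x00, 0x00, 0x05 };

int main(void)
{
	printf("old guard accepts %u of 2 ACEs, new guard accepts %u; unpatched walker "
	       "could read %zu bytes past the 4-byte ACE\n",
	       walk_dacl(sample_dacl, sizeof sample_dacl, 2, check_ace_old),
	       walk_dacl(sample_dacl, sizeof sample_dacl, 2, check_ace_new),
	       oob_bytes_old(4, SID_MAX_SUB_AUTHORITIES));
	return 0;
}
```

check_ace_old() accepts the 4-byte ACE because both of its conditions are satisfied by a buffer that only holds the header; check_ace_new() rejects it as undersized before anything at offset 4 or 8 is touched, and separately rejects a SID whose num_subauth exceeds the cap. oob_bytes_old() turns the advisory's "up to CIFS_SID_BASE_SIZE + SID_MAX_SUB_AUTHORITIES * 4" into a concrete figure for a given remaining buffer, and walk_dacl() shows the loop-level effect: the unpatched guard walks both ACEs in the sample, the patched one stops at the second.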

