CVE-2026-31432
Published: Apr 22, 2026
Modified: May 23, 2026
CVSS v3.1
8.8
Description
In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix OOB write in QUERY_INFO for compound requests When a compound request such as READ + QUERY_INFO(Security) is received, and the first command (READ) consumes most of the response buffer, ksmbd could write beyond the allocated buffer while building a security descriptor. The root cause was that smb2_get_info_sec() checked buffer space using ppntsd_size from xattr, while build_sec_desc() often synthesized a significantly larger descriptor from POSIX ACLs. This patch introduces smb_acl_sec_desc_scratch_len() to accurately compute the final descriptor size beforehand, performs proper buffer checking with smb2_calc_max_out_buf_len(), and uses exact-sized allocation + iov pinning.
| Vendor | Product | Versions |
|---|---|---|
Linux | Linux | affected e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d - < d48c64fb80ad78b3dd29fb7d79b6ec7bd72bfc09affected e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d - < 075ea208c648cc2bcd616295b711d3637c61de45affected e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d - < 515c2daab46021221bdf406bef19bc90a44ec617affected e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d - < fda9522ed6afaec45cabc198d8492270c394c7bcaffected f2283680a80571ca82d710bc6ecd8f8beac67d63+3 more versions |
Linux | Linux | affected 6.6unaffected 0 - < 6.6unaffected 6.12.81 - <= 6.12.*unaffected 6.18.22 - <= 6.18.*unaffected 6.19.12 - <= 6.19.*+1 more versions |
CVSS v3.1 Details
CVSS v3.1 Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Security Training
Train your team to recognize and prevent security threats with our comprehensive security awareness program.
Start TrainingVulnerability Scanning
Discover vulnerabilities in your applications and infrastructure before attackers do.
Scan Now