Out-of-Bounds Write Vulnerability in Linux Kernel ksmbd affecting Security Descriptor Handling
CVE-2026-31432
What is CVE-2026-31432?
A significant vulnerability has been identified in the Linux kernel's ksmbd component: an out-of-bounds write can occur in QUERY_INFO handling when processing compound requests. Specifically, if a compound request such as READ plus QUERY_INFO(Security) is made and the READ command consumes most of the designated response buffer, ksmbd may write outside the allocated buffer while building the security descriptor. The root cause is incorrect buffer size verification in the function smb2_get_info_sec(), where security descriptors derived from POSIX ACLs can be larger than expected. A recent patch addresses the issue with revised calculations of the required descriptor size, adequate buffer checks, and exact-size memory allocations.
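The fix pattern described above (size the descriptor first, check it against what the compound response has left, allocate exactly that size), as an added example: a simplified user-space model, not ksmbd's code. The struct, the function names and the 20/24-byte sizes are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Simplified user-space model, not ksmbd code. All names are hypothetical. */
#define HDR_LEN 20u   /* constructed fixed descriptor header size */
#define ACE_LEN 24u   /* constructed fixed per-entry size */

struct resp_buf {     /* one response buffer shared by a compound chain */
    uint8_t *base;
    size_t cap;       /* total allocated size */
    size_t used;      /* bytes consumed by earlier commands, e.g. READ */
};

/* Pass 1: exact size needed for a descriptor carrying n_aces entries. */
int secdesc_size(size_t n_aces, size_t *out)
{
    if (n_aces > (SIZE_MAX - HDR_LEN) / ACE_LEN)
        return -1;                    /* size arithmetic would overflow */
    *out = HDR_LEN + n_aces * ACE_LEN;
    return 0;
}

/* Pass 2: check the space left after earlier commands, build into a scratch
 * buffer of exactly the computed size, then copy it into the response. */
int query_info_sec(struct resp_buf *r, size_t n_aces)
{
    size_t need;
    uint8_t *tmp;

    if (r->used > r->cap || secdesc_size(n_aces, &need) < 0)
        return -1;
    if (need > r->cap - r->used)
        return -2;                    /* reject instead of writing past cap */
    tmp = calloc(1, need);            /* exact-size allocation */
    if (!tmp)
        return -3;
    tmp[0] = 1;                       /* placeholder revision byte */
    for (size_t i = 0; i < n_aces; i++)
        memset(tmp + HDR_LEN + i * ACE_LEN, 0xAC, ACE_LEN);
    memcpy(r->base + r->used, tmp, need);
    r->used += need;
    free(tmp);
    return 0;
}
```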
Affected Version(s)
Linux e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d
Linux e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d < 075ea208c648cc2bcd616295b711d3637c61de45
Linux e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d < 515c2daab46021221bdf406bef19bc90a44ec617