CVE-2026-31432
Description
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: fix OOB write in QUERY_INFO for compound requests
When a compound request such as READ + QUERY_INFO(Security) is received, and the first command (READ) consumes most of the response buffer, ksmbd could write beyond the allocated buffer while building a security descriptor.
The root cause was that smb2_get_info_sec() checked buffer space using ppntsd_size from xattr, while build_sec_desc() often synthesized a significantly larger descriptor from POSIX ACLs.
This patch introduces smb_acl_sec_desc_scratch_len() to accurately compute the final descriptor size beforehand, performs proper buffer checking with smb2_calc_max_out_buf_len(), and uses exact-sized allocation + iov pinning.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A buffer-size mismatch in ksmbd's QUERY_INFO handling for compound SMB2 requests can cause an out-of-bounds write, leading to memory corruption.
Vulnerability
CVE-2026-31432 is an out-of-bounds (OOB) write vulnerability in the ksmbd kernel module, which implements the SMB2 protocol in the Linux kernel. The bug occurs in the smb2_get_info_sec() function when processing a compound request that includes a QUERY_INFO (Security) command. The root cause is a mismatch between the buffer space check performed using ppntsd_size (which reads the security descriptor size from extended attributes) and the actual size of the descriptor synthesized by build_sec_desc() from POSIX ACLs. The synthesized descriptor can be significantly larger, leading to a write beyond the allocated response buffer [1][2].
Exploitation
An attacker can trigger this vulnerability by sending a crafted compound SMB2 request, such as a READ followed by a QUERY_INFO (Security) command. The first command (READ) consumes most of the response buffer, leaving insufficient space for the security descriptor. When build_sec_desc() generates a descriptor larger than the remaining space, the OOB write occurs. No special privileges are required beyond the ability to send SMB2 requests to the server [1][2].
Impact
Successful exploitation results in memory corruption beyond the allocated buffer. This can lead to a denial of service (system crash) or, potentially, arbitrary code execution in the kernel context, depending on the memory layout. The CVSS v3 score of 8.8 (High) reflects the high impact on confidentiality, integrity, and availability [1][2].
Mitigation
The fix introduces smb_acl_sec_desc_sec_desc_scratch_len() to accurately compute the final descriptor size beforehand, performs proper buffer checking with smb2_calc_max_out_buf_len(), and uses exact-sized allocation with iov pinning. The patch has been applied to the stable kernel tree [1][2][3][4]. Users should update to the latest kernel version containing this commit.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.