CVE-2026-31433
Description
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: fix potential OOB in get_file_all_info() for compound requests

When a compound request consists of QUERY_DIRECTORY + QUERY_INFO (FILE_ALL_INFORMATION) and the first command consumes nearly the entire max_trans_size, get_file_all_info() would blindly call smbConvertToUTF16() with PATH_MAX, causing an out-of-bounds write beyond the response buffer.

In get_file_all_info(), there was a missing validation check for the client-provided OutputBufferLength before copying the filename into the FileName field of the smb2_file_all_info structure. If the filename length exceeds the available buffer space, it could lead to potential buffer overflows or memory corruption during smbConvertToUTF16 conversion.

This patch calculates the actual free buffer size using smb2_calc_max_out_buf_len(), returns -EINVAL if the buffer is insufficient, and updates smbConvertToUTF16 to use the actual filename length (clamped by PATH_MAX) to ensure a safe copy operation.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An out-of-bounds write vulnerability in Linux kernel's ksmbd SMB server allows remote authenticated users to cause memory corruption via a crafted compound request.
Vulnerability
Description
The vulnerability resides in the get_file_all_info() function of the Linux kernel's ksmbd (SMB/CIFS) server. When processing a compound SMB2 request that consists of a QUERY_DIRECTORY command followed by a QUERY_INFO command for FILE_ALL_INFORMATION, the server fails to validate the client-provided OutputBufferLength before copying the filename into the FileName field of the smb2_file_all_info structure. If the first command consumes nearly the entire max_trans_size, the remaining buffer space is insufficient, yet smbConvertToUTF16() is called with PATH_MAX as the length, leading to an out-of-bounds write beyond the response buffer [1][2].
Exploitation
Prerequisites
An attacker must have valid SMB credentials and be able to send crafted compound SMB2 requests to the ksmbd server. The attack requires no special network position beyond access to the SMB share. The bug is triggered when the QUERY_DIRECTORY command uses almost all of the negotiated max_trans_size, leaving inadequate space for the subsequent QUERY_INFO response. The missing check on OutputBufferLength allows the filename copy to exceed the allocated buffer [3].
Impact
Successful exploitation results in memory corruption within the kernel context. This can lead to a denial of service (system crash) or, potentially, arbitrary code execution with kernel privileges. The CVSS v3 score of 8.8 (High) reflects the high impact on confidentiality, integrity, and availability, given the low complexity and network-based attack vector [4].
Mitigation
The fix introduces a validation step using smb2_calc_max_out_buf_len() to compute the actual free buffer size and returns -EINVAL if the buffer is insufficient. Additionally, smbConvertToUTF16() now uses the actual filename length (clamped by PATH_MAX) to ensure a safe copy. Patches have been applied to multiple stable kernel branches; users should update to the latest patched version immediately [1][2][3][4].
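The check the fix describes, as an added C model that is not ksmbd's code: the response-buffer struct, the fixed-part size of the info record, and the converter are constructed stand-ins for the kernel's response buffer, smb2_file_all_info, smb2_calc_max_out_buf_len() and smbConvertToUTF16(). It sizes the reply from the real (PATH_MAX-clamped) name length, rejects with -EINVAL when the remaining space or the client's OutputBufferLength cannot hold it, and contrasts that with the unchecked PATH_MAX worst case the old code assumed.

```c
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

/* Constructed model of the response buffer shared by all commands of a
 * compound request: max_trans_size bytes in total, `used` of which earlier
 * commands (e.g. QUERY_DIRECTORY) have already filled. Hypothetical type. */
struct rsp_buf {
    uint8_t *data;
    size_t   max_trans_size;
    size_t   used;
};

/* Hypothetical size of the fixed part of smb2_file_all_info that precedes
 * the variable-length FileName field; the real layout is not modelled. */
#define FILE_ALL_INFO_FIXED_LEN 100u

/* Stand-in for smb2_calc_max_out_buf_len(): bytes still available for this
 * command's output, i.e. the free space left in the response buffer, further
 * limited by the client's OutputBufferLength. Negative errno on bad state. */
static long calc_max_out_buf_len(const struct rsp_buf *rsp, uint32_t output_buffer_length)
{
    if (rsp->used > rsp->max_trans_size)
        return -EINVAL;
    size_t free_space = rsp->max_trans_size - rsp->used;
    if (free_space > output_buffer_length)
        free_space = output_buffer_length;
    return (long)free_space;
}

/* Actual filename length clamped by PATH_MAX, which the fix passes to the
 * converter instead of PATH_MAX itself. */
static size_t clamped_name_len(const char *filename)
{
    size_t n = 0;
    while (n < PATH_MAX && filename[n] != '\0')
        n++;
    return n;
}

/* Toy ASCII-to-UTF-16LE conversion standing in for smbConvertToUTF16():
 * writes exactly 2 * nchars bytes and returns that count. */
static size_t to_utf16le(uint8_t *dst, const char *src, size_t nchars)
{
    for (size_t i = 0; i < nchars; i++) {
        dst[2 * i]     = (uint8_t)src[i];
        dst[2 * i + 1] = 0;
    }
    return 2 * nchars;
}

/* Old behaviour, described rather than performed: the unpatched path handed
 * PATH_MAX characters to the converter regardless of free space. Returns 1
 * if that worst case would run past the response buffer, 0 otherwise. */
static int unchecked_copy_would_overflow(const struct rsp_buf *rsp)
{
    size_t worst_case = FILE_ALL_INFO_FIXED_LEN + (size_t)PATH_MAX * 2;
    if (rsp->used > rsp->max_trans_size)
        return 1;
    return rsp->max_trans_size - rsp->used < worst_case;
}

/* Hardened get_file_all_info() in the shape of the fix: compute the reply
 * size from the real name length, reject with -EINVAL when it does not fit,
 * and only then convert. Returns the number of bytes appended on success. */
static int get_file_all_info_checked(struct rsp_buf *rsp, uint32_t output_buffer_length,
                                     const char *filename)
{
    size_t name_len = clamped_name_len(filename);
    size_t need = FILE_ALL_INFO_FIXED_LEN + name_len * 2;
    long avail = calc_max_out_buf_len(rsp, output_buffer_length);

    if (avail < 0)
        return (int)avail;
    if ((size_t)avail < need)
        return -EINVAL;                 /* the check that was missing */

    uint8_t *info = rsp->data + rsp->used;
    memset(info, 0, FILE_ALL_INFO_FIXED_LEN);   /* fixed part, zeroed in this model */
    to_utf16le(info + FILE_ALL_INFO_FIXED_LEN, filename, name_len);
    rsp->used += need;
    return (int)need;
}

int main(void)
{
    static uint8_t buf[65536];
    struct rsp_buf rsp = { buf, sizeof buf, 0 };

    /* Constructed compound: QUERY_DIRECTORY left only 64 bytes of the buffer. */
    rsp.used = sizeof buf - 64;
    printf("unchecked PATH_MAX copy would overflow: %d\n", unchecked_copy_would_overflow(&rsp));
    printf("checked copy result: %d\n", get_file_all_info_checked(&rsp, 4096, "report.txt"));

    /* Same request with ample room: the reply is appended normally. */
    rsp.used = 1024;
    printf("checked copy with room: %d bytes\n", get_file_all_info_checked(&rsp, 4096, "report.txt"));
    return 0;
}
```

The two inputs to the size check are the ones the advisory names: what is physically left in the response buffer after the earlier commands of the compound, and what the client said it is willing to receive in OutputBufferLength. Clamping the name length to PATH_MAX bounds the request; checking it against the smaller of those two values is what keeps the converter inside the buffer.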
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (7)
- git.kernel.org/stable/c/358cdaa1f7fbf2712cb4c5f6b59cb9a5c673c5fe (nvd)
- git.kernel.org/stable/c/3a852f9d1c981fb14f6bf4e24999e0ea8088a7d7 (nvd)
- git.kernel.org/stable/c/4cca3eff2099b18672934a39cee70aed835d652c (nvd)
- git.kernel.org/stable/c/7aec5a769d2356cbf344d85bcfd36de592ac96a5 (nvd)
- git.kernel.org/stable/c/9d7032851d6f5adbe2739601ca456c0ad3b422f0 (nvd)
- git.kernel.org/stable/c/b0cd9725fe2bcc9f37d096b132318a9060373f5d (nvd)
- git.kernel.org/stable/c/beef2634f81f1c086208191f7228bce1d366493d (nvd)
News mentions (0)
No linked articles in our index yet.