VYPR
Critical severity 9.8 · NVD Advisory · Published Apr 22, 2026 · Updated Apr 27, 2026

CVE-2026-31478

Description

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: replace hardcoded hdr2_len with offsetof() in smb2_calc_max_out_buf_len()

After this commit (e2b76ab8b5c9 "ksmbd: add support for read compound"), response buffer management was changed to use dynamic iov array. In the new design, smb2_calc_max_out_buf_len() expects the second argument (hdr2_len) to be the offset of ->Buffer field in the response structure, not a hardcoded magic number. Fix the remaining call sites to use the correct offsetof() value.
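An added illustration (not code from the kernel or from the fix commit) of the contract the commit message describes: a constructed response struct and a simplified stand-in for smb2_calc_max_out_buf_len(), where the struct layout, the stale constant and the buffer sizes are all assumptions, showing how a hardcoded hdr2_len that disagrees with offsetof(..., Buffer) overstates the space left for payload.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for an SMB2 response PDU (not ksmbd's real layout):
 * a fixed 16-byte header followed by the variable-length Buffer field. */
struct fake_smb2_rsp {
    uint16_t StructureSize;
    uint8_t  Flags, Reserved;
    uint32_t Reserved2;
    uint64_t CreationTime;
    uint8_t  Buffer[];            /* payload starts here: offsetof() == 16 */
} __attribute__((packed));

/* Constructed model of how smb2_calc_max_out_buf_len() uses hdr2_len: payload
 * bytes that fit after what is already used plus the header before Buffer.
 * The real kernel function's arguments and checks differ; -1 stands in for -EINVAL. */
int calc_max_out_buf_len(size_t response_sz, size_t used, unsigned short hdr2_len)
{
    long free_len = (long)response_sz - (long)used - (long)hdr2_len;
    return free_len < 0 ? -1 : (int)free_len;
}

/* Correct pattern from the fix: derive the header length from the struct. */
int max_payload_with_offsetof(size_t response_sz, size_t used)
{
    return calc_max_out_buf_len(response_sz, used,
                                offsetof(struct fake_smb2_rsp, Buffer));
}

/* Defective pattern the commit removes: a hand-maintained magic number (an
 * assumed value here) that no longer matches the offset of Buffer. */
#define STALE_HDR2_LEN 8
int max_payload_with_magic(size_t response_sz, size_t used)
{
    return calc_max_out_buf_len(response_sz, used, STALE_HDR2_LEN);
}

/* Bytes the magic-number variant over-promises: room the caller believes it
 * has but the response buffer does not actually contain. */
int overpromised_bytes(size_t response_sz, size_t used)
{
    return max_payload_with_magic(response_sz, used)
         - max_payload_with_offsetof(response_sz, used);
}

int main(void)
{
    printf("offsetof-based=%d magic-based=%d over-promised=%d\n",
           max_payload_with_offsetof(64, 40), max_payload_with_magic(64, 40),
           overpromised_bytes(64, 40));   /* constructed sizes: prints 8 16 8 */
    return 0;
}
```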

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A critical vulnerability in the Linux kernel's ksmbd SMB server: call sites pass hardcoded header lengths instead of offsetof() values, potentially leading to a buffer overflow and remote code execution.

The vulnerability resides in the ksmbd kernel module, which implements an SMB server. After commit e2b76ab8b5c9 introduced dynamic iov array management for response buffers, the function smb2_calc_max_out_buf_len() was updated to expect the offset of the Buffer field in the response structure as its second argument. However, several call sites continued to pass hardcoded header length values instead of the correct offsetof() value [1]. This discrepancy leads to incorrect buffer size calculations.

An unauthenticated remote attacker can exploit this by sending specially crafted SMB2 compound requests. The miscalculated buffer size can cause the kernel to write beyond the allocated buffer, resulting in a heap-based buffer overflow. No authentication is required, and the attack can be launched over the network.

Successful exploitation could allow an attacker to execute arbitrary code in the context of the kernel, leading to full system compromise. Given the critical CVSS score of 9.8, this vulnerability poses a severe risk to systems running the affected ksmbd versions.

The Linux kernel stable tree has released patches that replace the hardcoded values with the correct offsetof() calls [1][2][3][4]. Users are strongly advised to update their kernels to the latest stable release. No workaround is available; updating is the only mitigation.

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (9)

  • Linux/Kernel: 9 versions
    • cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*range: >=5.15.145,<5.15.203
    • cpe:2.3:o:linux:linux_kernel:6.6:-:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (7)

News mentions (0)

No linked articles in our index yet.