CVE-2026-31611
Description
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: require 3 sub-authorities before reading sub_auth[2]
parse_dacl() compares each ACE SID against sid_unix_NFS_mode and on match reads sid.sub_auth[2] as the file mode. If sid_unix_NFS_mode is the prefix S-1-5-88-3 with num_subauth = 2, then compare_sids() compares only min(num_subauth, 2) sub-authorities, so a client SID with num_subauth = 2 and sub_auth = {88, 3} will match.
If num_subauth = 2 and the ACE is placed at the very end of the security descriptor, sub_auth[2] will be 4 bytes past end_of_acl. The out-of-band bytes will then be masked to the low 9 bits and applied as the file's POSIX mode, probably not something that is good to have happen.
Fix this up by forcing the SID to actually carry a third sub-authority before reading it at all.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An out-of-bounds read in ksmbd's DACL parsing can corrupt POSIX file modes.
Root Cause
In the Linux ksmbd server, parse_dacl() compares each ACE's SID against a known prefix, S-1-5-88-3 (sid_unix_NFS_mode), which marks NFS-style special SIDs. On a match it reads the third sub-authority (sub_auth[2]) directly and interprets it as the file's POSIX permission bits. The comparison, however, only checks as many sub-authorities as the shorter of the two SIDs carries, and the reference prefix has just two. A client SID with only two sub-authorities (S-1-5-88-3 with num_subauth = 2) therefore matches, and the code still reads sub_auth[2], 4 bytes beyond the SID the client actually sent [1][2][3].
Attack Surface
The bug is reached by a remote SMB client that gets ksmbd to parse a client-supplied security descriptor; in ksmbd that is a set-security-information request on an open file, so in practice the client needs an established session and a handle on the file. The client crafts a security descriptor whose DACL contains an ACE with an S-1-5-88-3 SID carrying only 2 sub-authorities and places that ACE at the very end of the descriptor, so that sub_auth[2] lies past end_of_acl. When parse_dacl() processes that ACE, the read goes beyond the end of the ACL [Description][4].
Impact
The four bytes read past the ACL are masked to their low 9 bits and applied as the file's POSIX mode. The value comes from whatever happens to follow the ACL in memory rather than from the SID itself, so the client does not choose it directly, but it still silently replaces the intended permissions of a file exposed via ksmbd and can leave the file more permissive than intended, potentially allowing unauthorized access. The resulting mode depends on the memory layout adjacent to the ACL.
Mitigation
The fix, present in the stable kernel commits listed under References, checks that the SID actually carries at least three sub-authorities before sub_auth[2] is read, so the out-of-bounds read cannot occur. Users should update to a kernel version that contains the fix.
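The root cause and the fix described above, as an added example that is not ksmbd's code: a simplified userspace re-implementation of the prefix comparison and of the DACL walk, run over a constructed security descriptor whose last ACE carries S-1-5-88-3 with only two sub-authorities. The wire layouts (ACL header, ACE header, SID header) follow the SMB security-descriptor format; the names rd16/rd32/wr16/wr32, matches_nfs_mode_prefix, parse_dacl_mode, build_nfs_mode_acl and mode_for are this example's own, and the `trailer` bytes written after end_of_acl stand in for whatever follows the ACL in the kernel's buffer (here they are inside the same stack array, so the demonstration itself stays memory-safe). The `hardened` flag applies the check the fix adds, requiring num_subauth >= 3 before sub_auth[2] is read.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NUM_AUTHS   6
#define ACL_HDR_LEN 8   /* revision, sbz1, size:2, num_aces:2, sbz2:2 */
#define ACE_HDR_LEN 8   /* type, flags, size:2, access_mask:4 */
#define SID_HDR_LEN 8   /* revision, num_subauth, 6 authority bytes */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | (uint32_t)rd16(p + 2) << 16; }
static void wr16(uint8_t *p, uint16_t v) { p[0] = v & 0xff; p[1] = v >> 8; }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, v & 0xffff); wr16(p + 2, v >> 16); }

/* Reference SID S-1-5-88-3 (the role of sid_unix_NFS_mode): authority 5, sub-auths {88, 3}. */
static const uint8_t  NFS_MODE_AUTH[NUM_AUTHS] = {0, 0, 0, 0, 0, 5};
static const uint32_t NFS_MODE_SUBAUTH[2] = {88, 3};

/* Prefix comparison in the style of compare_sids(): only min(a, b) sub-authorities
 * are compared, so a client SID carrying just {88, 3} matches. 0 means match. */
static int matches_nfs_mode_prefix(const uint8_t *sid)
{
    if (sid[0] != 1 || memcmp(sid + 2, NFS_MODE_AUTH, NUM_AUTHS) != 0)
        return 1;
    int n = sid[1] < 2 ? sid[1] : 2;
    for (int i = 0; i < n; i++)
        if (rd32(sid + SID_HDR_LEN + 4 * i) != NFS_MODE_SUBAUTH[i])
            return 1;
    return 0;
}

/* Walk a DACL and return the POSIX mode taken from an S-1-5-88-3 ACE, or -1 if none or
 * malformed. `hardened` adds the fix's check (num_subauth >= 3 before reading
 * sub_auth[2]). *oob (may be NULL) is set when the mode read extends past end_of_acl. */
static int parse_dacl_mode(const uint8_t *acl, size_t acl_len, int hardened, int *oob)
{
    const uint8_t *end_of_acl = acl + acl_len, *p = acl + ACL_HDR_LEN;
    int mode = -1;

    if (oob) *oob = 0;
    if (acl_len < ACL_HDR_LEN)
        return -1;
    for (unsigned i = 0, n = rd16(acl + 4); i < n; i++) {
        if (p + ACE_HDR_LEN + SID_HDR_LEN > end_of_acl)
            return -1;
        const uint8_t *sid = p + ACE_HDR_LEN, *sub_auth = sid + SID_HDR_LEN;
        /* The declared sub-authorities must fit. This passes for a 2-subauthority SID
         * and says nothing about sub_auth[2], which is the whole problem. */
        if (sub_auth + 4u * sid[1] > end_of_acl)
            return -1;
        if (matches_nfs_mode_prefix(sid) == 0 && (!hardened || sid[1] >= 3)) {
            if (oob && sub_auth + 12 > end_of_acl)
                *oob = 1;                            /* vulnerable path: read past end_of_acl */
            mode = (int)(rd32(sub_auth + 8) & 0777); /* sub_auth[2], low 9 bits -> file mode */
        }
        uint16_t ace_size = rd16(p + 2);
        if (ace_size < ACE_HDR_LEN + SID_HDR_LEN)
            return -1;
        p += ace_size;
    }
    return mode;
}

/* Constructed sample input: one ACCESS_ALLOWED ACE, SID S-1-5-88-3 with 2 or 3 sub-auths
 * (the third carries `mode`), placed last in the ACL. `trailer` fills the 4 bytes after
 * end_of_acl, standing in for whatever follows the ACL in memory. Returns the ACL length. */
static size_t build_nfs_mode_acl(uint8_t *buf, size_t buf_len, uint8_t num_subauth,
                                 uint32_t mode, uint32_t trailer)
{
    size_t ace_len = ACE_HDR_LEN + SID_HDR_LEN + 4u * num_subauth, acl_len = ACL_HDR_LEN + ace_len;
    uint8_t *ace = buf + ACL_HDR_LEN, *sid = ace + ACE_HDR_LEN;
    if (num_subauth < 2 || num_subauth > 3 || buf_len < acl_len + 4)
        return 0;
    memset(buf, 0, acl_len + 4);
    buf[0] = 2;                                   /* ACL revision; sbz fields stay 0 */
    wr16(buf + 2, (uint16_t)acl_len);
    wr16(buf + 4, 1);                             /* one ACE */
    wr16(ace + 2, (uint16_t)ace_len);             /* type 0 = ACCESS_ALLOWED, flags 0 */
    wr32(ace + 4, 0x001f01ff);                    /* access mask, arbitrary */
    sid[0] = 1;                                   /* SID revision */
    sid[1] = num_subauth;
    memcpy(sid + 2, NFS_MODE_AUTH, NUM_AUTHS);
    wr32(sid + SID_HDR_LEN, 88);
    wr32(sid + SID_HDR_LEN + 4, 3);
    if (num_subauth == 3)
        wr32(sid + SID_HDR_LEN + 8, mode);
    wr32(buf + acl_len, trailer);                 /* the 4 bytes past end_of_acl */
    return acl_len;
}

/* Build the sample and run it through the vulnerable (hardened = 0) or fixed parser. */
static int mode_for(int hardened, uint8_t num_subauth, uint32_t mode, uint32_t trailer, int *oob)
{
    uint8_t buf[64];                              /* ACL plus trailer stays inside this array */
    size_t n = build_nfs_mode_acl(buf, sizeof buf, num_subauth, mode, trailer);
    return n ? parse_dacl_mode(buf, n, hardened, oob) : -1;
}

int main(void)
{
    int oob = 0, m = mode_for(0, 2, 0, 0x41414141, &oob);
    printf("vulnerable, 2 sub-auths: mode=%04o oob=%d\n", m, oob);
    printf("hardened,   2 sub-auths: mode=%d\n", mode_for(1, 2, 0, 0, NULL));
    printf("hardened,   3 sub-auths: mode=%04o\n", mode_for(1, 3, 0640, 0, NULL));
    return 0;
}
```

With the 2-subauthority ACE the vulnerable walk passes the existing "declared sub-authorities fit" check, matches the prefix, and takes the mode from the trailer bytes (0x41414141 masked to 9 bits gives 0501), flagging that the read went past end_of_acl; the hardened walk skips that ACE and returns -1, while a well-formed 3-subauthority SID still yields its mode (0640) without any out-of-bounds access.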
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0 (no patches discovered yet)
References (6)
- https://git.kernel.org/stable/c/08f9e6d899b5c834bbcc239eae1bed58d9b15d2c (nvd: Patch)
- https://git.kernel.org/stable/c/46bbcd3ebfb3549c8da1838fc4493e79bd3241e7 (nvd: Patch)
- https://git.kernel.org/stable/c/53370cf9090777774e07fd9a8ebce67c6cc333ab (nvd: Patch)
- https://git.kernel.org/stable/c/9401f86a224f37b50e6a3ccf1d46a70d5ef8af0a (nvd: Patch)
- https://git.kernel.org/stable/c/b5b5d5936a50497fb151c0b122899a6894721c2b (nvd: Patch)
- https://git.kernel.org/stable/c/d2454f4a002d08560a60f214f392e6491cf11560 (nvd: Patch)