VYPR
High severity 7.5 · NVD Advisory · Published Apr 24, 2026 · Updated Apr 29, 2026

CVE-2026-31612

Description

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: validate EaNameLength in smb2_get_ea()

smb2_get_ea() reads ea_req->EaNameLength from the client request and passes it directly to strncmp() as the comparison length without verifying that the length of the name really is the size of the input buffer received.

Fix this up by properly checking the size of the name based on the value received and the overall size of the request, to prevent a later strncmp() call from using the length as a "trusted" size of the buffer. Without this check, uninitialized heap values might be slowly leaked to the client.
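The length check described above, as an added example (not ksmbd's code or the upstream patch): a user-space C model of one get-EA request entry, assumed here to be a 4-byte NextEntryOffset, a 1-byte EaNameLength and then the name bytes. The function names, the status enum and the sample requests are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical simplified entry: NextEntryOffset (4) + EaNameLength (1) + name. */
#define EA_REQ_HDR 5u
enum ea_status { EA_INVALID = -1, EA_MATCH = 0, EA_NO_MATCH = 1 };

/* Before: the client-supplied length is trusted, so strncmp() may read
 * past the bytes that were actually received. Shown for contrast only. */
int ea_name_unchecked(const uint8_t *buf, const char *stored)
{
    return strncmp((const char *)buf + EA_REQ_HDR, stored, buf[4]) == 0
               ? EA_MATCH : EA_NO_MATCH;
}

/* After: buf_len is the number of bytes really received; the declared
 * name length must fit inside it before any comparison happens. */
int ea_name_checked(const uint8_t *buf, size_t buf_len, const char *stored)
{
    if (buf_len < EA_REQ_HDR)
        return EA_INVALID;               /* header itself is truncated */

    size_t name_len = buf[4];            /* untrusted length field */
    if (name_len > buf_len - EA_REQ_HDR)
        return EA_INVALID;               /* name would extend past the request */

    if (strlen(stored) != name_len)
        return EA_NO_MATCH;
    return memcmp(buf + EA_REQ_HDR, stored, name_len) == 0
               ? EA_MATCH : EA_NO_MATCH;
}

/* Constructed sample requests (not captured traffic). */
static const uint8_t req_ok[]  = {0, 0, 0, 0, 4, 'd', 'a', 't', 'a'};
static const uint8_t req_bad[] = {0, 0, 0, 0, 200, 'd', 'a'}; /* claims 200, carries 2 */

int main(void)
{
    printf("well-formed: %d\n", ea_name_checked(req_ok, sizeof req_ok, "data"));
    printf("oversized length: %d\n", ea_name_checked(req_bad, sizeof req_bad, "data"));
    return 0;
}
```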

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

In the Linux kernel's ksmbd, a missing validation of EaNameLength in smb2_get_ea() could allow an attacker to leak uninitialized heap data via strncmp() without proper bounds checking.

The vulnerability resides in the ksmbd SMB server implementation of the Linux kernel. The function smb2_get_ea() reads the EaNameLength field from an SMB2 extended attribute request without verifying that the value corresponds to the actual size of the received buffer. This unchecked length is then used as the comparison limit in a strncmp() call, leading to out-of-bounds reads from heap memory [1][2].

An attacker can exploit this by sending a crafted SMB2 request with a manipulated EaNameLength field. No prior authentication is required if the server allows guest access. The attack is network-based and only requires the ability to send SMB packets to the target system [3][4].

Successful exploitation results in the leakage of uninitialized heap data, which may contain sensitive information from other kernel or user-space processes. This information disclosure could facilitate further attacks against the system. The vulnerability is rated High with a CVSS v3 score of 7.5 [1].

The issue is fixed in the Linux kernel by adding proper validation of EaNameLength against the actual buffer size. Patches have been backported to stable kernel releases. Administrators are advised to apply the latest updates to mitigate the risk [1][2][3][4].

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

3
