VYPR
High severity 7.1 · NVD Advisory · Published Apr 24, 2026 · Updated Apr 29, 2026

CVE-2026-31614

Description

In the Linux kernel, the following vulnerability has been resolved:

smb: client: fix off-by-8 bounds check in check_wsl_eas()

The bounds check uses (u8 *)ea + nlen + 1 + vlen as the end of the EA name and value, but ea_data sits at offset sizeof(struct smb2_file_full_ea_info) = 8 from ea, not at offset 0. The strncmp() later reads ea->ea_data[0..nlen-1] and the value bytes follow at ea_data[nlen+1..nlen+vlen], so the actual end is ea->ea_data + nlen + 1 + vlen. Isn't pointer math fun?

The earlier check (u8 *)ea > end - sizeof(*ea) only guarantees the 8-byte header is in bounds, but since the last EA is placed within 8 bytes of the end of the response, the name and value bytes are read past the end of iov.

Fix this mess all up by using ea->ea_data as the base for the bounds check.

An "untrusted" server can use this to leak up to 8 bytes of kernel heap into the EA name comparison and influence which WSL xattr the data is interpreted as.
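The difference between the old and corrected bounds checks described above, as an added user-space C model (not the kernel's code and not part of the commit). The struct field names other than ea_data, the helpers check_ea and ea_overrun, and the 24-byte sample response are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* User-space model of the 8-byte EA header. Only ea_data and the size 8
 * come from the advisory; the other field names are assumed. */
struct ea_info {
	uint32_t next_entry_offset;
	uint8_t  flags;
	uint8_t  ea_name_length;
	uint16_t ea_value_length;	/* little-endian on the wire */
	uint8_t  ea_data[];		/* name, NUL, value */
};
#define EA_HDR offsetof(struct ea_info, ea_data)	/* == 8 */

/* Constructed 24-byte response: the EA at offset 0 fits; the EA at offset
 * 16 has its header end exactly at the end of the buffer. Both claim a
 * 4-byte name and a 3-byte value. */
static const uint8_t sample[24] = { [5] = 4, [6] = 3, [21] = 4, [22] = 3 };

/* Returns 0 if the EA at byte offset off is accepted, -1 if rejected.
 * fixed == 0 models the old base (ea), fixed != 0 the corrected base
 * (ea->ea_data). Offsets replace pointers so nothing is read out of range. */
static int check_ea(const uint8_t *buf, size_t len, size_t off, int fixed)
{
	size_t nlen, vlen, base;

	if (len < EA_HDR || off > len - EA_HDR)	/* header in bounds? */
		return -1;
	nlen = buf[off + offsetof(struct ea_info, ea_name_length)];
	vlen = buf[off + offsetof(struct ea_info, ea_value_length)] |
	       (size_t)buf[off + offsetof(struct ea_info, ea_value_length) + 1] << 8;
	base = fixed ? off + EA_HDR : off;
	return base + nlen + 1 + vlen > len ? -1 : 0;
}

/* Bytes beyond the buffer that the name and value of this EA span. */
static size_t ea_overrun(size_t len, size_t off, size_t nlen, size_t vlen)
{
	size_t last = off + EA_HDR + nlen + 1 + vlen;
	return last > len ? last - len : 0;
}

int main(void)
{
	printf("old=%d fixed=%d overrun=%zu\n",
	       check_ea(sample, sizeof(sample), 16, 0),
	       check_ea(sample, sizeof(sample), 16, 1),
	       ea_overrun(sizeof(sample), 16, 4, 3));
	return 0;
}
```

For the EA at offset 16 the old base accepts an entry whose name and value lie entirely past the end of the response, while the corrected base rejects it.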

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Off-by-8 bounds check in Linux kernel's check_wsl_eas() allows untrusted SMB servers to leak up to 8 bytes of kernel heap memory and influence WSL xattr interpretation.

Vulnerability

An off-by-8 bounds check error exists in the Linux kernel's SMB client, specifically in the check_wsl_eas() function. The bounds check incorrectly uses the start of the EA struct (ea), which is 8 bytes before the actual ea_data field, as the base for the end-of-buffer calculation. This allows an out-of-bounds read of up to 8 bytes past the end of the iov buffer when a server places the last EA entry within 8 bytes of the response end [1][2][3][4].

Exploitation

An untrusted SMB server can exploit this by crafting a malicious response that positions the final EA entry such that the EA name and value bytes are read beyond the allocated buffer. No authentication beyond connecting to the server is required [1][2][3][4].

Impact

The out-of-bounds read can leak up to 8 bytes of kernel heap memory, which may influence the EA name comparison and thereby affect which WSL (Windows Subsystem for Linux) extended attribute the data is interpreted as. This could lead to information disclosure or manipulation of WSL xattr data, depending on server-controlled content [1][2][3][4].

Mitigation

The fix corrects the bounds check to use ea->ea_data as the base, preventing the off-by-8 error. Patches are available in the Linux kernel stable tree (references [1]-[4]). Users should apply the latest kernel updates to mitigate this vulnerability.

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2


References

6
