CVE-2026-31704
Description
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: use check_add_overflow() to prevent u16 DACL size overflow
set_posix_acl_entries_dacl() and set_ntacl_dacl() accumulate ACE sizes in u16 variables. When a file has many POSIX ACL entries, the accumulated size can wrap past 65535, causing the pointer arithmetic (char *)pndace + *size to land within already-written ACEs. Subsequent writes then overwrite earlier entries, and pndacl->size gets a truncated value.
Use check_add_overflow() at each accumulation point to detect the wrap before it corrupts the buffer, consistent with existing check_mul_overflow() usage elsewhere in smbacl.c.
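The accumulation pattern described above, modelled in userspace as an added example (this is not ksmbd's own code): the naive u16 sum wraps silently, while the checked version uses __builtin_add_overflow(), which is what the kernel's check_add_overflow() expands to, and stops before anything is written. The ACE size is a constructed value; real ksmbd ACEs vary in length with the SID.

```c
/* Added example, not taken from ksmbd: models the u16 DACL size accumulation
 * from set_posix_acl_entries_dacl()/set_ntacl_dacl() in userspace.
 * check_add_overflow() in the kernel wraps __builtin_add_overflow(),
 * which is called directly here. */
#include <stdint.h>
#include <stdbool.h>

/* Constructed ACE size for illustration; real ACE sizes depend on the SID. */
#define EXAMPLE_ACE_SIZE 28

/* Naive accumulation, mirroring the pre-fix pattern: the u16 total wraps
 * past 65535 and the caller has no way to tell that it did. A pointer
 * computed as (char *)pndace + size would then point back inside
 * already-written entries. */
static uint16_t naive_dacl_size(unsigned int nace, uint16_t ace_size)
{
	uint16_t size = 0;

	for (unsigned int i = 0; i < nace; i++)
		size += ace_size;	/* silently wraps modulo 65536 */
	return size;
}

/* Checked accumulation, mirroring the fix: returns false as soon as one
 * addition would wrap, leaving *out untouched, so no buffer write happens
 * with a truncated size. */
static bool checked_dacl_size(unsigned int nace, uint16_t ace_size,
			      uint16_t *out)
{
	uint16_t size = 0;

	for (unsigned int i = 0; i < nace; i++) {
		/* true when size + ace_size does not fit in a u16 */
		if (__builtin_add_overflow(size, ace_size, &size))
			return false;
	}
	*out = size;
	return true;
}

/* Smallest entry count for which the u16 total wraps, i.e. the first count
 * at which checked_dacl_size() reports failure. */
static unsigned int first_wrapping_count(uint16_t ace_size)
{
	return (65535u / ace_size) + 1;
}
```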
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A u16 integer overflow in ksmbd's ACL size accumulation can corrupt DACL entries; patched by adding check_add_overflow().
KSMBD, the kernel-mode SMB server in Linux, contained a vulnerability in its ACL handling logic. The functions set_posix_acl_entries_dacl() and set_ntacl_dacl() accumulated the size of DACL entries into a u16 variable. When a file has many POSIX ACL entries, the total size could exceed 65535 bytes, causing an integer overflow that wraps the accumulated size to a small value. This overflow leads to incorrect pointer arithmetic and memory corruption during ACL construction [1].
The bug can be triggered by a remote SMB client that creates a file with an excessive number of POSIX ACL entries. No special privileges aside from SMB file-write access are required to reach the vulnerable code path. The attacker must craft a file whose ACL entry count causes the sum of ACE sizes to overflow a u16 [1].
Upon exploitation, the corrupted DACL causes the pndacl->size field to contain a truncated value, and subsequent writes within the ACL buffer can overwrite earlier ACE entries. This could lead to memory corruption, potentially enabling denial of service or other undefined behavior. The CVSS v3 base score of 5.5 (Medium) reflects the local/authenticated attack surface and impact [1].
The fix introduces calls to check_add_overflow() at each accumulation point to detect the overflow before it corrupts the buffer, consistent with existing check_mul_overflow() usage elsewhere in smbacl.c. The advisory does not mention that the patch has been applied to the stable kernel tree; users are advised to update their kernels to incorporate the commit [1][2][3][4].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
(5)
- git.kernel.org/stable/c/299f962c0b02d048fb45d248b4da493d03f3175d (NVD tag: Patch)
- git.kernel.org/stable/c/5e7b8f3c539d69b2ed5f2408e2f75e68ce7eef43 (NVD tag: Patch)
- git.kernel.org/stable/c/8d5729350b236896f51379588d9a690b7fafb8db (NVD tag: Patch)
- git.kernel.org/stable/c/e1955a94b6f17f4b058afa955a6f187eb3ed7615 (NVD tag: Patch)
- git.kernel.org/stable/c/ef7902be3f215b6bf7babe4dc9dd9a7d57dad7a7 (NVD tag: Patch)
News mentions
(1)
- Patch Tuesday - May 2026, Rapid7 Blog · May 13, 2026