CVE-2026-31705
Description
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: fix out-of-bounds write in smb2_get_ea() EA alignment
smb2_get_ea() applies 4-byte alignment padding via memset() after writing each EA entry. The bounds check on buf_free_len is performed before the value memcpy, but the alignment memset fires unconditionally afterward with no check on remaining space.
When the EA value exactly fills the remaining buffer (buf_free_len == 0 after value subtraction), the alignment memset writes 1-3 NUL bytes past the buf_free_len boundary. In compound requests where the response buffer is shared across commands, the first command (e.g., READ) can consume most of the buffer, leaving a tight remainder for the QUERY_INFO EA response. The alignment memset then overwrites past the physical kvmalloc allocation into adjacent kernel heap memory.
Add a bounds check before the alignment memset to ensure buf_free_len can accommodate the padding bytes.
This is the same bug pattern fixed by commit beef2634f81f ("ksmbd: fix potencial OOB in get_file_all_info() for compound requests") and commit fda9522ed6af ("ksmbd: fix OOB write in QUERY_INFO for compound requests"), both of which added bounds checks before unconditional writes in QUERY_INFO response handlers.
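The pattern described above, reduced to a user-space model. This is an added example, not the ksmbd source: `write_ea_entry`, its parameters and the guard region standing in for adjacent heap memory are assumptions, and only `buf_free_len` is a name taken from the description.

```c
#include <stdio.h>
#include <string.h>

#define GUARD 4   /* constructed stand-in for the adjacent heap object */

/* Model of one EA value write into a response buffer with free_len bytes
 * left. Returns -1 if rejected for lack of space, otherwise the number of
 * guard bytes overwritten (0 means the write stayed in bounds).
 * check_padding = 0: alignment memset is unconditional (pre-fix pattern).
 * check_padding = 1: padding must fit in buf_free_len (post-fix pattern). */
static int write_ea_entry(size_t free_len, size_t value_len, int check_padding)
{
    unsigned char buf[64];
    long buf_free_len = (long)free_len;
    size_t off = 0, pad, i;
    int clobbered = 0;

    if (free_len + GUARD > sizeof(buf))
        return -1;                      /* keep the model itself in bounds */
    memset(buf, 0xAA, sizeof(buf));

    buf_free_len -= (long)value_len;    /* checked before the value copy */
    if (buf_free_len < 0)
        return -1;
    memset(buf + off, 'V', value_len);
    off += value_len;

    pad = ((off + 3) & ~(size_t)3) - off;   /* 4-byte alignment padding */
    if (pad) {
        if (check_padding && buf_free_len < (long)pad)
            return -1;
        memset(buf + off, 0, pad);      /* 1-3 NUL bytes */
        buf_free_len -= (long)pad;
    }
    for (i = free_len; i < free_len + GUARD; i++)
        clobbered += (buf[i] != 0xAA);
    return clobbered;
}

int main(void)
{
    /* 13 bytes left, 13-byte value: value fits exactly, padding does not */
    printf("unchecked: %d guard bytes overwritten\n", write_ea_entry(13, 13, 0));
    printf("checked:   %d (rejected)\n", write_ea_entry(13, 13, 1));
    printf("room for padding: %d\n", write_ea_entry(16, 13, 1));
    return 0;
}
```

The model writes a single value at offset 0; a real EA entry also carries a header and name, which do not change the arithmetic of the padding check.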
Affected products
9 products; osv-coords, 7 versions:
- pkg:apk/chainguard/linux-aws-6.18 (no CPE), range: < 6.18.31-r0
- pkg:apk/chainguard/linux-azure-6.18 (no CPE), range: < 6.18.31-r0
- pkg:apk/chainguard/linux-gcp-6.18 (no CPE), range: < 6.18.31-r0
- pkg:apk/chainguard/linux-qemu-6.18 (no CPE), range: < 6.18.24-r3
- pkg:apk/chainguard/linux-qemu-rc (no CPE), range: < 7.1_rc3-r0
- pkg:apk/chainguard/linux-vmware-6.18 (no CPE), range: < 6.18.31-r0
- pkg:rpm/opensuse/kernel-source&distro=openSUSE%20Tumbleweed (no CPE), range: < 7.0.7-1.1
References
- git.kernel.org/stable/c/30010c952077a1c89ecdd71fc4d574c75a8f5617 (nvd, Patch)
- git.kernel.org/stable/c/790304c02bf9bd7b8171feda4294d6e62d32ae8f (nvd, Patch)
- git.kernel.org/stable/c/922d48fe8c19f388ffa2f709f33acaae4e408de2 (nvd, Patch)
- git.kernel.org/stable/c/98f3de6ef4efbd899348d333f0902dc4ff14380c (nvd, Patch)
- git.kernel.org/stable/c/ffbce350c6fd1e99116ea57383b9031717e36d3b (nvd, Patch)
- git.kernel.org/stable/c/ddbbc8b2a09dd2cfed90871313e3691ae1db08a2 (nvd)
News mentions
- Patch Tuesday - May 2026, Rapid7 Blog · May 13, 2026