High severity8.8NVD Advisory· Published May 1, 2026· Updated May 17, 2026

CVE-2026-31709

Description

In the Linux kernel, the following vulnerability has been resolved:

smb: client: validate the whole DACL before rewriting it in cifsacl

build_sec_desc() and id_mode_to_cifs_acl() derive a DACL pointer from a server-supplied dacloffset and then use the incoming ACL to rebuild the chmod/chown security descriptor.

The original fix only checked that the struct smb_acl header fits before reading dacl_ptr->size or dacl_ptr->num_aces. That avoids the immediate header-field OOB read, but the rewrite helpers still walk ACEs based on pdacl->num_aces with no structural validation of the incoming DACL body.

A malicious server can return a truncated DACL that still contains a header, claims one or more ACEs, and then drive replace_sids_and_copy_aces() or set_chmod_dacl() past the validated extent while they compare or copy attacker-controlled ACEs.

Factor the DACL structural checks into validate_dacl(), extend them to validate each ACE against the DACL bounds, and use the shared validator before the chmod/chown rebuild paths. parse_dacl() reuses the same validator so the read-side parser and write-side rewrite paths agree on what constitutes a well-formed incoming DACL.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A missing structural validation of DACL in the Linux kernel's SMB client allows a malicious server to cause out-of-bounds read/write during chmod/chown operations.

Vulnerability

The vulnerability exists in the Linux kernel's CIFS (SMB) client, specifically in the security descriptor handling during chmod/chown operations. The functions build_sec_desc() and id_mode_to_cifs_acl() derive a DACL pointer from a server-supplied dacloffset and reconstruct the ACL. The original fix only validated that the struct smb_acl header fits within the buffer, but did not verify the integrity of the individual ACEs within the DACL body.

Exploitation

A malicious SMB server can craft a response with a truncated DACL that has a valid header but claims more ACEs than actually present. When the client processes a chmod or chown request, it calls replace_sids_and_copy_aces() or set_chmod_dacl(), which iterate over pdacl->num_aces without bounds checking. This allows the server to drive out-of-bounds reads or writes when comparing or copying attacker-controlled ACE data.

Impact

An attacker who controls an SMB server (or can perform a man-in-the-middle attack) can exploit this to corrupt kernel memory, potentially leading to privilege escalation or denial of service. The vulnerability is rated High with CVSS 8.8.

Mitigation

The fix, introduced in kernel commit 8e47d297e7cf, factors DACL validation into a new helper function validate_dacl(). This function now checks each ACE against the DACL bounds before the rewrite paths. The same validator is reused in parse_dacl() for consistency. Users should apply the patch from the stable kernel tree [1].

References

Making sure you're not a bot!

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

Linux/Kernelinferred2 versions
(expand)+ 1 more
- (no CPE)
- cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*range: >=5.12,<7.0.2

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

News mentions

Patch Tuesday - May 2026
Rapid7 Blog · May 13, 2026

cvss	0.572
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000