{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31432", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-03-09T15:48:24.089Z", "datePublished": "2026-04-22T08:15:10.873Z", "dateUpdated": "2026-04-22T08:15:10.873Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-04-22T08:15:10.873Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix OOB write in QUERY_INFO for compound requests\n\nWhen a compound request such as READ + QUERY_INFO(Security) is received,\nand the first command (READ) consumes most of the response buffer,\nksmbd could write beyond the allocated buffer while building a security\ndescriptor.\n\nThe root cause was that smb2_get_info_sec() checked buffer space using\nppntsd_size from xattr, while build_sec_desc() often synthesized a\nsignificantly larger descriptor from POSIX ACLs.\n\nThis patch introduces smb_acl_sec_desc_scratch_len() to accurately\ncompute the final descriptor size beforehand, performs proper buffer\nchecking with smb2_calc_max_out_buf_len(), and uses exact-sized\nallocation + iov pinning."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/smb/server/smb2pdu.c", "fs/smb/server/smbacl.c", "fs/smb/server/smbacl.h"], "versions": [{"version": "e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d", "lessThan": "d48c64fb80ad78b3dd29fb7d79b6ec7bd72bfc09", "status": "affected", "versionType": "git"}, {"version": "e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d", "lessThan": "075ea208c648cc2bcd616295b711d3637c61de45", "status": "affected", "versionType": "git"}, {"version": "e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d", "lessThan": "515c2daab46021221bdf406bef19bc90a44ec617", "status": "affected", "versionType": "git"}, {"version": "e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d", "lessThan": "fda9522ed6afaec45cabc198d8492270c394c7bc", "status": "affected", "versionType": "git"}, {"version": "f2283680a80571ca82d710bc6ecd8f8beac67d63", "status": "affected", "versionType": "git"}, {"version": "9f297df20d93411c0b4ddad7f88ba04a7cd36e77", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/smb/server/smb2pdu.c", "fs/smb/server/smbacl.c", "fs/smb/server/smbacl.h"], "versions": [{"version": "6.6", "status": "affected"}, {"version": "0", "lessThan": "6.6", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.81", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.22", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.12", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.6", "versionEndExcluding": "6.12.81"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.6", "versionEndExcluding": "6.18.22"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.6", "versionEndExcluding": "6.19.12"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.6", "versionEndExcluding": "7.0"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15.145"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.1.71"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/d48c64fb80ad78b3dd29fb7d79b6ec7bd72bfc09"}, {"url": "https://git.kernel.org/stable/c/075ea208c648cc2bcd616295b711d3637c61de45"}, {"url": "https://git.kernel.org/stable/c/515c2daab46021221bdf406bef19bc90a44ec617"}, {"url": "https://git.kernel.org/stable/c/fda9522ed6afaec45cabc198d8492270c394c7bc"}], "title": "ksmbd: fix OOB write in QUERY_INFO for compound requests", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix OOB write in QUERY_INFO for compound requests\n\nWhen a compound request such as READ + QUERY_INFO(Security) is received,\nand the first command (READ) consumes most of the response buffer,\nksmbd could write beyond the allocated buffer while building a security\ndescriptor.\n\nThe root cause was that smb2_get_info_sec() checked buffer space using\nppntsd_size from xattr, while build_sec_desc() often synthesized a\nsignificantly larger descriptor from POSIX ACLs.\n\nThis patch introduces smb_acl_sec_desc_scratch_len() to accurately\ncompute the final descriptor size beforehand, performs proper buffer\nchecking with smb2_calc_max_out_buf_len(), and uses exact-sized\nallocation + iov pinning."}], "id": "CVE-2026-31432", "lastModified": "2026-04-22T09:16:21.410", "metrics": {}, "published": "2026-04-22T09:16:21.410", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/075ea208c648cc2bcd616295b711d3637c61de45"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/515c2daab46021221bdf406bef19bc90a44ec617"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/d48c64fb80ad78b3dd29fb7d79b6ec7bd72bfc09"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/fda9522ed6afaec45cabc198d8492270c394c7bc"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Received"}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d,d48c64fb80ad78b3dd29fb7d79b6ec7bd72bfc09)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d,075ea208c648cc2bcd616295b711d3637c61de45)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d,515c2daab46021221bdf406bef19bc90a44ec617)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d,fda9522ed6afaec45cabc198d8492270c394c7bc)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "f2283680a80571ca82d710bc6ecd8f8beac67d63"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "9f297df20d93411c0b4ddad7f88ba04a7cd36e77"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "6.6"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,6.6)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.81,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.22,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.12,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-22T09:50:59.425346+00:00", "value": {"mitigation_remediation": ["Upgrade the Linux kernel to a version that includes the ksmbd out\u2011of\u2011bounds write fix (the patch commit addresses the buffer size error).", "If an immediate kernel upgrade is not feasible, block or restrict SMB traffic from untrusted networks using firewall rules and deny SMB connections from unknown hosts.", "If ksmbd is not required for business operations, disable the service or replace it with a non\u2011kernel SMB implementation that does not expose the vulnerable path."], "summary": {"action": "Apply Patch", "impact": "Out-of-bounds write in kernel SMB daemon leading to potential memory corruption and privilege escalation"}, "threat_synthesis": {"affected_systems": "All Linux kernel releases that include the ksmbd SMB daemon and have not incorporated the patch from commit 075ea208c648cc2bcd616295b711d3637c61de45. Systems running SMB services via ksmbd with exposed interfaces to untrusted clients are affected.", "description_and_impact": "A compound SMB request that performs a READ followed by a QUERY_INFO(Security) operation triggers a buffer overrun in the Linux ksmbd service. During this operation the kernel incorrectly calculates the size of the security descriptor and writes beyond the allocated buffer, creating a memory corruption condition. This flaw can be leveraged by an attacker to corrupt kernel memory, potentially escalating privileges to root. The vulnerability is rooted in an inaccurate buffer size check and improper allocation logic for synthesizing POSIX ACL descriptors.", "risk_and_exploitability": "The flaw can be exploited remotely over SMB traffic, allowing an attacker to overwrite kernel memory. No EPSS score or KEV listing is available, so public exploitation data is limited, but the presence of an out-of-bounds write in kernel space inherently represents a high severity risk. Attackers would need to deliver a crafted SMB compound request to a vulnerable host."}}}}, "created": "2026-04-22T09:30:13.308109+00:00", "updated": "2026-04-22T10:00:10.248880+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"], "weaknesses": ["CWE-787"]}