Linux kernel ksmbd CVE-2026-31432

EUVD-2026-24640, HIGH
Out-of-bounds Write (CWE-787)
2026-04-22, Linux, GHSA-f75p-6q8j-p2f2
CVSS 3.1: 8.8
CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline (7 events)

Apr 27, 2026 - 14:25: Analysis Generated (vuln.today)
Apr 27, 2026 - 14:22: CVSS changed (NVD), 8.8 (HIGH)
Apr 27, 2026 - 14:16: Patch released (nvd), Patch available
Apr 22, 2026 - 10:01: Patch available (EUVD)
Apr 22, 2026 - 08:30: EUVD ID Assigned (euvd), EUVD-2026-24640
Apr 22, 2026 - 08:30: Analysis Generated (vuln.today)
Apr 22, 2026 - 08:15: CVE Published (nvd), HIGH 8.8

Description (NVD)

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: fix OOB write in QUERY_INFO for compound requests

When a compound request such as READ + QUERY_INFO(Security) is received, and the first command (READ) consumes most of the response buffer, ksmbd could write beyond the allocated buffer while building a security descriptor.

The root cause was that smb2_get_info_sec() checked buffer space using ppntsd_size from xattr, while build_sec_desc() often synthesized a significantly larger descriptor from POSIX ACLs.

This patch introduces smb_acl_sec_desc_scratch_len() to accurately compute the final descriptor size beforehand, performs proper buffer checking with smb2_calc_max_out_buf_len(), and uses exact-sized allocation + iov pinning.
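The size mismatch described above, reduced to a small model. This is an added example, not kernel or ksmbd code: the function names and the byte sizes are constructed for illustration, and nothing is written to a buffer; it only compares the two admission checks.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified, constructed sizes for this model; not ksmbd's real layout. */
#define SD_HDR_LEN  20u  /* descriptor header */
#define SID_LEN     28u  /* owner SID and group SID, one each */
#define ACL_HDR_LEN  8u
#define ACE_LEN     36u  /* one ACE synthesized per POSIX ACL entry */
#define FIXED_LEN   (SD_HDR_LEN + 2u * SID_LEN + ACL_HDR_LEN)

/* Space left in the shared compound response after earlier commands. */
static size_t remaining_out_len(size_t buf_len, size_t used)
{
    return used >= buf_len ? 0 : buf_len - used;
}

/* Exact length of the descriptor built from n ACL entries.
 * Saturates at SIZE_MAX so an overflowing count can never pass a check. */
static size_t sec_desc_len(size_t n_acl_entries)
{
    if (n_acl_entries > (SIZE_MAX - FIXED_LEN) / ACE_LEN)
        return SIZE_MAX;
    return FIXED_LEN + n_acl_entries * ACE_LEN;
}

/* Flawed pattern: admits the request on the stored xattr size alone. */
static int check_stored_size(size_t remaining, size_t stored_xattr_len)
{
    return stored_xattr_len <= remaining;
}

/* Corrected pattern: admits only when the bytes actually written fit. */
static int check_final_size(size_t remaining, size_t n_acl_entries)
{
    return sec_desc_len(n_acl_entries) <= remaining;
}

int main(void)
{
    /* Constructed case: READ used 3900 of 4096 bytes, then QUERY_INFO. */
    size_t remaining = remaining_out_len(4096, 3900);
    size_t stored = 64, entries = 6;

    printf("remaining=%zu needed=%zu\n", remaining, sec_desc_len(entries));
    printf("stored-size check passes: %d\n", check_stored_size(remaining, stored));
    printf("final-size check passes:  %d\n", check_final_size(remaining, entries));
    return 0;
}
```

In the constructed case the stored-size check admits a request whose synthesized descriptor is larger than the space left, while the final-size check rejects it.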

Analysis (AI)

An out-of-bounds write in the Linux kernel's ksmbd server allows authenticated remote attackers with low-privilege SMB access to corrupt memory and potentially execute arbitrary code or crash the system. The vulnerability triggers when processing compound SMB2 requests (e.g., READ + QUERY_INFO for security descriptors) where the first command consumes most of the response buffer, causing ksmbd to write beyond allocated memory when building security descriptors from POSIX ACLs. …

Remediation (AI)

Within 24 hours: identify all Linux systems running ksmbd with kernel versions prior to 6.12.81, 6.18.22, 6.19.12, or 7.0 using kernel enumeration or asset inventory tools. Within 7 days: apply vendor-released patches to affected systems (kernel 6.12.81+, 6.18.22+, 6.19.12+, or 7.0+) and validate via reboot testing in non-production environments. …