Skip to main content

Linux kernel ksmbd CVE-2026-31432

| EUVDEUVD-2026-24640 HIGH
Out-of-bounds Write (CWE-787)
2026-04-22 Linux GHSA-f75p-6q8j-p2f2
8.8
CVSS 3.1 · Vendor: Linux
Share

Severity by source

Vendor (Linux) PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative

Primary rating from Vendor (Linux).

CVSS VectorVendor: Linux

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

7
Analysis Generated
Apr 27, 2026 - 14:25 vuln.today
CVSS changed
Apr 27, 2026 - 14:22 NVD
8.8 (HIGH)
Patch released
Apr 27, 2026 - 14:16 nvd
Patch available
Patch available
Apr 22, 2026 - 10:01 EUVD
EUVD ID Assigned
Apr 22, 2026 - 08:30 euvd
EUVD-2026-24640
Analysis Generated
Apr 22, 2026 - 08:30 vuln.today
CVE Published
Apr 22, 2026 - 08:15 nvd
HIGH 8.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: fix OOB write in QUERY_INFO for compound requests

When a compound request such as READ + QUERY_INFO(Security) is received, and the first command (READ) consumes most of the response buffer, ksmbd could write beyond the allocated buffer while building a security descriptor.

The root cause was that smb2_get_info_sec() checked buffer space using ppntsd_size from xattr, while build_sec_desc() often synthesized a significantly larger descriptor from POSIX ACLs.

This patch introduces smb_acl_sec_desc_scratch_len() to accurately compute the final descriptor size beforehand, performs proper buffer checking with smb2_calc_max_out_buf_len(), and uses exact-sized allocation + iov pinning.

AnalysisAI

Out-of-bounds write in Linux kernel's ksmbd server allows authenticated remote attackers with low-privilege SMB access to corrupt memory and potentially execute arbitrary code or crash the system. The vulnerability triggers when processing compound SMB2 requests (e.g., READ + QUERY_INFO for security descriptors) where the first command consumes most of the response buffer, causing ksmbd to write beyond allocated memory when building security descriptors from POSIX ACLs. Vendor patches are available for kernel versions 6.12.81, 6.18.22, 6.19.12, and 7.0. EPSS score of 0.01% suggests low observed exploitation probability, and no public exploit code or active exploitation has been identified at time of analysis.

Technical ContextAI

This vulnerability affects ksmbd, the in-kernel SMB server implementation introduced in Linux 5.15. The flaw resides in the SMB2 QUERY_INFO handler for security descriptors (smb2_get_info_sec function). When processing compound SMB2 requests, ksmbd allocates a response buffer shared across multiple commands. The vulnerability occurs because smb2_get_info_sec() validated available buffer space against the xattr-stored security descriptor size (ppntsd_size), but build_sec_desc() dynamically synthesizes Windows-style security descriptors from POSIX ACLs, often producing structures significantly larger than the xattr size. This size miscalculation leads to an out-of-bounds write when the synthesized descriptor exceeds remaining buffer space. The patch introduces smb_acl_sec_desc_scratch_len() to pre-calculate exact descriptor sizes, validates buffer availability using smb2_calc_max_out_buf_len(), and implements precise memory allocation with iov pinning to prevent buffer overflows.

RemediationAI

Upgrade Linux kernel to patched versions: 6.12.81, 6.18.22, 6.19.12, or 7.0 or later, depending on your kernel branch. Patches are available from the kernel stable trees at https://git.kernel.org/stable/c/d48c64fb80ad78b3dd29fb7d79b6ec7bd72bfc09, https://git.kernel.org/stable/c/075ea208c648cc2bcd616295b711d3637c61de45, https://git.kernel.org/stable/c/515c2daab46021221bdf406bef19bc90a44ec617, and https://git.kernel.org/stable/c/fda9522ed6afaec45cabc198d8492270c394c7bc. If immediate patching is not feasible, implement compensating controls: disable ksmbd module entirely if not required (unload ksmbd.ko, blacklist in modprobe.d) and use Samba for SMB file sharing instead, which eliminates exposure with no functional loss for most deployments. Alternatively, restrict SMB access to ksmbd services using firewall rules (block ports 445/139) to trusted networks only, though this does not prevent exploitation by authenticated attackers within the trust boundary. If ksmbd must remain enabled pre-patch, audit and minimize user privileges for SMB accounts, implement strict network segmentation, and enable kernel exploit mitigations (KASLR, SMEP, SMAP) if not already active. Note that disabling ksmbd requires service restart and may interrupt active SMB sessions; restricting network access may impact legitimate remote file access workflows.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-31432 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy