Skip to main content

Linux kernel ksmbd CVE-2026-31433

| EUVDEUVD-2026-24641 HIGH
2026-04-22 Linux GHSA-32xq-pcg8-hc33
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

7
Analysis Generated
Apr 27, 2026 - 14:26 vuln.today
CVSS changed
Apr 27, 2026 - 14:22 NVD
8.8 (HIGH)
Patch released
Apr 27, 2026 - 14:16 nvd
Patch available
Patch available
Apr 22, 2026 - 10:01 EUVD
EUVD ID Assigned
Apr 22, 2026 - 08:30 euvd
EUVD-2026-24641
Analysis Generated
Apr 22, 2026 - 08:30 vuln.today
CVE Published
Apr 22, 2026 - 08:15 nvd
HIGH 8.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: fix potencial OOB in get_file_all_info() for compound requests

When a compound request consists of QUERY_DIRECTORY + QUERY_INFO (FILE_ALL_INFORMATION) and the first command consumes nearly the entire max_trans_size, get_file_all_info() would blindly call smbConvertToUTF16() with PATH_MAX, causing out-of-bounds write beyond the response buffer. In get_file_all_info(), there was a missing validation check for the client-provided OutputBufferLength before copying the filename into FileName field of the smb2_file_all_info structure. If the filename length exceeds the available buffer space, it could lead to potential buffer overflows or memory corruption during smbConvertToUTF16 conversion. This calculating the actual free buffer size using smb2_calc_max_out_buf_len() and returning -EINVAL if the buffer is insufficient and updating smbConvertToUTF16 to use the actual filename length (clamped by PATH_MAX) to ensure a safe copy operation.

AnalysisAI

Out-of-bounds write in Linux kernel ksmbd allows authenticated remote attackers to cause memory corruption via crafted SMB2 compound requests combining QUERY_DIRECTORY and QUERY_INFO commands. The vulnerability arises when get_file_all_info() fails to validate OutputBufferLength against available buffer space before converting filenames to UTF-16, enabling buffer overflow beyond response buffer boundaries. With CVSS 8.8 (High) and network attack vector requiring only low privileges, this presents significant risk to systems running ksmbd SMB server. Vendor patches available across multiple kernel versions (5.15.203, 6.1.168, 6.6.131, 6.12.80, 6.18.21, 6.19.11, 7.0). EPSS exploitation probability remains low at 0.01% (2nd percentile), and no public exploit or CISA KEV listing identified at time of analysis.

Technical ContextAI

ksmbd is the in-kernel SMB3 server implementation introduced in Linux 5.15, providing native Windows file sharing capabilities. This vulnerability affects the SMB2/3 protocol handler's QUERY_INFO response path when processing FILE_ALL_INFORMATION requests. The flaw occurs during compound request handling where two sequential commands (QUERY_DIRECTORY followed by QUERY_INFO) are processed within a single transaction. When the first command consumes nearly all available max_trans_size buffer space, the second command's get_file_all_info() function attempts to write filename data using smbConvertToUTF16() with PATH_MAX (4096 bytes) without first validating remaining buffer capacity. The root cause is missing boundary validation before memory copy operations during character set conversion from local filesystem encoding to UTF-16LE required by SMB protocol. The affected CPE strings (cpe:2.3:a:linux:linux) indicate this impacts the Linux kernel package directly. Fixes implement proper buffer length calculation using smb2_calc_max_out_buf_len() and clamp filename length to actual available space before conversion.

RemediationAI

Upgrade to patched Linux kernel versions: 5.15.203+ for 5.15.x LTS branch, 6.1.168+ for 6.1.x LTS, 6.6.131+ for 6.6.x stable, 6.12.80+ for 6.12.x, 6.18.21+ for 6.18.x, 6.19.11+ for 6.19.x, or 7.0+ for mainline. Patch details available at https://git.kernel.org/stable/ with commit references listed in NVD advisory https://nvd.nist.gov/vuln/detail/CVE-2026-31433. For systems unable to immediately patch, disable ksmbd module via 'rmmod ksmbd' and 'echo "blacklist ksmbd" >> /etc/modprobe.d/blacklist.conf' to prevent module loading on reboot, then use traditional Samba (smbd) for SMB file sharing instead. Note this workaround eliminates ksmbd performance benefits and requires Samba daemon configuration. Alternatively, restrict ksmbd network exposure by configuring host firewall rules to limit SMB port access (TCP 445, 139) to trusted IP ranges only, though this does not eliminate risk from authenticated internal attackers. Verify ksmbd status with 'lsmod | grep ksmbd' and check active SMB sessions with 'ksmbd.mountd -V'. No other compensating controls provide equivalent protection without disabling the vulnerable service.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-31433 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy