Skip to main content

Linux Kernel ksmbd CVE-2026-31611

| EUVDEUVD-2026-25504 HIGH
2026-04-24 Linux GHSA-5q38-6rwh-6r7q
8.6
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.6 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
SUSE
HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
High

Lifecycle Timeline

8
Re-analysis Queued
Apr 29, 2026 - 17:07 vuln.today
cvss_changed
Patch released
Apr 29, 2026 - 16:56 nvd
Patch available
Analysis Generated
Apr 27, 2026 - 15:35 vuln.today
CVSS changed
Apr 27, 2026 - 15:22 NVD
8.6 (HIGH)
Patch available
Apr 24, 2026 - 16:16 EUVD
EUVD ID Assigned
Apr 24, 2026 - 15:00 euvd
EUVD-2026-25504
Analysis Generated
Apr 24, 2026 - 15:00 vuln.today
CVE Published
Apr 24, 2026 - 14:42 nvd
HIGH 8.6

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: require 3 sub-authorities before reading sub_auth[2]

parse_dacl() compares each ACE SID against sid_unix_NFS_mode and on match reads sid.sub_auth[2] as the file mode. If sid_unix_NFS_mode is the prefix S-1-5-88-3 with num_subauth = 2 then compare_sids() compares only min(num_subauth, 2) sub-authorities so a client SID with num_subauth = 2 and sub_auth = {88, 3} will match.

If num_subauth = 2 and the ACE is placed at the very end of the security descriptor, sub_auth[2] will be 4 bytes past end_of_acl. The out-of-band bytes will then be masked to the low 9 bits and applied as the file's POSIX mode, probably not something that is good to have happen.

Fix this up by forcing the SID to actually carry a third sub-authority before reading it at all.

AnalysisAI

Out-of-bounds read in Linux kernel's ksmbd SMB server allows remote unauthenticated attackers to manipulate file permissions by crafting malicious ACE SIDs with insufficient sub-authorities, triggering parse_dacl() to read 4 bytes past the ACL buffer boundary and apply those arbitrary bytes as POSIX file mode bits. EPSS exploitation probability is very low (0.02%, 5th percentile) with no public exploit identified at time of analysis. Vendor-released patches available across stable kernel branches (6.12.83, 6.18.24, 6.19.14, 7.0.1).

Technical ContextAI

The vulnerability affects ksmbd, the in-kernel SMB server implementation introduced in Linux 5.15. The parse_dacl() function processes Windows-style Access Control Entries (ACEs) in SMB file security descriptors and performs special handling for NFS mode SIDs (prefix S-1-5-88-3). The compare_sids() function uses min(num_subauth, expected_count) when comparing SID sub-authorities, creating a type confusion: a client can send a SID with only 2 sub-authorities matching the NFS mode prefix, pass validation, but then have parse_dacl() unconditionally read sub_auth[2] - an index that doesn't exist in the client-controlled data. When this crafted ACE is positioned at the end of the security descriptor, sub_auth[2] reads 4 bytes beyond end_of_acl into adjacent kernel memory. These out-of-bounds bytes are then masked to 9 bits and applied as the file's POSIX permission mode (rwxrwxrwx), allowing attackers to set arbitrary permissions based on whatever happens to be in kernel memory at that offset. This combines improper input validation (CWE-20 class) with an out-of-bounds read (CWE-125 class). The affected CPE strings indicate the vulnerability spans a wide range of kernel versions from the initial ksmbd commit (1da177e4c3f4) through early 2026 stable releases.

RemediationAI

Upgrade to patched Linux kernel stable releases: 6.12.83, 6.18.24, 6.19.14, or 7.0.1 depending on your kernel branch. Patch commit references available at https://git.kernel.org/stable/c/08f9e6d899b5c834bbcc239eae1bed58d9b15d2c (6.12 branch), https://git.kernel.org/stable/c/d2454f4a002d08560a60f214f392e6491cf11560 (6.18 branch), https://git.kernel.org/stable/c/46bbcd3ebfb3549c8da1838fc4493e79bd3241e7 (6.19 branch), and https://git.kernel.org/stable/c/9401f86a224f37b50e6a3ccf1d46a70d5ef8af0a (7.0 branch). If immediate patching is not feasible, disable the ksmbd kernel module with 'rmmod ksmbd' and add 'blacklist ksmbd' to /etc/modprobe.d/blacklist.conf to prevent automatic loading - this eliminates attack surface entirely but removes SMB server functionality, requiring migration to userspace Samba if SMB file sharing is needed (operational impact includes potential performance differences and configuration migration effort). Restrict network access to SMB ports (TCP 445, 139) using firewall rules if ksmbd must remain enabled during patch deployment window, though this only reduces exposure to trusted networks rather than eliminating the vulnerability. Verify ksmbd is actually running with 'lsmod | grep ksmbd' before applying mitigations, as most Linux systems do not enable ksmbd by default.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-31611 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy