Skip to main content

Linux Kernel CVE-2026-31613

| EUVDEUVD-2026-25506 HIGH
Out-of-bounds Read (CWE-125)
2026-04-24 Linux GHSA-3w37-m4pg-q585
8.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H
SUSE
HIGH
qualitative
Red Hat
7.1 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
High

Lifecycle Timeline

8
Re-analysis Queued
Apr 28, 2026 - 15:22 vuln.today
cvss_changed
Patch released
Apr 28, 2026 - 15:13 nvd
Patch available
Analysis Generated
Apr 27, 2026 - 15:36 vuln.today
CVSS changed
Apr 27, 2026 - 15:22 NVD
8.1 (HIGH)
Patch available
Apr 24, 2026 - 16:16 EUVD
EUVD ID Assigned
Apr 24, 2026 - 15:00 euvd
EUVD-2026-25506
Analysis Generated
Apr 24, 2026 - 15:00 vuln.today
CVE Published
Apr 24, 2026 - 14:42 nvd
HIGH 8.1

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

smb: client: fix OOB reads parsing symlink error response

When a CREATE returns STATUS_STOPPED_ON_SYMLINK, smb2_check_message() returns success without any length validation, leaving the symlink parsers as the only defense against an untrusted server.

symlink_data() walks SMB 3.1.1 error contexts with the loop test "p < end", but reads p->ErrorId at offset 4 and p->ErrorDataLength at offset

  1. When the server-controlled ErrorDataLength advances p to within 1-7

bytes of end, the next iteration will read past it. When the matching context is found, sym->SymLinkErrorTag is read at offset 4 from p->ErrorContextData with no check that the symlink header itself fits.

smb2_parse_symlink_response() then bounds-checks the substitute name using SMB2_SYMLINK_STRUCT_SIZE as the offset of PathBuffer from iov_base. That value is computed as sizeof(smb2_err_rsp) + sizeof(smb2_symlink_err_rsp), which is correct only when ErrorContextCount == 0.

With at least one error context the symlink data sits 8 bytes deeper, and each skipped non-matching context shifts it further by 8 + ALIGN(ErrorDataLength, 8). The check is too short, allowing the substitute name read to run past iov_len. The out-of-bound heap bytes are UTF-16-decoded into the symlink target and returned to userspace via readlink(2).

Fix this all up by making the loops test require the full context header to fit, rejecting sym if its header runs past end, and bound the substitute name against the actual position of sym->PathBuffer rather than a fixed offset.

Because sub_offs and sub_len are 16bits, the pointer math will not overflow here with the new greater-than.

AnalysisAI

Out-of-bounds heap read in Linux kernel SMB client allows malicious SMB servers to leak kernel memory to userspace via crafted symlink error responses. When processing STATUS_STOPPED_ON_SYMLINK errors in SMB 3.1.1, inadequate bounds checking in smb2_check_message() and symlink_data() allows server-controlled ErrorDataLength values to trigger reads beyond buffer boundaries. The leaked heap bytes are UTF-16-decoded into the symlink target and exposed through readlink(2) syscalls (confidentiality impact), with potential for denial-of-service through memory corruption (availability impact). CVSS 8.1 (High) requires user interaction. EPSS score is very low at 0.02% (5th percentile), indicating minimal observed exploitation activity. Patches available in kernel versions 6.18.24, 6.19.14, and 7.0.1.

Technical ContextAI

This vulnerability affects the Linux kernel's CIFS/SMB client implementation, specifically the error handling path when parsing SMB2/SMB3 symlink error responses (STATUS_STOPPED_ON_SYMLINK). The SMB2 protocol uses error contexts in responses, and the kernel's symlink_data() function walks these contexts with insufficient bounds validation. The root cause is multiple buffer overflow vulnerabilities (tagged as such) where server-controlled length fields (ErrorDataLength, ErrorContextCount) are trusted without validating that subsequent reads remain within allocated memory. The vulnerable code path involves smb2_check_message(), symlink_data(), and smb2_parse_symlink_response(). The flaw manifests when ErrorDataLength positions a pointer within 1-7 bytes of the buffer end, causing the next loop iteration to read ErrorId (offset +4) and ErrorDataLength (offset 0) past the boundary. Additionally, SMB2_SYMLINK_STRUCT_SIZE calculation assumes ErrorContextCount==0, creating incorrect offset calculations when error contexts are present. Each non-matching context shifts the symlink data 8 + ALIGN(ErrorDataLength, 8) bytes deeper, causing substitute name reads to exceed iov_len boundaries.

RemediationAI

Upgrade to patched Linux kernel versions: 6.18.24, 6.19.14, 7.0.1, or later stable releases that include the upstream fixes. Distribution-specific packages should be applied via package managers (apt/yum/dnf) once vendors backport the patches. Until patching is complete, implement these compensating controls: (1) Restrict SMB client connections to only trusted, authenticated SMB servers through firewall rules (ports 445/TCP, 139/TCP) - this reduces attack surface but limits functionality if untrusted share access is required. (2) Disable SMB client functionality entirely if not operationally necessary (blacklist cifs.ko kernel module) - side effect is loss of all Windows file share access. (3) Use mount options to restrict symlink traversal (nosymfollow mount option if kernel version supports it) - may break legitimate symlink functionality in shares. (4) Deploy network segmentation to isolate systems mounting external SMB shares from critical infrastructure - reduces blast radius but requires network architecture changes. The primary fix involves correcting loop bounds checks to require full context headers to fit, validating symlink header boundaries, and calculating substitute name offsets based on actual sym->PathBuffer position rather than fixed SMB2_SYMLINK_STRUCT_SIZE offset. Git commits referenced above contain the complete patch details.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-31613 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy