Skip to main content

Linux kernel ksmbd CVE-2026-31705

| EUVDEUVD-2026-26514 CRITICAL
Out-of-bounds Write (CWE-787)
2026-05-01 416baaa9-dc9f-4396-8d5f-8c081fb06d67
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
SUSE
CRITICAL
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

7
Analysis Generated
May 03, 2026 - 07:24 vuln.today
CVSS changed
May 03, 2026 - 07:22 NVD
9.8 (CRITICAL)
Patch released
May 03, 2026 - 07:16 nvd
Patch available
Patch available
May 01, 2026 - 15:02 EUVD
EUVD ID Assigned
May 01, 2026 - 14:22 euvd
EUVD-2026-26514
Analysis Generated
May 01, 2026 - 14:22 vuln.today
CVE Published
May 01, 2026 - 14:16 nvd
CRITICAL 9.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: fix out-of-bounds write in smb2_get_ea() EA alignment

smb2_get_ea() applies 4-byte alignment padding via memset() after writing each EA entry. The bounds check on buf_free_len is performed before the value memcpy, but the alignment memset fires unconditionally afterward with no check on remaining space.

When the EA value exactly fills the remaining buffer (buf_free_len == 0 after value subtraction), the alignment memset writes 1-3 NUL bytes past the buf_free_len boundary. In compound requests where the response buffer is shared across commands, the first command (e.g., READ) can consume most of the buffer, leaving a tight remainder for the QUERY_INFO EA response. The alignment memset then overwrites past the physical kvmalloc allocation into adjacent kernel heap memory.

Add a bounds check before the alignment memset to ensure buf_free_len can accommodate the padding bytes.

This is the same bug pattern fixed by commit beef2634f81f ("ksmbd: fix potencial OOB in get_file_all_info() for compound requests") and commit fda9522ed6af ("ksmbd: fix OOB write in QUERY_INFO for compound requests"), both of which added bounds checks before unconditional writes in QUERY_INFO response handlers.

AnalysisAI

Out-of-bounds write in Linux kernel's ksmbd SMB server allows memory corruption when processing extended attributes (EA) in QUERY_INFO responses. The smb2_get_ea() function performs 4-byte alignment padding without checking remaining buffer space, causing 1-3 bytes to write past allocation boundaries when EA values exactly fill the response buffer. This occurs in compound SMB2 requests where shared response buffers are tightly constrained. EPSS score of 0.02% suggests minimal observed exploitation activity, though the CVSS 9.8 critical rating reflects the theoretical network-accessible, unauthenticated attack surface. Vendor patches available across multiple stable kernel branches (6.6.136, 6.12.84, 7.0.2, 7.1-rc1). Not listed in CISA KEV. This represents the third instance of the same vulnerability pattern in ksmbd QUERY_INFO handlers, following fixes in commits beef2634f81f and fda9522ed6af.

Technical ContextAI

The ksmbd subsystem is an in-kernel SMB2/3 server implementation for Linux, allowing network file sharing via the SMB protocol. The vulnerability resides in smb2_get_ea() within the extended attribute handling code path, specifically when constructing QUERY_INFO responses for EA queries. SMB2 protocol requires 4-byte alignment for EA entries, enforced via memset() padding after each entry's value field. The function checks buf_free_len before memcpy() of the EA value but unconditionally executes the alignment memset() regardless of remaining space. In compound SMB2 requests-where multiple operations share a single response buffer allocated via kvmalloc-a preceding command (e.g., READ) can consume most of the buffer allocation. When the subsequent QUERY_INFO EA response uses the remainder and an EA value exactly exhausts buf_free_len, the alignment write accesses unallocated heap memory adjacent to the kvmalloc'd region. This buffer overflow pattern has recurred in ksmbd's QUERY_INFO handlers, indicating systematic issues with bounds validation in SMB response construction code.

RemediationAI

Apply vendor-released kernel patches immediately for systems with ksmbd enabled: upgrade to Linux 6.6.136+ (stable 6.6.x branch), 6.12.84+ (stable 6.12.x), 6.18.25+ (stable 6.18.x), 7.0.2+ (stable 7.0.x), or 7.1-rc1+ (mainline). Patches available at https://git.kernel.org/stable/c/98f3de6ef4efbd899348d333f0902dc4ff14380c (6.6 series), https://git.kernel.org/stable/c/922d48fe8c19f388ffa2f709f33acaae4e408de2, https://git.kernel.org/stable/c/790304c02bf9bd7b8171feda4294d6e62d32ae8f, https://git.kernel.org/stable/c/ffbce350c6fd1e99116ea57383b9031717e36d3b, and https://git.kernel.org/stable/c/30010c952077a1c89ecdd71fc4d574c75a8f5617. If immediate patching is not feasible, disable ksmbd module via 'rmmod ksmbd' and prevent autoloading by blacklisting in /etc/modprobe.d/blacklist.conf with 'blacklist ksmbd'-this eliminates attack surface entirely with trade-off of losing in-kernel SMB server functionality (migrate to Samba userspace as alternative). If ksmbd must remain active, restrict network access via firewall rules limiting SMB ports 445/139 to trusted management networks only-reduces exposure but does not prevent exploitation from allowed networks. Verify ksmbd status via 'lsmod | grep ksmbd' and check listening ports via 'ss -tlnp | grep 445'.

Vendor StatusVendor

SUSE

Severity: Critical
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-31705 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy