Skip to main content

Linux ksmbd CVE-2026-31706

| EUVDEUVD-2026-26515 HIGH
2026-05-01 416baaa9-dc9f-4396-8d5f-8c081fb06d67
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

7
Analysis Generated
May 03, 2026 - 07:24 vuln.today
CVSS changed
May 03, 2026 - 07:22 NVD
8.8 (HIGH)
Patch released
May 03, 2026 - 07:16 nvd
Patch available
Patch available
May 01, 2026 - 15:02 EUVD
EUVD ID Assigned
May 01, 2026 - 14:22 euvd
EUVD-2026-26515
Analysis Generated
May 01, 2026 - 14:22 vuln.today
CVE Published
May 01, 2026 - 14:16 nvd
HIGH 8.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: validate num_aces and harden ACE walk in smb_inherit_dacl()

smb_inherit_dacl() trusts the on-disk num_aces value from the parent directory's DACL xattr and uses it to size a heap allocation:

aces_base = kmalloc(sizeof(struct smb_ace) * num_aces * 2, ...);

num_aces is a u16 read from le16_to_cpu(parent_pdacl->num_aces) without checking that it is consistent with the declared pdacl_size. An authenticated client whose parent directory's security.NTACL is tampered (e.g. via offline xattr corruption or a concurrent path that bypasses parse_dacl()) can present num_aces = 65535 with minimal actual ACE data. This causes a ~8 MB allocation (not kzalloc, so uninitialized) that the subsequent loop only partially populates, and may also overflow the three-way size_t multiply on 32-bit kernels.

Additionally, the ACE walk loop uses the weaker offsetof(struct smb_ace, access_req) minimum size check rather than the minimum valid on-wire ACE size, and does not reject ACEs whose declared size is below the minimum.

Reproduced on UML + KASAN + LOCKDEP against the real ksmbd code path. A legitimate mount.cifs client creates a parent directory over SMB (ksmbd writes a valid security.NTACL xattr), then the NTACL blob on the backing filesystem is rewritten to set num_aces = 0xFFFF while keeping the posix_acl_hash bytes intact so ksmbd_vfs_get_sd_xattr()'s hash check still passes. A subsequent SMB2 CREATE of a child under that parent drives smb2_open() into smb_inherit_dacl() (share has "vfs objects = acl_xattr" set), which fails the page allocator:

WARNING: mm/page_alloc.c:5226 at __alloc_frozen_pages_noprof+0x46c/0x9c0 Workqueue: ksmbd-io handle_ksmbd_work __alloc_frozen_pages_noprof+0x46c/0x9c0 ___kmalloc_large_node+0x68/0x130 __kmalloc_large_node_noprof+0x24/0x70 __kmalloc_noprof+0x4c9/0x690 smb_inherit_dacl+0x394/0x2430 smb2_open+0x595d/0xabe0 handle_ksmbd_work+0x3d3/0x1140

With the patch applied the added guard rejects the tampered value with -EINVAL before any large allocation runs, smb2_open() falls back to smb2_create_sd_buffer(), and the child is created with a default SD. No warning, no splat.

Fix by:

  1. Validating num_aces against pdacl_size using the same formula

applied in parse_dacl().

  1. Replacing the raw kmalloc(sizeof * num_aces * 2) with

kmalloc_array(num_aces * 2, sizeof(...)) for overflow-safe allocation.

  1. Tightening the per-ACE loop guard to require the minimum valid

ACE size (offsetof(smb_ace, sid) + CIFS_SID_BASE_SIZE) and rejecting under-sized ACEs, matching the hardening in smb_check_perm_dacl() and parse_dacl().

v1 -> v2:

  • Replace the synthetic test-module splat in the changelog with a

real-path UML + KASAN reproduction driven through mount.cifs and SMB2 CREATE; Namjae flagged the kcifs3_test_inherit_dacl_old name in v1 since it does not exist in ksmbd.

  • Drop the commit-hash citation from the code comment per Namjae's

review; keep the parse_dacl() pointer.

AnalysisAI

Buffer overflow in Linux kernel's ksmbd SMB server allows authenticated remote attackers to trigger ~8 MB heap allocation from manipulated NTACL xattr values, potentially leading to memory exhaustion, information disclosure via uninitialized heap memory, or code execution. Exploitation requires low-privilege SMB authentication plus ability to corrupt backing filesystem metadata (offline xattr tampering or race condition). EPSS score of 0.02% indicates minimal observed exploitation activity. Vendor patches available across multiple stable kernel branches (6.12.84, 6.18.25, 7.0.2, 7.1-rc1).

Technical ContextAI

The vulnerability exists in ksmbd, the in-kernel SMB3 server implementation added to Linux 5.15. The smb_inherit_dacl() function processes Windows-style Discretionary Access Control Lists (DACLs) stored in security.NTACL extended attributes on the backing filesystem. When creating child objects, ksmbd inherits ACLs from parent directories by reading the parent's NTACL xattr and allocating memory based on the num_aces (number of Access Control Entries) field-a 16-bit little-endian integer. The code performs a heap allocation sized as sizeof(struct smb_ace) * num_aces * 2 without validating that num_aces is consistent with the declared pdacl_size. This creates a classic integer-to-allocation size mismatch: an attacker-controlled num_aces value of 65535 triggers an 8 MB allocation via kmalloc (not zeroed), but the subsequent ACE-population loop only writes the amount of data actually present in the xattr, leaving most of the allocation uninitialized. On 32-bit kernels, the three-way size_t multiplication can overflow. Additionally, the ACE parsing loop uses insufficiently strict size checks (offsetof rather than minimum valid ACE wire size) and fails to reject undersized ACE structures, creating secondary risks during ACE traversal.

RemediationAI

Upgrade to patched kernel versions: 6.12.84+ for 6.12.x series, 6.18.25+ for 6.18.x series, 7.0.2+ for 7.0.x series, or 7.1-rc1+ for mainline tracking. Verify patch application by checking for commit IDs 59c32abaaec9, 063a7409b0de, 3e5360b422dd, or 3e4e2ea2a781 in your kernel git log. If immediate patching is not feasible, implement these compensating controls with noted trade-offs: (1) Disable ksmbd module entirely if SMB server functionality is not required-eliminates attack surface but breaks SMB file sharing; verify no production workflows depend on ksmbd before disabling. (2) Remove 'vfs objects = acl_xattr' from ksmbd share configurations-prevents inheritance code path from executing but disables Windows ACL support, falling back to POSIX permissions only; acceptable for shares serving Linux/Unix clients, breaks Windows ACL expectations. (3) Deploy filesystem integrity monitoring (e.g., AIDE, Tripwire) to detect offline xattr tampering on ksmbd backing directories-provides detection not prevention; requires investigation workflow for alerts. (4) Restrict filesystem-level access to ksmbd backing directories using MAC policies (SELinux, AppArmor) to prevent authenticated SMB users from gaining local shell access that could enable xattr manipulation-reduces but does not eliminate race-condition risk; requires careful policy tuning to avoid breaking legitimate admin access. Note that blocking SMB ports (445/tcp, 139/tcp) does NOT mitigate this issue as exploitation occurs through legitimate SMB protocol usage post-authentication.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-31706 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy