Skip to main content

Linux Kernel CVE-2026-31708

| EUVDEUVD-2026-26517 HIGH
Out-of-bounds Read (CWE-125)
2026-05-01 416baaa9-dc9f-4396-8d5f-8c081fb06d67
8.1
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
8.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H
SUSE
HIGH
qualitative
Red Hat
6.1 MEDIUM
qualitative

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
High

Lifecycle Timeline

7
Analysis Generated
May 03, 2026 - 07:25 vuln.today
CVSS changed
May 03, 2026 - 07:22 NVD
8.1 (HIGH)
Patch released
May 03, 2026 - 07:16 nvd
Patch available
Patch available
May 01, 2026 - 15:02 EUVD
EUVD ID Assigned
May 01, 2026 - 14:22 euvd
EUVD-2026-26517
Analysis Generated
May 01, 2026 - 14:22 vuln.today
CVE Published
May 01, 2026 - 14:16 nvd
HIGH 8.1

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

smb: client: fix OOB read in smb2_ioctl_query_info QUERY_INFO path

smb2_ioctl_query_info() has two response-copy branches: PASSTHRU_FSCTL and the default QUERY_INFO path. The QUERY_INFO branch clamps qi.input_buffer_length to the server-reported OutputBufferLength and then copies qi.input_buffer_length bytes from qi_rsp->Buffer to userspace, but it never verifies that the flexible-array payload actually fits within rsp_iov[1].iov_len.

A malicious server can return OutputBufferLength larger than the actual QUERY_INFO response, causing copy_to_user() to walk past the response buffer and expose adjacent kernel heap to userspace.

Guard the QUERY_INFO copy with a bounds check on the actual Buffer payload. Use struct_size(qi_rsp, Buffer, qi.input_buffer_length) rather than an open-coded addition so the guard cannot overflow on 32-bit builds.

AnalysisAI

A malicious SMB server can trigger out-of-bounds heap memory disclosure in Linux kernel SMB client (CIFS) through crafted QUERY_INFO responses. Vulnerable Linux kernel versions 5.1 through 6.12.84 do not validate server-reported OutputBufferLength against actual response size before copying data to userspace, allowing a rogue SMB server to expose adjacent kernel heap contents. Patches available across stable kernel branches (6.6.136, 6.12.84, 6.18.25, 7.0.2, 7.1-rc1). EPSS score of 0.02% indicates low exploitation probability; no active exploitation confirmed. Attack requires user interaction to mount malicious SMB share.

Technical ContextAI

This vulnerability affects the Linux kernel's SMB/CIFS client implementation, specifically the smb2_ioctl_query_info() function handling SMB2 QUERY_INFO responses. The flaw exists in the default QUERY_INFO code path (not PASSTHRU_FSCTL). When processing server responses, the code trusts the server-provided OutputBufferLength field to determine how many bytes to copy from the response buffer (qi_rsp->Buffer) to userspace via copy_to_user(). However, it fails to validate that the flexible-array payload actually fits within the received response buffer (rsp_iov[1].iov_len). This classic bounds-checking failure creates a buffer over-read condition where copy_to_user() can read past the legitimate response buffer into adjacent kernel heap memory. The fix adds a bounds check using struct_size(qi_rsp, Buffer, qi.input_buffer_length) to prevent integer overflow on 32-bit systems and ensures the requested copy length does not exceed the actual buffer size. This represents a trust boundary violation where kernel code incorrectly trusts untrusted network input (SMB server responses) without validation.

RemediationAI

Primary remediation is upgrading to patched kernel versions: 6.6.136 or later for the 6.6.x series, 6.12.84 or later for 6.12.x, 6.18.25 or later for 6.18.x, 7.0.2 or later for 7.0.x, or 7.1-rc1 and beyond. Patches are available from the stable kernel git repository at https://git.kernel.org/stable/c/078fae8f50adebb903ccf2252b44391324571e78 and related commits listed in references. Organizations unable to patch immediately should implement compensating controls: restrict SMB client connections to explicitly trusted servers only via firewall rules (blocks opportunistic attacker-controlled servers but may disrupt legitimate workflows requiring dynamic SMB access); disable the CIFS/SMB kernel module entirely if not required (effective but breaks all SMB functionality); or deploy network monitoring to detect anomalous SMB QUERY_INFO responses with oversized OutputBufferLength fields (requires deep packet inspection and SMB protocol expertise, limited effectiveness against encrypted SMB3). The most practical interim mitigation is user education to avoid mounting untrusted SMB shares combined with network segmentation to prevent connections to attacker-controlled infrastructure. Note that disabling SMBv2/v3 in favor of SMBv1 is not a viable mitigation and introduces worse security risks.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-31708 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy