Skip to main content

Linux Kernel CVE-2026-31709

| EUVDEUVD-2026-26518 HIGH
Improper Validation of Consistency within Input (CWE-1288)
2026-05-01 416baaa9-dc9f-4396-8d5f-8c081fb06d67
8.8
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
8.8 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
7.1 MEDIUM
qualitative

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

7
Analysis Generated
May 03, 2026 - 07:25 vuln.today
CVSS changed
May 03, 2026 - 07:22 NVD
8.8 (HIGH)
Patch released
May 03, 2026 - 07:16 nvd
Patch available
Patch available
May 01, 2026 - 15:02 EUVD
EUVD ID Assigned
May 01, 2026 - 14:22 euvd
EUVD-2026-26518
Analysis Generated
May 01, 2026 - 14:22 vuln.today
CVE Published
May 01, 2026 - 14:16 nvd
HIGH 8.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

smb: client: validate the whole DACL before rewriting it in cifsacl

build_sec_desc() and id_mode_to_cifs_acl() derive a DACL pointer from a server-supplied dacloffset and then use the incoming ACL to rebuild the chmod/chown security descriptor.

The original fix only checked that the struct smb_acl header fits before reading dacl_ptr->size or dacl_ptr->num_aces. That avoids the immediate header-field OOB read, but the rewrite helpers still walk ACEs based on pdacl->num_aces with no structural validation of the incoming DACL body.

A malicious server can return a truncated DACL that still contains a header, claims one or more ACEs, and then drive replace_sids_and_copy_aces() or set_chmod_dacl() past the validated extent while they compare or copy attacker-controlled ACEs.

Factor the DACL structural checks into validate_dacl(), extend them to validate each ACE against the DACL bounds, and use the shared validator before the chmod/chown rebuild paths. parse_dacl() reuses the same validator so the read-side parser and write-side rewrite paths agree on what constitutes a well-formed incoming DACL.

AnalysisAI

Remote unauthenticated attackers can trigger out-of-bounds memory access in the Linux kernel SMB client's DACL parsing code by sending a malicious SMB response with a truncated DACL structure. The vulnerability exists in build_sec_desc() and id_mode_to_cifs_acl() functions which insufficiently validate server-supplied ACL data before rewriting it during chmod/chown operations, allowing ACE traversal beyond validated memory bounds. CVSS 8.8 indicates high severity with network vector requiring user interaction. EPSS score of 0.02% (5th percentile) suggests low observed exploitation probability in the wild, and no active exploitation is confirmed (not in CISA KEV). Vendor patch available targeting Linux kernel 7.0.2 and 7.1-rc1.

Technical ContextAI

This vulnerability affects the Linux kernel CIFS (Common Internet File System) client implementation, specifically the ACL (Access Control List) handling in cifsacl code. When the SMB client processes DACL (Discretionary Access Control List) structures from SMB servers during security descriptor operations, the parsing functions build_sec_desc() and id_mode_to_cifs_acl() extract a DACL pointer from a server-supplied dacloffset field. The original code validated only the smb_acl header structure but failed to validate the complete DACL body before functions like replace_sids_and_copy_aces() or set_chmod_dacl() iterate through ACEs (Access Control Entries) based on the num_aces field. This creates a classic TOCTOU (time-of-check-time-of-use) gap where header validation occurs but subsequent ACE traversal operations assume well-formed data. The fix introduces a centralized validate_dacl() function that performs complete structural validation of both DACL headers and individual ACE boundaries, ensuring parse_dacl() and the chmod/chown rewrite paths use consistent validation logic.

RemediationAI

Upgrade to Linux kernel version 7.0.2 or later, or apply the vendor-supplied patches from stable kernel tree (commits 0a8cf165566ba55a39fd0f4de172119dd646d39a or b78db9bddc84136f6a0bb49e8883cf200dfb87a8). Distribution users should apply security updates from their vendor (Red Hat RHSA, Ubuntu USN, Debian DSA, SUSE updates) that backport the validate_dacl() fix to their kernel branches. For systems unable to patch immediately, implement network-level controls restricting SMB client connections to only trusted authenticated internal servers via firewall rules blocking outbound TCP 445/139 to untrusted networks. Alternatively, disable CIFS kernel module (rmmod cifs; echo 'blacklist cifs' >> /etc/modprobe.d/blacklist.conf) if SMB client functionality is not required, though this breaks legitimate SMB mount operations. Organizations can also restrict user privileges to mount filesystems via fstab policies and mount namespace restrictions, preventing unprivileged users from connecting to arbitrary SMB servers, though administrative users retain the capability. Each workaround trades SMB client functionality for reduced attack surface.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-31709 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy