Skip to main content

ksmbd EUVDEUVD-2026-25505

| CVE-2026-31612 HIGH
2026-04-24 Linux GHSA-mgh3-34fv-3j84
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
SUSE
HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

8
Re-analysis Queued
Apr 29, 2026 - 17:07 vuln.today
cvss_changed
Patch released
Apr 29, 2026 - 17:00 nvd
Patch available
Analysis Generated
Apr 27, 2026 - 15:35 vuln.today
CVSS changed
Apr 27, 2026 - 15:22 NVD
7.5 (HIGH)
Patch available
Apr 24, 2026 - 16:16 EUVD
EUVD ID Assigned
Apr 24, 2026 - 15:00 euvd
EUVD-2026-25505
Analysis Generated
Apr 24, 2026 - 15:00 vuln.today
CVE Published
Apr 24, 2026 - 14:42 nvd
HIGH 7.5

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: validate EaNameLength in smb2_get_ea()

smb2_get_ea() reads ea_req->EaNameLength from the client request and passes it directly to strncmp() as the comparison length without verifying that the length of the name really is the size of the input buffer received.

Fix this up by properly checking the size of the name based on the value received and the overall size of the request, to prevent a later strncmp() call to use the length as a "trusted" size of the buffer. Without this check, uninitialized heap values might be slowly leaked to the client.

AnalysisAI

Information disclosure in Linux kernel's ksmbd SMB server allows remote unauthenticated attackers to leak uninitialized heap memory via malformed SMB2 requests. The vulnerability exists in smb2_get_ea() which fails to validate EaNameLength from client requests before using it in strncmp(), enabling heap content extraction. With EPSS score of 0.02% and no KEV listing, exploitation likelihood remains low despite CVSS 7.5 rating. Patches available across kernel versions 6.12.83, 6.18.24, 6.19.14, and 7.0.1.

Technical ContextAI

ksmbd is the in-kernel SMB3 server implementation for Linux, introduced as a modern alternative to Samba's CIFS VFS for serving files to Windows clients. This vulnerability affects the SMB2 extended attribute (EA) handling code path where smb2_get_ea() processes client requests. The function receives an EA request structure containing EaNameLength field controlled by the client, then uses this untrusted length value directly in strncmp() without boundary validation against the actual received buffer size. Since EaNameLength can exceed the real buffer bounds, strncmp() may read beyond allocated memory into adjacent uninitialized heap regions. This classic out-of-bounds read condition (similar to CWE-125) allows incremental heap memory disclosure through crafted SMB2 EA requests. The vulnerability lies in ksmbd's SMB2 protocol parsing layer where kernel-mode code directly processes network input without adequate input sanitization.

RemediationAI

Upgrade Linux kernel to patched versions: 6.12.83 or later in 6.12.x branch, 6.18.24 or later in 6.18.x branch, 6.19.14 or later in 6.19.x branch, or 7.0.1 or later in 7.0.x branch. Verify patch application by checking for commits 551dfb15b182, 243b206bcb5a, 3363a770b193, or dfc6878d14ac depending on kernel branch at https://git.kernel.org/stable/. If immediate patching is not feasible, disable ksmbd service entirely with 'systemctl stop ksmbd && systemctl disable ksmbd' - this eliminates attack surface but breaks SMB file sharing functionality for Windows clients. Alternative compensating control: restrict network access to ksmbd service (TCP ports 139/445) via firewall rules to trusted client IP ranges only, reducing exposure but not eliminating vulnerability for allowed clients. Side effect: network restrictions may break legitimate SMB access from blocked ranges. For production file servers, patching is strongly preferred over workarounds due to protocol complexity and potential for bypass.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-25505 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy