Skip to main content

Linux kernel ksmbd EUVDEUVD-2026-26521

| CVE-2026-31712 HIGH
Out-of-bounds Write (CWE-787)
2026-05-01 416baaa9-dc9f-4396-8d5f-8c081fb06d67
8.3
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
8.3 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:H
SUSE
HIGH
qualitative

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
High

Lifecycle Timeline

7
Analysis Generated
May 03, 2026 - 07:26 vuln.today
CVSS changed
May 03, 2026 - 07:22 NVD
8.3 (HIGH)
Patch released
May 03, 2026 - 07:16 nvd
Patch available
Patch available
May 01, 2026 - 15:02 EUVD
EUVD ID Assigned
May 01, 2026 - 14:22 euvd
EUVD-2026-26521
Analysis Generated
May 01, 2026 - 14:22 vuln.today
CVE Published
May 01, 2026 - 14:16 nvd
HIGH 8.3

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: require minimum ACE size in smb_check_perm_dacl()

Both ACE-walk loops in smb_check_perm_dacl() only guard against an under-sized remaining buffer, not against an ACE whose declared ace->size is smaller than the struct it claims to describe:

if (offsetof(struct smb_ace, access_req) > aces_size) break; ace_size = le16_to_cpu(ace->size); if (ace_size > aces_size) break;

The first check only requires the 4-byte ACE header to be in bounds; it does not require access_req (4 bytes at offset 4) to be readable. An attacker who has set a crafted DACL on a file they own can declare ace->size 4 with aces_size 4, pass both checks, and then

granted |= le32_to_cpu(ace->access_req); /* upper loop */ compare_sids(&sid, &ace->sid); /* lower loop */

reads access_req at offset 4 (OOB by up to 4 bytes) and ace->sid at offset 8 (OOB by up to CIFS_SID_BASE_SIZE + SID_MAX_SUB_AUTHORITIES

  • 4 bytes).

Tighten both loops to require

ace_size >= offsetof(struct smb_ace, sid) + CIFS_SID_BASE_SIZE

which is the smallest valid on-wire ACE layout (4-byte header + 4-byte access_req + 8-byte sid base with zero sub-auths). Also reject ACEs whose sid.num_subauth exceeds SID_MAX_SUB_AUTHORITIES before letting compare_sids() dereference sub_auth[] entries.

parse_sec_desc() already enforces an equivalent check (lines 441-448); smb_check_perm_dacl() simply grew weaker validation over time.

Reachability: authenticated SMB client with permission to set an ACL on a file. On a subsequent CREATE against that file, the kernel walks the stored DACL via smb_check_perm_dacl() and triggers the OOB read. Not pre-auth, and the OOB read is not reflected to the attacker, but KASAN reports and kernel state corruption are possible.

AnalysisAI

Out-of-bounds read in Linux kernel ksmbd allows authenticated SMB clients to trigger memory corruption by crafting malicious DACL ACEs with undersized headers. Attackers with permission to set ACLs on files can cause kernel KASAN reports and state corruption when subsequent CREATE operations walk the stored DACL via smb_check_perm_dacl(). Vendor patches available for kernel versions 6.12.84, 6.18.25, 7.0.2, and 7.1-rc1. EPSS score of 0.02% (5th percentile) indicates low likelihood of mass exploitation despite network attack vector, consistent with the requirement for authenticated access and specific file permission prerequisites.

Technical ContextAI

This vulnerability exists in ksmbd, the in-kernel SMB server implementation introduced in Linux 5.15. The flaw occurs in ACE (Access Control Entry) parsing within smb_check_perm_dacl(), where two validation loops fail to enforce minimum ACE structure sizes. The code only validates the 4-byte ACE header fits within the buffer but does not verify that declared ace->size accommodates the full struct smb_ace layout (header + access_req field + SID structure). SMB ACLs use DACL (Discretionary Access Control Lists) composed of ACE entries following the CIFS/SMB2+ protocol specification, where each ACE contains a header, access mask, and security identifier (SID). The vulnerable loops dereference access_req at offset 4 and sid fields at offset 8+ without confirming these offsets are within the ACE's declared size boundary, creating an out-of-bounds read condition when processing attacker-controlled DACL data structures stored on the filesystem.

RemediationAI

Upgrade Linux kernel to patched versions: 6.12.84 or later in the 6.12.x series, 6.18.25 or later in 6.18.x, 7.0.2 or later in 7.0.x, or 7.1-rc1 and later. Patches available from kernel.org stable tree at commits 90089584b2e25c4510b7b987387b4405f0673ece, 95e5aa3c3261da8c95b27d7aecf8ee39b9f86a4c, 151b1799861fde38087c08f613abc2843ef597b0, and d07b26f39246a82399661936dd0c853983cfade7. If immediate patching is not feasible, disable the ksmbd kernel module (rmmod ksmbd; add ksmbd to module blacklist in /etc/modprobe.d/) and use user-space Samba instead, trading kernel-space performance for elimination of attack surface. Alternatively, restrict SMB access to fully trusted authenticated users only and audit file ACL-setting permissions to prevent untrusted users from modifying DACLs, though this provides defense-in-depth rather than complete mitigation and requires ongoing access control management overhead. Monitor kernel logs for KASAN reports indicating potential exploitation attempts. No workaround exists for environments requiring ksmbd with untrusted authenticated users.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-26521 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy