{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31432", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-03-09T15:48:24.089Z", "datePublished": "2026-04-22T08:15:10.873Z", "dateUpdated": "2026-05-11T22:08:35.779Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:08:35.779Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix OOB write in QUERY_INFO for compound requests\n\nWhen a compound request such as READ + QUERY_INFO(Security) is received,\nand the first command (READ) consumes most of the response buffer,\nksmbd could write beyond the allocated buffer while building a security\ndescriptor.\n\nThe root cause was that smb2_get_info_sec() checked buffer space using\nppntsd_size from xattr, while build_sec_desc() often synthesized a\nsignificantly larger descriptor from POSIX ACLs.\n\nThis patch introduces smb_acl_sec_desc_scratch_len() to accurately\ncompute the final descriptor size beforehand, performs proper buffer\nchecking with smb2_calc_max_out_buf_len(), and uses exact-sized\nallocation + iov pinning."}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH"}}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/smb/server/smb2pdu.c", "fs/smb/server/smbacl.c", "fs/smb/server/smbacl.h"], "versions": [{"version": "e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d", "lessThan": "d48c64fb80ad78b3dd29fb7d79b6ec7bd72bfc09", "status": "affected", "versionType": "git"}, {"version": "e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d", "lessThan": "075ea208c648cc2bcd616295b711d3637c61de45", "status": "affected", "versionType": "git"}, {"version": "e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d", "lessThan": "515c2daab46021221bdf406bef19bc90a44ec617", "status": "affected", "versionType": "git"}, {"version": "e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d", "lessThan": "fda9522ed6afaec45cabc198d8492270c394c7bc", "status": "affected", "versionType": "git"}, {"version": "f2283680a80571ca82d710bc6ecd8f8beac67d63", "status": "affected", "versionType": "git"}, {"version": "9f297df20d93411c0b4ddad7f88ba04a7cd36e77", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/smb/server/smb2pdu.c", "fs/smb/server/smbacl.c", "fs/smb/server/smbacl.h"], "versions": [{"version": "6.6", "status": "affected"}, {"version": "0", "lessThan": "6.6", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.81", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.22", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.12", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.6", "versionEndExcluding": "6.12.81"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.6", "versionEndExcluding": "6.18.22"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.6", "versionEndExcluding": "6.19.12"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.6", "versionEndExcluding": "7.0"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15.145"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.1.71"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/d48c64fb80ad78b3dd29fb7d79b6ec7bd72bfc09"}, {"url": "https://git.kernel.org/stable/c/075ea208c648cc2bcd616295b711d3637c61de45"}, {"url": "https://git.kernel.org/stable/c/515c2daab46021221bdf406bef19bc90a44ec617"}, {"url": "https://git.kernel.org/stable/c/fda9522ed6afaec45cabc198d8492270c394c7bc"}], "title": "ksmbd: fix OOB write in QUERY_INFO for compound requests", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix OOB write in QUERY_INFO for compound requests\n\nWhen a compound request such as READ + QUERY_INFO(Security) is received,\nand the first command (READ) consumes most of the response buffer,\nksmbd could write beyond the allocated buffer while building a security\ndescriptor.\n\nThe root cause was that smb2_get_info_sec() checked buffer space using\nppntsd_size from xattr, while build_sec_desc() often synthesized a\nsignificantly larger descriptor from POSIX ACLs.\n\nThis patch introduces smb_acl_sec_desc_scratch_len() to accurately\ncompute the final descriptor size beforehand, performs proper buffer\nchecking with smb2_calc_max_out_buf_len(), and uses exact-sized\nallocation + iov pinning."}], "id": "CVE-2026-31432", "lastModified": "2026-04-27T14:16:38.067", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary"}]}, "published": "2026-04-22T09:16:21.410", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/075ea208c648cc2bcd616295b711d3637c61de45"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/515c2daab46021221bdf406bef19bc90a44ec617"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/d48c64fb80ad78b3dd29fb7d79b6ec7bd72bfc09"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/fda9522ed6afaec45cabc198d8492270c394c7bc"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: ksmbd: fix OOB write in QUERY_INFO for compound requests", "id": "2460537", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2460537"}, "csaw": false, "cwe": "CWE-131", "details": ["A flaw was found in the ksmbd component of the Linux kernel. This vulnerability allows an attacker to cause the system to write data beyond its intended memory boundaries when processing specific network requests. Specifically, when a complex request combines data reading with security information queries, the system might miscalculate the required buffer size. This out-of-bounds write could lead to system instability, a denial of service, or potentially allow an attacker to execute malicious code."], "name": "CVE-2026-31432", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-22T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-31432\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31432\nhttps://lore.kernel.org/linux-cve-announce/2026042216-CVE-2026-31432-e990@gregkh/T"]}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d,d48c64fb80ad78b3dd29fb7d79b6ec7bd72bfc09)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d,075ea208c648cc2bcd616295b711d3637c61de45)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d,515c2daab46021221bdf406bef19bc90a44ec617)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d,fda9522ed6afaec45cabc198d8492270c394c7bc)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "f2283680a80571ca82d710bc6ecd8f8beac67d63"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "9f297df20d93411c0b4ddad7f88ba04a7cd36e77"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "6.6"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,6.6)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.81,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.22,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.12,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-28T08:27:06.863499+00:00", "value": {"mitigation_remediation": ["Upgrade the Linux kernel to a version that includes the ksmbd out\u2011of\u2011bounds write fix (the patch commit addresses the buffer size error).", "If an immediate kernel upgrade is not feasible, block or restrict SMB traffic from untrusted networks using firewall rules and deny SMB connections from unknown hosts.", "If ksmbd is not required for business operations, disable the service or replace it with a non\u2011kernel SMB implementation that does not expose the vulnerable path."], "summary": {"action": "Apply Patch", "impact": "Out-of-bounds write in kernel SMB daemon leading to potential memory corruption and privilege escalation"}, "threat_synthesis": {"affected_systems": "All Linux kernel releases that include the ksmbd SMB daemon and have not incorporated the patch from commit 075ea208c648cc2bcd616295b711d3637c61de45. Systems running SMB services via ksmbd with exposed interfaces to untrusted clients are affected.", "description_and_impact": "A compound SMB request that performs a READ followed by a QUERY_INFO(Security) operation triggers a buffer overrun in the Linux ksmbd service. During this operation the kernel incorrectly calculates the size of the security descriptor and writes beyond the allocated buffer, creating a memory corruption condition. This flaw can be leveraged by an attacker to corrupt kernel memory, potentially escalating privileges to root. The vulnerability is rooted in an inaccurate buffer size check and improper allocation logic for synthesizing POSIX ACL descriptors.", "risk_and_exploitability": "The flaw can be exploited over SMB traffic, as a crafted SMB compound request could trigger the buffer overrun. This inference is based on the description of the vulnerability in the ksmbd service. The CVSS score is 8.8, classifying this vulnerability as High severity. The EPSS score is < 1% and the vulnerability is not listed in KEV, indicating a low probability of exploitation and no current known exploitation in the wild, but the presence of an out-of-bounds write in kernel space still represents a high severity risk."}}}}, "created": "2026-04-22T09:30:13.308109+00:00", "updated": "2026-04-28T08:30:13.192266+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}