CVE-2026-31705

Published: Mag 01, 2026 Last Modified: Mag 03, 2026

ExploitDB:

Other exploit source:

Google Dorks:

CRITICAL 9,8

Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Attack Vector: network

Attack Complexity: low

Privileges Required: none

User Interaction: none

Scope: unchanged

Confidentiality: high

Integrity: high

Availability: high

Description

AI Translation Available

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: fix out-of-bounds write in smb2_get_ea() EA alignment

smb2_get_ea() applies 4-byte alignment padding via memset() after
writing each EA entry. The bounds check on buf_free_len is performed
before the value memcpy, but the alignment memset fires unconditionally
afterward with no check on remaining space.

When the EA value exactly fills the remaining buffer (buf_free_len == 0
after value subtraction), the alignment memset writes 1-3 NUL bytes
past the buf_free_len boundary. In compound requests where the response
buffer is shared across commands, the first command (e.g., READ) can
consume most of the buffer, leaving a tight remainder for the QUERY_INFO
EA response. The alignment memset then overwrites past the physical
kvmalloc allocation into adjacent kernel heap memory.

Add a bounds check before the alignment memset to ensure buf_free_len
can accommodate the padding bytes.

This is the same bug pattern fixed by commit beef2634f81f ('ksmbd: fix
potencial OOB in get_file_all_info() for compound requests') and
commit fda9522ed6af ('ksmbd: fix OOB write in QUERY_INFO for compound
requests'), both of which added bounds checks before unconditional
writes in QUERY_INFO response handlers.