Home

Description

In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix OOB write in QUERY_INFO for compound requests When a compound request such as READ + QUERY_INFO(Security) is received, and the first command (READ) consumes most of the response buffer, ksmbd could write beyond the allocated buffer while building a security descriptor. The root cause was that smb2_get_info_sec() checked buffer space using ppntsd_size from xattr, while build_sec_desc() often synthesized a significantly larger descriptor from POSIX ACLs. This patch introduces smb_acl_sec_desc_scratch_len() to accurately compute the final descriptor size beforehand, performs proper buffer checking with smb2_calc_max_out_buf_len(), and uses exact-sized allocation + iov pinning.

PUBLISHED Reserved 2026-03-09 | Published 2026-04-22 | Updated 2026-04-27 | Assigner Linux




HIGH: 8.8CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Product status

Default status
unaffected

e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d (git) before d48c64fb80ad78b3dd29fb7d79b6ec7bd72bfc09
affected

e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d (git) before 075ea208c648cc2bcd616295b711d3637c61de45
affected

e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d (git) before 515c2daab46021221bdf406bef19bc90a44ec617
affected

e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d (git) before fda9522ed6afaec45cabc198d8492270c394c7bc
affected

f2283680a80571ca82d710bc6ecd8f8beac67d63 (git)
affected

9f297df20d93411c0b4ddad7f88ba04a7cd36e77 (git)
affected

Default status
affected

6.6
affected

Any version before 6.6
unaffected

6.12.81 (semver)
unaffected

6.18.22 (semver)
unaffected

6.19.12 (semver)
unaffected

7.0 (original_commit_for_fix)
unaffected

References

git.kernel.org/...c/d48c64fb80ad78b3dd29fb7d79b6ec7bd72bfc09

git.kernel.org/...c/075ea208c648cc2bcd616295b711d3637c61de45

git.kernel.org/...c/515c2daab46021221bdf406bef19bc90a44ec617

git.kernel.org/...c/fda9522ed6afaec45cabc198d8492270c394c7bc

cve.org (CVE-2026-31432)

nvd.nist.gov (CVE-2026-31432)

Download JSON