CVE-2026-31432
Published: 22 April 2026
Summary
CVE-2026-31432 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in the Linux kernel, in ksmbd, the in-kernel SMB server. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). It is ranked at the 39.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-16 (Memory Protection).
Deeper analysis
CVE-2026-31432 is an out-of-bounds (OOB) write in ksmbd, the Linux kernel's in-kernel SMB server (the kernel's own SMB2/SMB3 implementation, not the userspace Samba daemon). The issue arises while handling a compound request such as READ followed by QUERY_INFO(Security), where the first command (READ) consumes most of the response buffer. While building the security descriptor in smb2_get_info_sec(), the code checks the remaining buffer space against ppntsd_size, the size of the descriptor stored in the file's xattr, but build_sec_desc() then synthesizes a much larger descriptor from the file's POSIX ACLs and writes it, so the write runs past the end of the response buffer.
A remote attacker with low privileges, such as an authenticated SMB user (PR:L), can exploit this over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N). Successful exploitation enables high-impact confidentiality, integrity, and availability effects (C:H/I:H/A:H), with an overall CVSS v3.1 score of 8.8, potentially allowing arbitrary code execution, data corruption, or kernel crashes via crafted compound SMB2 requests.
Mitigation requires applying the upstream Linux kernel patches referenced in the stable repository commits, including 075ea208c648cc2bcd616295b711d3637c61de45, 515c2daab46021221bdf406bef19bc90a44ec617, d48c64fb80ad78b3dd29fb7d79b6ec7bd72bfc09, and fda9522ed6afaec45cabc198d8492270c394c7bc. These fixes introduce smb_acl_sec_desc_scratch_len() for accurate pre-computation of descriptor sizes, enforce proper buffer checks via smb2_calc_max_out_buf_len(), and use exact-sized allocations with iov pinning to prevent OOB writes.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-24640
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: fix OOB write in QUERY_INFO for compound requests
When a compound request such as READ + QUERY_INFO(Security) is received, and the first command (READ) consumes most of the response buffer, ksmbd could write beyond the allocated buffer while building a security descriptor. The root cause was that smb2_get_info_sec() checked buffer space using ppntsd_size from xattr, while build_sec_desc() often synthesized a significantly larger descriptor from POSIX ACLs. This patch introduces smb_acl_sec_desc_scratch_len() to accurately compute the final descriptor size beforehand, performs proper buffer checking with smb2_calc_max_out_buf_len(), and uses exact-sized allocation + iov pinning.
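The mechanism described in the deeper analysis and in the commit message above, as an added, simplified C model written for this page (it is not ksmbd code and not from the patch): a fixed response buffer, a READ that consumes most of it, then a QUERY_INFO(Security) handler that checks the room left against the stored xattr length while writing a descriptor synthesized from the POSIX ACL. The names (run_compound, resp_overflow_bytes, read_resp, file_meta), the buffer and ACE sizes, and the per-file metadata are all assumptions; the guard region exists only so the overrun can be measured without undefined behaviour. The hardened variant mirrors the patch's ordering (compute the final size, then check it against the room left) but does not model the exact-sized allocation and iov pinning the real fix also adds.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of a compound SMB2 response buffer (added example, not ksmbd code).
 * All sizes, names and the file metadata are constructed for the demo. */
#define RESP_BUF_LEN 256  /* logical size of the response buffer */
#define GUARD_LEN    512  /* guard region after it, so an overrun can be observed without UB */
#define SD_HEADER_LEN 20  /* hypothetical fixed header of the emitted descriptor */
#define ACE_LEN       24  /* hypothetical size of each synthesised ACE */

struct compound_resp {
    uint8_t mem[RESP_BUF_LEN + GUARD_LEN]; /* mem[0..RESP_BUF_LEN) is the real buffer */
    size_t used;                           /* bytes consumed by earlier commands */
};

/* Constructed per-file metadata: a short stored NTSD xattr but a long POSIX ACL. */
struct file_meta {
    size_t ntsd_xattr_len;     /* analogue of ppntsd_size: size of the SD stored in the xattr */
    unsigned posix_ace_count;  /* ACEs that build_sec_desc() synthesises from POSIX ACLs */
};

static void resp_init(struct compound_resp *r) {
    memset(r->mem, 0, RESP_BUF_LEN);
    memset(r->mem + RESP_BUF_LEN, 0xCC, GUARD_LEN); /* guard pattern */
    r->used = 0;
}

/* Room left in the logical buffer (analogue of smb2_calc_max_out_buf_len()). */
static size_t calc_max_out_buf_len(const struct compound_resp *r) {
    return RESP_BUF_LEN - r->used;
}

/* Guard bytes clobbered, i.e. how far a write ran past the buffer. */
static size_t resp_overflow_bytes(const struct compound_resp *r) {
    size_t n = 0;
    for (size_t i = 0; i < GUARD_LEN; i++)
        if (r->mem[RESP_BUF_LEN + i] != 0xCC) n++;
    return n;
}

/* First command in the compound (READ): a bounded write that eats most of the buffer. */
static bool read_resp(struct compound_resp *r, size_t len) {
    if (len > calc_max_out_buf_len(r)) return false;
    memset(r->mem + r->used, 0xDD, len);
    r->used += len;
    return true;
}

/* Size the builder will really emit (analogue of smb_acl_sec_desc_scratch_len()). */
static size_t sec_desc_scratch_len(const struct file_meta *m) {
    return SD_HEADER_LEN + (size_t)m->posix_ace_count * ACE_LEN;
}

/* Analogue of build_sec_desc(): writes the whole descriptor at the current offset without
 * checking the room left. The clamp to the backing store only keeps this demo memory-safe;
 * the real code has no such net. */
static size_t build_sec_desc(struct compound_resp *r, const struct file_meta *m) {
    size_t n = sec_desc_scratch_len(m);
    size_t backing = sizeof(r->mem) - r->used;
    if (n > backing) n = backing;
    memset(r->mem + r->used, 0xAC, n); /* stands in for real SD encoding */
    return n;
}

/* Vulnerable pattern: room is checked against the stored xattr length, but the descriptor
 * actually written is synthesised from the POSIX ACL and can be far larger. */
static int vulnerable_query_info_sec(struct compound_resp *r, const struct file_meta *m) {
    if (m->ntsd_xattr_len > calc_max_out_buf_len(r)) return -1; /* passes for a small xattr */
    r->used += build_sec_desc(r, m);                            /* overruns the buffer */
    return 0;
}

/* Hardened pattern: compute the final size first, then check it against the room left. */
static int fixed_query_info_sec(struct compound_resp *r, const struct file_meta *m) {
    if (sec_desc_scratch_len(m) > calc_max_out_buf_len(r)) return -1; /* reject, do not write */
    r->used += build_sec_desc(r, m);
    return 0;
}

typedef int (*query_info_fn)(struct compound_resp *, const struct file_meta *);

/* Runs a READ + QUERY_INFO(Security) compound through one handler. Returns the number of
 * bytes written past the buffer; *rc_out receives the handler's result. */
static size_t run_compound(query_info_fn handler, int *rc_out) {
    struct compound_resp r;
    /* Constructed input: 28-byte stored descriptor, 12 ACEs synthesised from POSIX ACLs */
    const struct file_meta m = { .ntsd_xattr_len = 28, .posix_ace_count = 12 };
    resp_init(&r);
    read_resp(&r, 200);   /* READ consumes 200 of 256 bytes; 56 remain */
    int rc = handler(&r, &m);
    if (rc_out) *rc_out = rc;
    return resp_overflow_bytes(&r);
}

int main(void) {
    int rc;
    size_t ov = run_compound(vulnerable_query_info_sec, &rc);
    printf("vulnerable: rc=%d, %zu bytes written past the buffer\n", rc, ov);
    ov = run_compound(fixed_query_info_sec, &rc);
    printf("fixed:      rc=%d, %zu bytes written past the buffer\n", rc, ov);
    return 0;
}
```

Build with a C99 or later compiler and run it: the vulnerable handler reports success while a non-zero number of bytes lands past the buffer, because the 28-byte xattr check says nothing about the 12-ACE descriptor the builder emits; the hardened handler computes that descriptor's size before touching the buffer and rejects the request, which is the ordering the upstream fix enforces.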
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The OOB write in the ksmbd SMB server lets a remote, authenticated user corrupt kernel memory with crafted SMB2 compound requests, potentially reaching kernel code execution. That maps to Exploitation of Remote Services (T1210, cf. EternalBlue against SMB) and, because the foothold is a low-privileged SMB account while the outcome is kernel context, to Exploitation for Privilege Escalation (T1068).
Mitigating Controls (NIST 800-53 r5)
- Flaw remediation (timely patching): directly mitigates CVE-2026-31432 by requiring timely installation of the Linux kernel patches that fix the OOB write in ksmbd's security descriptor handling for compound SMB requests; on a running host that means a kernel carrying the commits listed above or the distribution's backport of them.
- SI-16 (Memory Protection): kernel hardening such as address space randomization and stack canaries raises the cost of turning the OOB write into code execution on an unpatched host, but it does not prevent the out-of-bounds write itself: an authenticated user can still corrupt kernel memory or crash the server, so treat it as defence in depth, not as a substitute for the patch.
- CM-7 (Least Functionality): if the host does not need to serve SMB from the kernel, do not load ksmbd (or build the kernel without CONFIG_SMB_SERVER); with the module absent, the compound-request OOB write has no remote attack surface. Check with lsmod for the ksmbd module and for a listener on the SMB port (445 by default) before treating a host as unexposed.