Cyber Resilience

CVE-2026-31432

Severity: High

Published: 22 April 2026

Modified: 21 May 2026
KEV Added: not listed
Patch: available
CVSS v3.1 Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0051 (39.3th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-31432 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in the Linux Kernel (vendor: Linux). Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). EPSS ranks it at the 39.3th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-16 (Memory Protection).

Deeper analysis

CVE-2026-31432 is an out-of-bounds (OOB) write vulnerability in the ksmbd module of the Linux kernel, which implements an in-kernel SMB server for SMB/CIFS protocol handling. The issue arises during compound requests, such as READ followed by QUERY_INFO(Security), where the first operation (e.g., READ) consumes most of the response buffer. While building the security descriptor in smb2_get_info_sec(), the code checks the remaining buffer space against a ppntsd_size value taken from the file's xattr, but build_sec_desc() then synthesizes a much larger descriptor from the POSIX ACLs, so the write can extend beyond the end of the allocated response buffer.

A remote attacker with low privileges, such as an authenticated SMB user (PR:L), can exploit this over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N). Successful exploitation enables high-impact confidentiality, integrity, and availability effects (C:H/I:H/A:H), with an overall CVSS v3.1 score of 8.8, potentially allowing arbitrary code execution, data corruption, or kernel crashes via crafted compound SMB2 requests.

Mitigation requires applying the upstream Linux kernel patches referenced in the stable repository commits, including 075ea208c648cc2bcd616295b711d3637c61de45, 515c2daab46021221bdf406bef19bc90a44ec617, d48c64fb80ad78b3dd29fb7d79b6ec7bd72bfc09, and fda9522ed6afaec45cabc198d8492270c394c7bc. These fixes introduce smb_acl_sec_desc_scratch_len() for accurate pre-computation of descriptor sizes, enforce proper buffer checks via smb2_calc_max_out_buf_len(), and use exact-sized allocations with iov pinning to prevent OOB writes.

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: fix OOB write in QUERY_INFO for compound requests

When a compound request such as READ + QUERY_INFO(Security) is received, and the first command (READ) consumes most of the response buffer, ksmbd could write beyond the allocated buffer while building a security descriptor. The root cause was that smb2_get_info_sec() checked buffer space using ppntsd_size from xattr, while build_sec_desc() often synthesized a significantly larger descriptor from POSIX ACLs. This patch introduces smb_acl_sec_desc_scratch_len() to accurately compute the final descriptor size beforehand, performs proper buffer checking with smb2_calc_max_out_buf_len(), and uses exact-sized allocation + iov pinning.
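As an added illustration of the size-check mismatch described in the deeper analysis and in the patch description above: this is a constructed model written for this page, not ksmbd code, and the buffer size, the descriptor constants and the function names below are assumptions that do not exist in the kernel. The vulnerable path compares the room left in the response against ppntsd_size (the size recorded in an xattr) but then emits a descriptor synthesized from POSIX ACLs; the fixed path first computes the size of the descriptor it will really build, in the spirit of smb_acl_sec_desc_scratch_len() and the smb2_calc_max_out_buf_len() check, and refuses the request when it does not fit. Writes are clamped to the buffer and the would-be overflow is only reported, so the program runs safely.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model, not ksmbd code: one response buffer shared by all
 * commands of a compound request. */
#define RESP_BUF_LEN 4096u

enum sd_status {
    SD_OK = 0,        /* descriptor fit and was written */
    SD_REJECTED = 1,  /* request refused before any write (the safe outcome) */
    SD_OVERFLOW = 2   /* a real memcpy here would have written past the buffer */
};

struct resp {
    uint8_t buf[RESP_BUF_LEN];
    size_t used;      /* bytes consumed by earlier commands, e.g. READ */
};

static size_t resp_room(const struct resp *r)
{
    return RESP_BUF_LEN - r->used;
}

/* Hypothetical sizes: a fixed header plus one fixed-size ACE per POSIX ACL
 * entry. This stands in for the pre-computation the fix introduces. */
enum { SD_HEADER_LEN = 20, SD_ACE_LEN = 24 };

static size_t synthesized_sd_len(size_t n_posix_aces)
{
    return SD_HEADER_LEN + n_posix_aces * SD_ACE_LEN;
}

/* Emit len descriptor bytes, clamped to the remaining room. Returns how
 * many bytes would have landed out of bounds (0 means the write fit). */
static size_t emit_sd(struct resp *r, size_t len)
{
    size_t room = resp_room(r);
    size_t n = len < room ? len : room;

    memset(r->buf + r->used, 0xAA, n);   /* stand-in for descriptor bytes */
    r->used += n;
    return len - n;
}

/* Vulnerable pattern: the bounds check uses ppntsd_size, the size of a
 * descriptor stored in an xattr, but the descriptor actually built is
 * synthesized from the POSIX ACLs and can be much larger. */
static enum sd_status query_sec_vulnerable(struct resp *r, size_t ppntsd_size,
                                           size_t n_posix_aces)
{
    if (ppntsd_size > resp_room(r))
        return SD_REJECTED;   /* passes whenever the stale estimate fits */
    return emit_sd(r, synthesized_sd_len(n_posix_aces)) ? SD_OVERFLOW : SD_OK;
}

/* Fixed pattern: compute the size of the descriptor that will really be
 * built, then compare that against the room left in the response. */
static enum sd_status query_sec_fixed(struct resp *r, size_t n_posix_aces)
{
    size_t need = synthesized_sd_len(n_posix_aces);

    if (need > resp_room(r))
        return SD_REJECTED;
    return emit_sd(r, need) ? SD_OVERFLOW : SD_OK;
}

/* One compound request: a READ that consumed read_len bytes, followed by
 * QUERY_INFO(Security). */
static enum sd_status compound_vulnerable(size_t read_len, size_t ppntsd_size,
                                          size_t n_posix_aces)
{
    struct resp r = { .used = read_len > RESP_BUF_LEN ? RESP_BUF_LEN : read_len };
    return query_sec_vulnerable(&r, ppntsd_size, n_posix_aces);
}

static enum sd_status compound_fixed(size_t read_len, size_t n_posix_aces)
{
    struct resp r = { .used = read_len > RESP_BUF_LEN ? RESP_BUF_LEN : read_len };
    return query_sec_fixed(&r, n_posix_aces);
}

int main(void)
{
    /* Constructed scenario: READ left 96 bytes of room; the xattr claims a
     * 64-byte descriptor, but 8 POSIX ACL entries synthesize 212 bytes. */
    printf("vulnerable: %d (2 = would overflow)\n", compound_vulnerable(4000, 64, 8));
    printf("fixed:      %d (1 = rejected)\n", compound_fixed(4000, 8));
    return 0;
}
```

The point to take from the model is that the check and the write must be driven by the same size computation: any estimate read from stored metadata can diverge from what the builder actually produces, and the only reliable guard is to size the output first and check that against the space the response really has left.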

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

- T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
- T1210 Exploitation of Remote Services (tactic: Lateral Movement): Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.

Why these techniques?

OOB write in ksmbd SMB server enables remote authenticated users to achieve kernel RCE via crafted SMB2 compound requests, directly mapping to exploitation of remote services (T1210, cf. EternalBlue) and privilege escalation from low-priv SMB account to kernel (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

- CVE-2026-31712 (same product: Linux Linux Kernel)
- CVE-2026-31402 (same product: Linux Linux Kernel)
- CVE-2022-49062 (same product: Linux Linux Kernel)
- CVE-2023-52980 (same product: Linux Linux Kernel)
- CVE-2021-47642 (same product: Linux Linux Kernel)
- CVE-2022-49581 (same product: Linux Linux Kernel)
- CVE-2024-52319 (same product: Linux Linux Kernel)
- CVE-2025-71092 (same product: Linux Linux Kernel)
- CVE-2025-21724 (same product: Linux Linux Kernel)
- CVE-2026-23078 (same product: Linux Linux Kernel)

Affected Assets

Vendor: linux
Product: linux kernel
Affected versions: 7.0; 5.15.145 to 5.16; 6.1.71 to 6.2; 6.6 to 6.12.81

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

- Prevent: Directly mitigates CVE-2026-31432 by requiring timely installation of the Linux kernel patches that fix the OOB write in ksmbd's security descriptor handling for compound SMB requests.
- Prevent (SI-16, Memory Protection): Kernel memory protections such as address space layout randomization and stack canaries raise the cost of exploiting the OOB write in ksmbd on systems that are not yet patched.
- Prevent (CM-7, Least Functionality): Limits the system to least functionality by disabling the ksmbd SMB server module where it is not needed, which removes the remote attack surface for the compound-request OOB write.