Cyber Resilience

CVE-2026-31433

Severity: High
Published: 22 April 2026
Modified: 27 April 2026
KEV Added: not listed
Patch: upstream fix available
CVSS v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.0060 (44.1st percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-31433 is a high-severity vulnerability in the Linux kernel (affected product inferred from the references; no CWE is listed). Its CVSS v3.1 base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 44.1st percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-31433 is a vulnerability in the Linux kernel's ksmbd module, which implements the SMB server protocol. The issue arises in the get_file_all_info() function during the processing of compound SMB2 requests combining QUERY_DIRECTORY and QUERY_INFO (FILE_ALL_INFORMATION). When the first command in the compound request consumes nearly the entire max_trans_size, the function blindly calls smbConvertToUTF16() with PATH_MAX without validating the client-provided OutputBufferLength. This lack of checks allows filenames exceeding available buffer space to trigger out-of-bounds writes during UTF-16 conversion, potentially leading to buffer overflows or memory corruption.

The vulnerability can be exploited over the network by an authenticated user with low privileges (PR:L), requiring low attack complexity and no user interaction. Successful exploitation could result in high impacts on confidentiality, integrity, and availability (CVSS 8.8: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), enabling memory corruption that might allow arbitrary code execution, data tampering, or denial of service on the affected system.

Mitigation involves applying the upstream kernel patches referenced in the stable repository, including commits 358cdaa1f7fbf2712cb4c5f6b59cb9a5c673c5fe, 3a852f9d1c981fb14f6bf4e24999e0ea8088a7d7, 4cca3eff2099b18672934a39cee70aed835d652c, 7aec5a769d2356cbf344d85bcfd36de592ac96a5, and 9d7032851d6f5adbe2739601ca456c0ad3b422f0. These patches validate the client-provided OutputBufferLength, calculate the actual free buffer size with smb2_calc_max_out_buf_len(), return -EINVAL when the remaining space is insufficient, and clamp the smbConvertToUTF16() call to the actual filename length, itself bounded by PATH_MAX. Only hosts that actually run the in-kernel ksmbd server (the ksmbd module loaded and a ksmbd service exposed on the SMB port) are affected; user-space Samba does not share this code.
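The following C program is an added example, not ksmbd's code: it models the two handler shapes described above against a constructed compound-request buffer. The struct and helper names, the scaled-down MAX_TRANS_SIZE, PATH_MAX_DEMO and FIXED_INFO_LEN values, and the 30-character filename are all assumptions made for the demo. A canary region sits directly behind the logical response buffer so the pre-fix handler's out-of-bounds write is observable without corrupting anything real, while the post-fix handler computes the true free space from the remaining transaction size and the client's OutputBufferLength and refuses with -EINVAL.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed, scaled-down stand-ins (hypothetical values, not ksmbd's). */
#define MAX_TRANS_SIZE  256   /* logical response buffer, stands in for max_trans_size */
#define PATH_MAX_DEMO   256   /* stands in for PATH_MAX */
#define FIXED_INFO_LEN  24    /* fixed fields ahead of FileName (hypothetical offset) */
/* Canary sized so a single PATH_MAX-bounded overflow stays inside the backing array. */
#define GUARD_SIZE      (2 * PATH_MAX_DEMO + FIXED_INFO_LEN)

struct response {
    uint8_t buf[MAX_TRANS_SIZE + GUARD_SIZE];
    size_t  used;   /* bytes consumed by earlier commands in the compound */
};

/* Toy smbConvertToUTF16(): ASCII -> UTF-16LE, at most maxchars characters. */
static size_t to_utf16le(uint8_t *dst, const char *src, size_t maxchars)
{
    size_t n = 0;
    for (; n < maxchars && src[n] != '\0'; n++) {
        dst[2 * n]     = (uint8_t)src[n];
        dst[2 * n + 1] = 0;
    }
    return n;
}

static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

static void init_response(struct response *r, size_t consumed)
{
    memset(r->buf, 0, MAX_TRANS_SIZE);
    memset(r->buf + MAX_TRANS_SIZE, 0xAA, GUARD_SIZE);
    r->used = consumed;
}

static int guard_intact(const struct response *r)
{
    for (size_t i = 0; i < GUARD_SIZE; i++)
        if (r->buf[MAX_TRANS_SIZE + i] != 0xAA)
            return 0;
    return 1;
}

/* Pre-fix shape: the conversion is bounded only by PATH_MAX, never by free space. */
static int all_info_vulnerable(struct response *r, const char *name)
{
    uint8_t *info = r->buf + r->used;
    memset(info, 0, FIXED_INFO_LEN);
    r->used += FIXED_INFO_LEN + 2 * to_utf16le(info + FIXED_INFO_LEN, name, PATH_MAX_DEMO);
    return 0;
}

/* Post-fix shape: free space is the smaller of the client's OutputBufferLength and
 * what remains of the transaction buffer (the smb2_calc_max_out_buf_len() analogue);
 * the entry is refused with -EINVAL if it cannot fit, and only the real name length,
 * clamped to PATH_MAX, is converted. */
static int all_info_fixed(struct response *r, const char *name, uint32_t out_len)
{
    size_t remaining = MAX_TRANS_SIZE - r->used;
    size_t max_out   = out_len < remaining ? out_len : remaining;
    size_t name_len  = bounded_len(name, PATH_MAX_DEMO);

    if (FIXED_INFO_LEN + 2 * name_len > max_out)
        return -EINVAL;
    uint8_t *info = r->buf + r->used;
    memset(info, 0, FIXED_INFO_LEN);
    r->used += FIXED_INFO_LEN + 2 * to_utf16le(info + FIXED_INFO_LEN, name, name_len);
    return 0;
}

/* Constructed scenario: the first command left 40 bytes; the entry name is 30 chars,
 * so the entry needs 24 + 60 = 84 bytes. */
#define TIGHT_CONSUMED (MAX_TRANS_SIZE - 40)
static const char LONG_NAME[] = "compound_request_filename_30ch";

int vulnerable_overflows(void)             /* 1 if the canary was overwritten */
{
    static struct response r;
    init_response(&r, TIGHT_CONSUMED);
    all_info_vulnerable(&r, LONG_NAME);
    return !guard_intact(&r);
}

int fixed_rejects_tight_buffer(void)       /* expect -EINVAL, canary untouched */
{
    static struct response r;
    init_response(&r, TIGHT_CONSUMED);
    int rc = all_info_fixed(&r, LONG_NAME, 1024);   /* client asks for more than exists */
    return guard_intact(&r) ? rc : 0;
}

int fixed_accepts_when_space(void)         /* expect 24 + 18 = 42 bytes used */
{
    static struct response r;
    init_response(&r, 0);
    return all_info_fixed(&r, "short.txt", 1024) == 0 ? (int)r.used : -1;
}

int main(void)
{
    printf("pre-fix handler corrupted canary: %d\n", vulnerable_overflows());
    printf("fixed handler, tight buffer: %d (EINVAL=%d)\n", fixed_rejects_tight_buffer(), EINVAL);
    printf("fixed handler, entry fits: %d bytes used\n", fixed_accepts_when_space());
    return 0;
}
```

Compile with `cc -std=c99 -Wall ksmbd_demo.c`. The point to take from the model is the order of checks in the fixed handler: free space is derived from both the negotiated transaction size and the client-controlled OutputBufferLength before any byte of the entry is written, so the client can shrink its own response but never extend it past the buffer.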

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix potential OOB in get_file_all_info() for compound requests. When a compound request consists of QUERY_DIRECTORY + QUERY_INFO (FILE_ALL_INFORMATION) and the first command consumes nearly the entire max_trans_size, get_file_all_info() would blindly call smbConvertToUTF16() with PATH_MAX, causing an out-of-bounds write beyond the response buffer. In get_file_all_info(), there was a missing validation check for the client-provided OutputBufferLength before copying the filename into the FileName field of the smb2_file_all_info structure. If the filename length exceeds the available buffer space, it could lead to potential buffer overflows or memory corruption during smbConvertToUTF16 conversion. This is fixed by calculating the actual free buffer size using smb2_calc_max_out_buf_len(), returning -EINVAL if the buffer is insufficient, and updating smbConvertToUTF16 to use the actual filename length (clamped by PATH_MAX) to ensure a safe copy operation.

CWE(s)
None listed

Related Threats

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1210 Exploitation of Remote Services (Lateral Movement)
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Why these techniques?

Vulnerability in remotely accessible ksmbd SMB server enables network exploitation (T1190/T1210) of memory corruption for RCE and kernel-level privilege escalation (T1068) from low-privileged authenticated sessions.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

Affected Assets

Linux kernel (ksmbd SMB server module)
Inferred from the references and description; NVD did not file a CPE for this CVE.

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)
Flaw remediation directly mitigates CVE-2026-31433 by applying the kernel patches that add OutputBufferLength validation and safe filename length clamping in ksmbd's get_file_all_info().

SI-10 Information Input Validation (prevent)
Information input validation enforces checks on the client-provided OutputBufferLength and filename sizes before UTF-16 conversion, preventing the buffer overflow in SMB compound requests.

SI-16 Memory Protection (prevent)
Kernel memory-protection hardening (KASLR and related mitigations) raises the cost of turning the out-of-bounds write in ksmbd into code execution, but it does not remove the bug; user-space ASLR and non-executable stacks do not apply to a write inside the kernel. Patching remains the only complete fix.
