Cyber Resilience

CVE-2026-31612

High · Updated

Published: 24 April 2026

Modified: 01 June 2026
KEV Added
Patch
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0005 (16.3rd percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-31612 is a high-severity vulnerability in the Linux kernel; its weakness class is unspecified. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS score ranks it at the 16.3rd percentile for exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-31612 affects the Linux kernel's ksmbd module, which implements the SMB server protocol. The vulnerability resides in the smb2_get_ea() function, where the EaNameLength value from a client request is read and passed directly to strncmp() as the comparison length without validation against the actual size of the input buffer or the overall request size. This flaw can result in the leakage of uninitialized heap memory to the client during the comparison.

An unauthenticated attacker with network access to a vulnerable ksmbd instance can exploit this by sending a crafted SMB2 Get Extended Attributes (EA) request. Successful exploitation allows the attacker to read uninitialized heap values from the kernel, potentially disclosing sensitive information, as indicated by the CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

Mitigation requires updating to a patched Linux kernel version. The fix validates EaNameLength against the buffer size and request length before using it in strncmp(), preventing the trusted use of potentially invalid lengths. Relevant stable kernel patches are available at https://git.kernel.org/stable/c/243b206bcb5a7137e8bddd57b2eec81e1ebd3859, https://git.kernel.org/stable/c/3363a770b193f555f29d76ddf4ced3305c0ccf6d, https://git.kernel.org/stable/c/4b73376feecb3b61172fe5b4ff42bbbb8531669d, https://git.kernel.org/stable/c/551dfb15b182abad4600eaf7b37e6eb7000d5b1b, and https://git.kernel.org/stable/c/66751841212c2cc196577453c37f7774ff363f02.
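The length check described above, as an added example that is not ksmbd's code or the upstream patch: a client-declared name length is compared with the number of bytes actually received before it bounds any comparison. The 5-byte entry layout, the function names and the sample buffer are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed, simplified entry layout: 4-byte NextEntryOffset, 1-byte
 * EaNameLength, then the name bytes. Not the kernel's own definition. */
#define EA_HDR_LEN 5u

/* "Before" shape: the client-declared length bounds strncmp() without
 * being compared to the number of bytes actually received. */
static int ea_match_unchecked(const uint8_t *req, const char *attr)
{
    uint8_t name_len = req[4];                 /* client-controlled */
    return strncmp((const char *)req + EA_HDR_LEN, attr, name_len) == 0;
}

/* Hardened shape: 1 = match, 0 = no match, -1 = malformed request. */
static int ea_match_checked(const uint8_t *req, size_t req_len,
                            const char *attr)
{
    if (req_len < EA_HDR_LEN)
        return -1;                             /* header truncated */
    uint8_t name_len = req[4];
    if (name_len > req_len - EA_HDR_LEN)
        return -1;                             /* name overruns request */
    if (strlen(attr) != name_len)
        return 0;
    return memcmp(req + EA_HDR_LEN, attr, name_len) == 0;
}

/* Constructed sample: a 16-byte buffer holding a header and "abc", with
 * stale 'S' bytes after them; req_len is how many bytes were really sent. */
static int demo(const char *attr, uint8_t declared, size_t req_len, int checked)
{
    uint8_t buf[16];
    memset(buf, 'S', sizeof buf);              /* stale contents */
    memset(buf, 0, 4);                         /* NextEntryOffset = 0 */
    buf[4] = declared;
    memcpy(buf + EA_HDR_LEN, "abc", 3);        /* bytes really received */
    return checked ? ea_match_checked(buf, req_len, attr)
                   : ea_match_unchecked(buf, attr);
}

int main(void)
{
    printf("unchecked, declared 5 of 3: %d\n", demo("abcSS", 5, 8, 0));
    printf("checked,   declared 5 of 3: %d\n", demo("abcSS", 5, 8, 1));
    return 0;
}
```

In the unchecked form the comparison result depends on bytes the client never sent, which is why the fix rejects the request before the comparison runs.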

EU & UK References

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: validate EaNameLength in smb2_get_ea()

smb2_get_ea() reads ea_req->EaNameLength from the client request and passes it directly to strncmp() as the comparison length without verifying that the length of the name really is the size of the input buffer received.

Fix this up by properly checking the size of the name based on the value received and the overall size of the request, to prevent a later strncmp() call to use the length as a "trusted" size of the buffer. Without this check, uninitialized heap values might be slowly leaked to the client.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Tactic: Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

An unauthenticated remote attacker can send crafted SMB2 requests to the kernel ksmbd service to leak uninitialized heap memory, directly enabling exploitation of a public-facing network service for sensitive data disclosure.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-31649 · Same product: Linux Linux Kernel
CVE-2026-31668 · Same product: Linux Linux Kernel
CVE-2026-23455 · Same product: Linux Linux Kernel
CVE-2026-43186 · Same product: Linux Linux Kernel
CVE-2026-22984 · Same product: Linux Linux Kernel
CVE-2026-31414 · Same product: Linux Linux Kernel
CVE-2026-43037 · Same product: Linux Linux Kernel
CVE-2026-43055 · Same product: Linux Linux Kernel
CVE-2026-31718 · Same product: Linux Linux Kernel
CVE-2026-31478 · Same product: Linux Linux Kernel

Affected Assets

linux
linux kernel
5.15 — 6.6.136 · 6.7 — 6.12.83 · 6.13 — 6.18.24

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires timely identification, reporting, and patching of kernel flaws like CVE-2026-31612, directly mitigating the vulnerability through available stable kernel patches.

prevent

Mandates validation of client-provided input lengths such as EaNameLength against actual buffer and request sizes in ksmbd's smb2_get_ea() to prevent uninitialized heap leakage via strncmp().

prevent

Prohibits or restricts unnecessary kernel modules like ksmbd, eliminating network exposure to the vulnerable SMB server for unauthenticated attackers.

References