CVE-2026-31612
Published: 24 April 2026
Summary
CVE-2026-31612 is a high-severity vulnerability (weakness type unspecified) in the Linux kernel. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 14.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Requires timely identification, reporting, and patching of kernel flaws like CVE-2026-31612, directly mitigating the vulnerability through available stable kernel patches.
Mandates validation of client-provided input lengths such as EaNameLength against actual buffer and request sizes in ksmbd's smb2_get_ea() to prevent uninitialized heap leakage via strncmp().
Prohibits or restricts unnecessary kernel modules like ksmbd, eliminating network exposure to the vulnerable SMB server for unauthenticated attackers.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
An unauthenticated remote attacker can send crafted SMB2 requests to the kernel ksmbd service to leak uninitialized heap memory, which is exploitation of a public-facing network service for sensitive data disclosure.
NVD Description
In the Linux kernel, the following vulnerability has been resolved: ksmbd: validate EaNameLength in smb2_get_ea() smb2_get_ea() reads ea_req->EaNameLength from the client request and passes it directly to strncmp() as the comparison length without verifying that the length of the name really is the size of the input buffer received. Fix this up by properly checking the size of the name based on the value received and the overall size of the request, to prevent a later strncmp() call to use the length as a "trusted" size of the buffer. Without this check, uninitialized heap values might be slowly leaked to the client.
Deeper analysis
CVE-2026-31612 affects the Linux kernel's ksmbd module, which implements the SMB server protocol in the kernel. The vulnerability resides in the smb2_get_ea() function, where the EaNameLength value from a client request is read and passed directly to strncmp() as the comparison length without validation against the actual size of the input buffer or the overall request size. Because strncmp() can read beyond the bytes the client actually sent, the comparison result can reveal uninitialized heap memory to the client.
An unauthenticated attacker with network access to a vulnerable ksmbd instance can exploit this by sending a crafted SMB2 Get Extended Attributes (EA) request. Successful exploitation allows the attacker to read uninitialized heap values from the kernel, potentially disclosing sensitive information, as indicated by the CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
Mitigation requires updating to a patched Linux kernel version. The fix validates EaNameLength against the buffer size and request length before using it in strncmp(), preventing the trusted use of potentially invalid lengths. Relevant stable kernel patches are available at https://git.kernel.org/stable/c/243b206bcb5a7137e8bddd57b2eec81e1ebd3859, https://git.kernel.org/stable/c/3363a770b193f555f29d76ddf4ced3305c0ccf6d, https://git.kernel.org/stable/c/4b73376feecb3b61172fe5b4ff42bbbb8531669d, https://git.kernel.org/stable/c/551dfb15b182abad4600eaf7b37e6eb7000d5b1b, and https://git.kernel.org/stable/c/66751841212c2cc196577453c37f7774ff363f02.
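As an added illustration (not the kernel's own code, which is in the patches linked above), the following C model places the unchecked-length pattern beside a bounds-checked form. The one-byte length prefix, the struct and all function names are assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Assumed, simplified request body: one length byte followed by the EA
 * name. Illustrative layout only, not ksmbd's real structure. */
struct ea_req_view {
    const uint8_t *buf;   /* client-controlled request bytes */
    size_t len;           /* bytes actually received */
};
/* Vulnerable pattern: the client-supplied length goes straight to strncmp().
 * If name_len exceeds the received bytes, strncmp() reads past the request
 * into adjacent heap memory and its result leaks information about it. */
int ea_name_cmp_unchecked(const struct ea_req_view *r, const char *attr)
{
    uint8_t name_len = r->buf[0];
    return strncmp((const char *)r->buf + 1, attr, name_len);
}
/* Hardened: accept the claimed length only if that many name bytes were
 * actually received after the length byte. */
bool ea_name_len_valid(const struct ea_req_view *r, size_t *out_len)
{
    if (r->len < 1)
        return false;          /* not even a length byte */
    size_t name_len = r->buf[0];
    if (name_len == 0 || name_len > r->len - 1)
        return false;          /* empty, or claims bytes that were never sent */
    *out_len = name_len;
    return true;
}
/* 1 = match, 0 = no match, -1 = malformed (rejected before any comparison).
 * Length equality plus memcmp() avoids both the over-read and the prefix
 * false positives that strncmp() with a client-chosen length allows. */
int ea_name_cmp_checked(const struct ea_req_view *r, const char *attr)
{
    size_t name_len;
    if (!ea_name_len_valid(r, &name_len))
        return -1;
    if (strlen(attr) != name_len)
        return 0;
    return memcmp(r->buf + 1, attr, name_len) == 0 ? 1 : 0;
}
/* Constructed sample requests (not real captures). */
static const uint8_t good_req[] = { 8, 'u','s','e','r','.','f','o','o' };
static const uint8_t bad_req[]  = { 200, 'u','s','e','r' }; /* claims 200, sends 4 */
int check_good(void)     { struct ea_req_view r = { good_req, sizeof good_req }; return ea_name_cmp_checked(&r, "user.foo"); }
int check_mismatch(void) { struct ea_req_view r = { good_req, sizeof good_req }; return ea_name_cmp_checked(&r, "user.bar"); }
int check_bad(void)      { struct ea_req_view r = { bad_req, sizeof bad_req };   return ea_name_cmp_checked(&r, "user.foo"); }
```

The over-long request is rejected before any byte is compared, which is the property the kernel fix restores; the unchecked variant is shown only to make the missing check visible.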
Details
- CWE(s)