Cyber Resilience

CVE-2026-31613

Severity: High (updated)
Published: 24 April 2026
Modified: 01 June 2026
KEV Added: not listed
Patch: available
CVSS Score v3.1: 8.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H)
EPSS Score: 0.0038 (29.8th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-31613 is a high-severity out-of-bounds read (CWE-125) vulnerability in the Linux kernel (vendor Linux, product Linux Kernel). Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). EPSS ranks it at the 29.8th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-31613 is an out-of-bounds read (CWE-125) in the Linux kernel's SMB client, specifically in the parsing of symlink error responses. When a CREATE operation returns STATUS_STOPPED_ON_SYMLINK, smb2_check_message() returns success without any length validation, so the symlink parsers are the only defense against untrusted server data. symlink_data() can read past the end of the buffer because its loop bound does not ensure that the context header holding ErrorDataLength and ErrorId fits before those fields are read. In addition, smb2_parse_symlink_response() bounds-checks the substitute name against a fixed offset for PathBuffer, while the real offset shifts with each error context present; heap bytes beyond iov_len can therefore be UTF-16-decoded into the symlink target and exposed to userspace via readlink(2). The vulnerability carries a CVSS v3.1 score of 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H).

An attacker who controls an SMB server the client connects to (network attack vector, AV:N) can trigger the flaw by returning a crafted symlink error response with manipulated ErrorDataLength values and error contexts. Exploitation requires user interaction, such as a user accessing the malicious share, which makes the client process the CREATE response. A successful attack yields out-of-bounds heap reads that leak kernel heap data to userspace and can crash the client (denial of service): high confidentiality and availability impact, no integrity impact.

Mitigation is to apply the upstream Linux kernel patches from the referenced stable commits. They make the context-walking loops require the full context header to fit, reject a symlink header that extends past the end of the buffer, and bound the substitute name against the actual position of PathBuffer rather than a fixed offset. Because sub_offs and sub_len are 16-bit fields, the new greater-than comparison cannot overflow the pointer arithmetic. Security practitioners should update affected kernel versions promptly, as the patches address the root parsing deficiencies.

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved:

smb: client: fix OOB reads parsing symlink error response

When a CREATE returns STATUS_STOPPED_ON_SYMLINK, smb2_check_message() returns success without any length validation, leaving the symlink parsers as the only defense against an untrusted server.

symlink_data() walks SMB 3.1.1 error contexts with the loop test "p < end", but reads p->ErrorId at offset 4 and p->ErrorDataLength at offset 0. When the server-controlled ErrorDataLength advances p to within 1-7 bytes of end, the next iteration will read past it. When the matching context is found, sym->SymLinkErrorTag is read at offset 4 from p->ErrorContextData with no check that the symlink header itself fits.

smb2_parse_symlink_response() then bounds-checks the substitute name using SMB2_SYMLINK_STRUCT_SIZE as the offset of PathBuffer from iov_base. That value is computed as sizeof(smb2_err_rsp) + sizeof(smb2_symlink_err_rsp), which is correct only when ErrorContextCount == 0. With at least one error context the symlink data sits 8 bytes deeper, and each skipped non-matching context shifts it further by 8 + ALIGN(ErrorDataLength, 8). The check is too short, allowing the substitute name read to run past iov_len. The out-of-bound heap bytes are UTF-16-decoded into the symlink target and returned to userspace via readlink(2).

Fix this all up by making the loops test require the full context header to fit, rejecting sym if its header runs past end, and bound the substitute name against the actual position of sym->PathBuffer rather than a fixed offset. Because sub_offs and sub_len are 16 bits, the pointer math will not overflow here with the new greater-than.
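The context walk and the PathBuffer bound described in the Deeper analysis and in the commit text above, written out as an added C example (not the kernel's code): the parser applies the three checks the fix introduces, and parse_sample() builds a constructed two-context response to exercise them. Assumed: the MS-SMB2 field layout noted in the comments, and the names CTX_HDR_LEN, SYMLINK_HDR_LEN, parse_symlink_error_contexts and parse_sample, which are this example's own.

```c
#include <stdint.h>
#include <string.h>
/* Assumed MS-SMB2 layout (added example, not kernel code): an error context is ErrorDataLength(4)
 * ErrorId(4) then data padded to 8; the symlink payload is a 28-byte header (SymLinkErrorTag at +4,
 * SubstituteNameOffset at +16, SubstituteNameLength at +18) followed by PathBuffer. */
#define CTX_HDR_LEN 8u
#define SYMLINK_HDR_LEN 28u
#define SYMLINK_ERROR_TAG 0x4C4D5953u /* "SYML", the kernel's tag value */
#define SMB2_ERROR_ID_DEFAULT 0u
#define ALIGN8(x) (((x) + 7u) & ~(size_t)7u)
static uint32_t le32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }
static void put32(uint8_t *b, uint32_t v) { for (int i = 0; i < 4; i++) b[i] = (uint8_t)(v >> 8 * i); }

/* Walk the error contexts in buf[0..len) and locate the symlink substitute name. Returns 0 and sets
 * *name_off/*name_len (offsets into buf), or -1 for malformed data. Each check mirrors the upstream fix. */
int parse_symlink_error_contexts(const uint8_t *buf, size_t len, size_t *name_off, size_t *name_len)
{
    size_t p = 0, data, data_len;
    for (; p + CTX_HDR_LEN <= len; p = data + ALIGN8(data_len)) { /* the bug tested only "p < end" */
        data_len = le32(buf + p); data = p + CTX_HDR_LEN;          /* length is server-controlled */
        if (data_len > len - data)
            return -1;                                             /* context body runs past end */
        if (le32(buf + p + 4) != SMB2_ERROR_ID_DEFAULT)
            continue;                                              /* skip a non-matching context */
        if (data_len < SYMLINK_HDR_LEN || le32(buf + data + 4) != SYMLINK_ERROR_TAG)
            return -1;                                             /* symlink header must fit and carry the tag */
        size_t path_buffer = data + SYMLINK_HDR_LEN;  /* real PathBuffer position: moves 8 + ALIGN(len, 8) per skipped context */
        size_t sub_off = le32(buf + data + 16) & 0xffff, sub_len = le32(buf + data + 16) >> 16;
        if (sub_off + sub_len > len - path_buffer)                 /* bound against the real position, not a fixed offset */
            return -1;
        *name_off = path_buffer + sub_off; *name_len = sub_len;
        return 0;
    }
    return -1;                                                     /* no symlink context found */
}

/* Constructed sample: a skipped context (id 1, 4 data bytes padded to 8), then the symlink context whose
 * PathBuffer holds UTF-16LE "ab". sub_len_field is written verbatim (it may lie); nonzero trunc shortens the buffer. */
int parse_sample(uint16_t sub_len_field, size_t trunc, size_t *name_off, size_t *name_len)
{
    uint8_t buf[64] = {0}, *c = buf + CTX_HDR_LEN + ALIGN8(4);   /* symlink context starts at +16 */
    put32(buf, 4); put32(buf + 4, 1);                             /* context #1: length 4, id 1 */
    put32(c, SYMLINK_HDR_LEN + 4); put32(c + 4, SMB2_ERROR_ID_DEFAULT);
    put32(c + CTX_HDR_LEN + 4, SYMLINK_ERROR_TAG);
    put32(c + CTX_HDR_LEN + 16, (uint32_t)sub_len_field << 16);   /* SubstituteNameOffset 0, Length */
    memcpy(c + CTX_HDR_LEN + SYMLINK_HDR_LEN, "a\0b\0", 4);
    size_t len = (size_t)(c - buf) + CTX_HDR_LEN + SYMLINK_HDR_LEN + 4;  /* 56 bytes in total */
    return parse_symlink_error_contexts(buf, trunc ? trunc : len, name_off, name_len);
}
```

With the sample, a truthful name length is accepted at offset 52, while a name length that overruns the 4 bytes present, a buffer cut 3 bytes into the second context header, and a buffer too short for the declared context body are all rejected, the three situations the bug mishandled.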

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.
T1204.001 Malicious Link (tactic: Execution)
An adversary may rely upon a user clicking a malicious link in order to gain execution.
Why these techniques?

The CVE describes a client-side OOB read in the SMB implementation, which directly enables T1203 (Exploitation for Client Execution) via malicious server responses. It requires user interaction to access an attacker-controlled share, mapping to T1204.001 (Malicious Link), for example a UNC path that triggers an SMB CREATE operation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

Same product (Linux Linux Kernel): CVE-2026-31435, CVE-2026-31570, CVE-2025-21742, CVE-2026-23187, CVE-2025-71093, CVE-2025-71231, CVE-2026-31449, CVE-2024-57982, CVE-2022-49623, CVE-2026-23099

Affected Assets

Vendor: linux
Product: linux kernel
Affected versions: 6.1 to 6.18.24, 6.19 to 6.19.14, 7.0 to 7.0.1

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

SI-2 Flaw Remediation (prevent): ensures timely patching of the out-of-bounds read flaw in the Linux kernel SMB client's parsing of symlink error responses.

SI-10 Information Input Validation (prevent): enforces rigorous input validation on untrusted SMB server responses to prevent buffer overruns during symlink error context parsing.

SI-11 Error Handling (prevent): mandates proper error handling to reject malformed symlink headers and lengths that could lead to out-of-bounds heap reads.
