CVE-2026-31613
Published: 24 April 2026
Summary
CVE-2026-31613 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in the Linux kernel. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 16.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-2 ensures timely patching of the out-of-bounds read flaw in the Linux kernel SMB client parsing symlink error responses.
SI-10 enforces rigorous input validation on untrusted SMB server responses to prevent buffer overruns during symlink error context parsing.
SI-11 mandates proper error handling to reject malformed symlink headers and lengths that could lead to out-of-bounds heap reads.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes a client-side OOB read in the SMB implementation, directly enabling T1203 (Exploitation for Client Execution) via malicious server responses. Exploitation requires user interaction to access an attacker-controlled share, mapping to T1204.001 (Malicious Link), e.g. UNC paths that trigger SMB CREATE operations.
NVD Description
In the Linux kernel, the following vulnerability has been resolved: smb: client: fix OOB reads parsing symlink error response. When a CREATE returns STATUS_STOPPED_ON_SYMLINK, smb2_check_message() returns success without any length validation, leaving the symlink parsers as the only defense against an untrusted server. symlink_data() walks SMB 3.1.1 error contexts with the loop test "p < end", but reads p->ErrorId at offset 4 and p->ErrorDataLength at offset 0. When the server-controlled ErrorDataLength advances p to within 1-7 bytes of end, the next iteration will read past it. When the matching context is found, sym->SymLinkErrorTag is read at offset 4 from p->ErrorContextData with no check that the symlink header itself fits. smb2_parse_symlink_response() then bounds-checks the substitute name using SMB2_SYMLINK_STRUCT_SIZE as the offset of PathBuffer from iov_base. That value is computed as sizeof(smb2_err_rsp) + sizeof(smb2_symlink_err_rsp), which is correct only when ErrorContextCount == 0. With at least one error context the symlink data sits 8 bytes deeper, and each skipped non-matching context shifts it further by 8 + ALIGN(ErrorDataLength, 8). The check is too short, allowing the substitute name read to run past iov_len. The out-of-bound heap bytes are UTF-16-decoded into the symlink target and returned to userspace via readlink(2). Fix this all up by making the loop tests require the full context header to fit, rejecting sym if its header runs past end, and bound the substitute name against the actual position of sym->PathBuffer rather than a fixed offset. Because sub_offs and sub_len are 16 bits, the pointer math will not overflow here with the new greater-than.
Deeper analysis
CVE-2026-31613 is an out-of-bounds read vulnerability (CWE-125) in the Linux kernel's SMB client implementation, specifically during parsing of symlink error responses. When a CREATE operation returns STATUS_STOPPED_ON_SYMLINK, the smb2_check_message() function returns success without length validation, relying solely on symlink parsers to handle untrusted server data. Flaws in symlink_data() allow reading past the buffer end due to improper loop bounds checking ErrorId and ErrorDataLength fields. Additionally, smb2_parse_symlink_response() uses an incorrect fixed offset for the substitute name bounds check, which shifts with error contexts, enabling heap bytes beyond iov_len to be UTF-16-decoded into the symlink target and exposed to userspace via readlink(2). The vulnerability carries a CVSS v3.1 score of 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H).
A network-adjacent attacker controlling an SMB server can exploit this by crafting a malicious symlink error response with manipulated ErrorDataLength and error contexts. Exploitation requires user interaction, such as a user accessing the malicious SMB share, triggering the client to process the CREATE response. Successful exploitation results in out-of-bounds heap reads, leaking sensitive kernel heap data to userspace and potentially causing denial of service through crashes, with high confidentiality and availability impacts but no integrity compromise.
Mitigation involves applying the upstream Linux kernel patches from the referenced stable commits, which require the full context header to fit on every loop iteration, reject symlink headers that extend past the buffer end, and bound the substitute name read against the actual PathBuffer position rather than a fixed offset. Because sub_offs and sub_len are 16-bit fields, the pointer arithmetic in the new greater-than check cannot overflow. Security practitioners should update affected kernel versions promptly, as the patches address the root parsing deficiencies.
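As an added illustration of the corrected parsing logic described in the NVD text and the analysis above (this is not the kernel's code nor anything from this page), the following simplified C model walks SMB 3.1.1 error contexts the way the fix requires: the loop test demands the full 8-byte context header, the symlink header is rejected if it runs past the end, and the substitute name is bounded against the actual PathBuffer position rather than a fixed struct size. The layout constants, the ErrorId 0 match for the symlink context, the extra data-length check and the constructed demo() buffer are assumptions of this example.

```c
#include <stdint.h>
#include <stddef.h>
/* Educational model of the fixed error-context walk; not the kernel's code.
 * Assumed layout (from MS-SMB2): each context is an 8-byte header
 * (ErrorDataLength, ErrorId) plus data; symlink error data has 28 bytes of
 * fields (tag at +4, SubstituteNameOffset/Length at +16/+18) before PathBuffer. */
#define CTX_HDR  8u
#define SYM_HDR  28u
#define SYML_TAG 0x4C4D5953u
#define ALIGN8(x) (((size_t)(x) + 7u) & ~(size_t)7u)
static uint32_t rd(const uint8_t *p, int n) /* little-endian read of n bytes */
{ uint32_t v = 0; while (n--) v = v << 8 | p[n]; return v; }
static void wr(uint8_t *p, uint32_t v, int n) /* little-endian write of n bytes */
{ for (int i = 0; i < n; i++) p[i] = (uint8_t)(v >> 8 * i); }

/* buf/len model iov_base/iov_len; `count` contexts start at ctx_off. Returns the
 * substitute-name length (offset via *name_off if non-NULL) or a negative code. */
int parse_symlink_substitute(const uint8_t *buf, size_t len, size_t ctx_off, unsigned count, size_t *name_off)
{
    size_t p = ctx_off;
    for (unsigned i = 0; i < count; i++) {
        /* Fixed loop test: the whole header must fit, not merely p < end. */
        if (p > len || len - p < CTX_HDR) return -1;
        uint32_t dlen = rd(buf + p, 4), id = rd(buf + p + 4, 4);
        size_t sym = p + CTX_HDR;
        if (dlen > len - sym) return -2;        /* context data must fit (assumed extra check) */
        if (id == 0) {                          /* assumed: ErrorId 0 carries the symlink data */
            if (dlen < SYM_HDR || rd(buf + sym + 4, 4) != SYML_TAG) return -3; /* header must fit */
            size_t path = sym + SYM_HDR;        /* actual PathBuffer position */
            size_t sub_off = rd(buf + sym + 16, 2), sub_len = rd(buf + sym + 18, 2);
            /* Bound against the real PathBuffer, not a fixed struct size. */
            if (sub_off + sub_len > len - path) return -4;
            if (name_off) *name_off = path + sub_off;
            return (int)sub_len;
        }
        p = sym + ALIGN8(dlen);                 /* skip a non-matching context */
    }
    return -5;
}

/* Constructed sample: a 4-byte non-matching context (ErrorId 1), then the symlink
 * context whose PathBuffer holds UTF-16LE "a" (54 bytes total). The parser sees
 * only `len` bytes and the server-claimed SubstituteNameLength `sub_len`. */
int demo(size_t len, uint16_t sub_len)
{
    uint8_t b[64] = {0};
    wr(b, 4, 4); wr(b + 4, 1, 4);               /* ctx 0 header; next ctx at 16 */
    wr(b + 16, 30, 4); wr(b + 20, 0, 4);        /* ctx 1 header; sym at 24 */
    wr(b + 28, SYML_TAG, 4); wr(b + 42, sub_len, 2);
    b[52] = 'a';                                /* PathBuffer at 24 + 28 = 52 */
    return parse_symlink_substitute(b, len < 54 ? len : 54, 0, 2, NULL);
}
```

demo(20, 2) reproduces the "header within 1-7 bytes of end" case the commit describes and is rejected by the loop test; demo(54, 4) is a substitute name that overruns iov_len and is rejected by the PathBuffer-relative bound.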
Details
- CWE(s)