CVE-2026-31614
Published: 24 April 2026
Summary
CVE-2026-31614 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in the Linux kernel's SMB client. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005). Its exploit-likelihood ranking sits at the 2.4th percentile (well below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-2 (Flaw Remediation): update the kernel to a build that carries the upstream fix for the off-by-8 bounds check in the SMB client's check_wsl_eas() function.
SI-10 (Information Input Validation): the fix is itself input validation; extended-attribute names and values received from an SMB server are untrusted and must be bounds-checked against the actual response length before they are read.
SI-16 (Memory Protection): heap isolation and randomization do not prevent the over-read and do not stop the leak; they only limit what an attacker can do with the up to 8 bytes that escape, so treat them as defense in depth, not a substitute for the patch.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The out-of-bounds read in the SMB client's EA parsing exposes up to 8 bytes of kernel heap (T1005). The channel is narrow: the bytes are consumed by the kernel's own strncmp() against the WSL attribute names, so a malicious server learns about them only indirectly, through which attribute (if any) the entry ends up being treated as. T1068 is listed because kernel heap disclosures are a common building block of privilege-escalation chains (leaked pointers defeat KASLR); this CVE alone does not provide such a chain.
NVD Description
In the Linux kernel, the following vulnerability has been resolved:
smb: client: fix off-by-8 bounds check in check_wsl_eas()
The bounds check uses (u8 *)ea + nlen + 1 + vlen as the end of the EA name and value, but ea_data sits at offset sizeof(struct smb2_file_full_ea_info) = 8 from ea, not at offset 0. The strncmp() later reads ea->ea_data[0..nlen-1] and the value bytes follow at ea_data[nlen+1..nlen+vlen], so the actual end is ea->ea_data + nlen + 1 + vlen. Isn't pointer math fun? The earlier check (u8 *)ea > end - sizeof(*ea) only guarantees the 8-byte header is in bounds, but since the last EA is placed within 8 bytes of the end of the response, the name and value bytes are read past the end of iov. Fix this mess all up by using ea->ea_data as the base for the bounds check. An "untrusted" server can use this to leak up to 8 bytes of kernel heap into the EA name comparison and influence which WSL xattr the data is interpreted as.
Deeper analysis
CVE-2026-31614 is a bounds-check error in the Linux kernel's SMB client: an off-by-8 in check_wsl_eas(), the routine that parses the WSL-style extended attributes (the EAs Windows uses to carry Linux ownership, mode and device metadata) returned in SMB2 query responses. Each EA on the wire is a struct smb2_file_full_ea_info: an 8-byte header (next_entry_offset, flags, ea_name_length, ea_value_length) followed by ea_data, which holds the NUL-terminated name and then the value bytes. The vulnerable check computed the end of an entry as (u8 *)ea + nlen + 1 + vlen, measuring from the start of the header rather than from ea->ea_data, so it was short by sizeof(struct smb2_file_full_ea_info) = 8 bytes. The preceding check only guarantees that the 8-byte header lies inside the response, so a server that places the last EA within 8 bytes of the end of the response gets the kernel to read the name and value past the end of the iov (CWE-125, out-of-bounds read). The page lists no fixed version numbers; affected kernels are those that have not received the upstream fix or its stable backports.
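The following C program is an added illustration of the commit message and the analysis above; it is not kernel code. It mirrors the 8-byte header layout of struct smb2_file_full_ea_info under the name ea_hdr, implements the vulnerable bound and the fixed bound side by side as offset arithmetic, and feeds both a constructed response in which the last entry is cut 8 bytes short. The attribute names "$LXUID" and "$LXGID", the values, and the 8-byte truncation are all constructed for the example (the names are an assumption about how WSL attributes are spelled); byte order is host order rather than the little-endian wire order.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Same field layout as the kernel's struct smb2_file_full_ea_info: an 8-byte
 * header, then ea_data = NUL-terminated name followed by ea_value_length
 * value bytes. Fields are written and read in host byte order here; the real
 * structure is little-endian on the wire. */
struct ea_hdr {
    uint32_t next_entry_offset;
    uint8_t  flags;
    uint8_t  ea_name_length;
    uint16_t ea_value_length;
} __attribute__((packed));

#define EA_HDR_LEN sizeof(struct ea_hdr)

/* Copies the header at buf[off] out if the header itself fits (this is the
 * kernel's earlier "(u8 *)ea > end - sizeof(*ea)" check); false otherwise. */
static bool read_hdr(const uint8_t *buf, size_t len, size_t off, struct ea_hdr *h)
{
    if (off > len || len - off < EA_HDR_LEN)
        return false;
    memcpy(h, buf + off, EA_HDR_LEN); /* memcpy: the header may be unaligned */
    return true;
}

/* The vulnerable check: the end of the entry is computed from the start of
 * the header, (u8 *)ea + nlen + 1 + vlen, so it is short by EA_HDR_LEN (8)
 * bytes. Offsets are used instead of pointers so the arithmetic stays
 * defined even when the entry overruns the buffer. */
static bool ea_fits_buggy(const uint8_t *buf, size_t len, size_t off)
{
    struct ea_hdr h;
    if (!read_hdr(buf, len, off, &h))
        return false;
    return off + h.ea_name_length + 1 + h.ea_value_length <= len;
}

/* The fixed check: measured from ea->ea_data, i.e. after the header. */
static bool ea_fits_fixed(const uint8_t *buf, size_t len, size_t off)
{
    struct ea_hdr h;
    if (!read_hdr(buf, len, off, &h))
        return false;
    return off + EA_HDR_LEN + h.ea_name_length + 1 + h.ea_value_length <= len;
}

/* Bytes past the end of the response that name/value parsing would touch
 * for an entry the buggy check lets through (0 if it stays in bounds). */
static size_t buggy_overread(const uint8_t *buf, size_t len, size_t off)
{
    struct ea_hdr h;
    if (!ea_fits_buggy(buf, len, off) || !read_hdr(buf, len, off, &h))
        return 0;
    size_t end = off + EA_HDR_LEN + h.ea_name_length + 1 + h.ea_value_length;
    return end > len ? end - len : 0;
}

/* Walks the chain via next_entry_offset as the kernel loop does and returns
 * how many entries the supplied check accepts, stopping at the first reject. */
static int count_accepted(const uint8_t *buf, size_t len,
                          bool (*fits)(const uint8_t *, size_t, size_t))
{
    int n = 0;
    size_t off = 0;
    for (;;) {
        struct ea_hdr h;
        if (!fits(buf, len, off) || !read_hdr(buf, len, off, &h))
            return n;
        n++;
        if (h.next_entry_offset == 0)
            return n;
        off += h.next_entry_offset;
    }
}

/* Serializes one entry (header + name + NUL + 4-byte value) at dst. */
static size_t put_ea(uint8_t *dst, const char *name, uint32_t value, uint32_t next)
{
    size_t nlen = strlen(name);
    struct ea_hdr h = { next, 0, (uint8_t)nlen, (uint16_t)sizeof value };
    memcpy(dst, &h, EA_HDR_LEN);
    memcpy(dst + EA_HDR_LEN, name, nlen + 1);
    memcpy(dst + EA_HDR_LEN + nlen + 1, &value, sizeof value);
    return EA_HDR_LEN + nlen + 1 + sizeof value;
}

/* Constructed sample response (not a capture): two 19-byte entries, 38 bytes
 * in all. The returned length is what a malicious server would send if it cut
 * the response 8 bytes short: the second header still fits, the buggy check
 * passes, and parsing reads 8 bytes past the end of the buffer. */
static uint8_t resp[64];

static size_t build_truncated_response(void)
{
    size_t first = put_ea(resp, "$LXUID", 1000, 0);
    uint32_t next = (uint32_t)first;
    memcpy(resp, &next, sizeof next);          /* chain entry 1 -> entry 2 */
    size_t second = put_ea(resp + first, "$LXGID", 1000, 0);
    return first + second - 8;                 /* 38 - 8 = 30 */
}

int main(void)
{
    size_t len = build_truncated_response();
    printf("response length %zu\n", len);
    printf("buggy check accepts %d entries, over-reads %zu bytes\n",
           count_accepted(resp, len, ea_fits_buggy), buggy_overread(resp, len, 19));
    printf("fixed check accepts %d entries\n", count_accepted(resp, len, ea_fits_fixed));
    return 0;
}
```

With the 30-byte response the buggy bound accepts both entries and would read 8 bytes beyond the buffer for the second one, while the fixed bound rejects it; hand the full 38 bytes to the fixed check and both entries pass, which is the behaviour the patch preserves for well-formed responses.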
Exploitation needs a malicious or compromised SMB server and a vulnerable client that talks to it: a local, low-privileged user (PR:L) who accesses a share served by that server triggers the over-read with no further interaction (AC:L, UI:N). The server controls the name and value lengths in the response, so it can make the kernel treat up to 8 bytes of heap memory beyond the response buffer as part of the EA name during strncmp(), and thereby steer which WSL attribute the entry is interpreted as. Those bytes are consumed by the kernel's own comparison and value parsing rather than sent back to the server, which is why the commit describes the effect as a leak into the name comparison. The CVSS v3.1 vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H rates confidentiality high for the heap disclosure and availability high because a read past the end of the buffer can fault; integrity is rated none, so the attribute-steering effect was not scored as an integrity impact.
Mitigation is to update to a kernel that contains the fix; the upstream stable commits are 3d8b9d06bd3ac4c6846f5498800b0f5f8062e53b, 5cc0574c84aa73946ade587c41e81757b8b01cb5, a893f1757d9a4009e4a8d7ceb2312142fe29cea4, b2b76d09a64c538c57006180103fc1841e8cfa66, and ba3ad159aa61810bbe0acaf39578b1ebfb6f1a18. They use ea->ea_data as the base of the bounds check, so the name, its NUL terminator and the value must all lie inside the response. Only the SMB client path is affected: a host that never mounts SMB/CIFS shares (no cifs mounts, cifs module not loaded) is not exposed, while hosts that mount shares from servers outside their trust boundary should get the update first.
Details
- CWE(s)