Cyber Posture

CVE-2026-31705

Critical

Published: 01 May 2026
Modified: 06 May 2026
KEV Added: not listed
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0006 (18.8th percentile)
Risk Priority: 20 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-31705 is a critical-severity Out-of-bounds Write (CWE-787) vulnerability in ksmbd, the in-kernel SMB server of the Linux kernel. Its CVSS 3.1 base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS score places it at the 18.8th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog. Note that EPSS estimates the probability of exploitation in the wild over the next 30 days; a low figure does not lower the severity for hosts that expose ksmbd to untrusted networks.

The mitigations our analysis rates strongest are NIST 800-53 SI-2 (Flaw Remediation) and CM-7 (Least Functionality).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and Exploitation for Privilege Escalation (T1068). What defenders deploy: the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)

Mandates timely remediation of the out-of-bounds write in ksmbd's smb2_get_ea() by applying the kernel patches that add a bounds check before the alignment memset.

SI-16 Memory Protection (prevent)

Deploys kernel memory protections such as ASLR and non-executable memory to raise the cost of turning the heap corruption caused by the unconditional memset into code execution. These protections do not stop the out-of-bounds write itself or the kernel crashes it can cause; treat them as defence in depth behind the patch, not as a substitute for it.

CM-7 Least Functionality (prevent)

Restricts the system to least functionality by not loading the ksmbd module where it is not needed, which removes the exposure to crafted SMB2 compound requests that trigger the EA alignment write. Only hosts with the in-kernel SMB server (CONFIG_SMB_SERVER, module ksmbd) loaded and reachable on TCP port 445 are exposed; "lsmod | grep ksmbd" shows whether the module is loaded, and an "install ksmbd /bin/false" line in a file under /etc/modprobe.d/ prevents it from being loaded on hosts where it is unwanted. The userspace Samba server is a separate implementation and is not affected by this flaw.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (tactic: Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

Why these techniques?

The out-of-bounds write sits in a network-exposed ksmbd SMB service and is reachable by a remote, unauthenticated client (T1190). What it yields is kernel heap corruption; with suitable heap grooming that corruption can be turned into kernel code execution, which is a privilege escalation to the kernel (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix out-of-bounds write in smb2_get_ea() EA alignment smb2_get_ea() applies 4-byte alignment padding via memset() after writing each EA entry. The bounds check on buf_free_len is performed before the value memcpy, but the alignment memset fires unconditionally afterward with no check on remaining space. When the EA value exactly fills the remaining buffer (buf_free_len == 0 after value subtraction), the alignment memset writes 1-3 NUL bytes past the buf_free_len boundary. In compound requests where the response buffer is shared across commands, the first command (e.g., READ) can consume most of the buffer, leaving a tight remainder for the QUERY_INFO EA response. The alignment memset then overwrites past the physical kvmalloc allocation into adjacent kernel heap memory. Add a bounds check before the alignment memset to ensure buf_free_len can accommodate the padding bytes. This is the same bug pattern fixed by commit beef2634f81f ("ksmbd: fix potencial OOB in get_file_all_info() for compound requests") and commit fda9522ed6af ("ksmbd: fix OOB write in QUERY_INFO for compound requests"), both of which added bounds checks before unconditional writes in QUERY_INFO response handlers.

Deeper analysis

CVE-2026-31705 is an out-of-bounds write vulnerability in the Linux kernel's ksmbd module, which implements an SMB server. The issue resides in the smb2_get_ea() function, where 4-byte alignment padding is applied via memset() after writing each extended attribute (EA) entry. A bounds check occurs before copying the EA value, but the subsequent alignment memset executes unconditionally without verifying remaining buffer space (buf_free_len). If the EA value exactly fills the buffer, the memset writes 1-3 NUL bytes beyond the allocation boundary, potentially into adjacent kernel heap memory. This flaw mirrors patterns fixed in prior commits for similar ksmbd handlers like get_file_all_info() and QUERY_INFO responses.

Remote, unauthenticated attackers can trigger this vulnerability over the network with low complexity by crafting SMB2 compound requests. In such a request an initial command (e.g., READ) consumes most of the shared response buffer, leaving just enough space for a subsequent QUERY_INFO EA response to fill it exactly; the alignment memset then runs with no room left and corrupts adjacent kernel heap memory. The primitive is narrow: the attacker controls how much of the buffer is consumed and therefore where the overflow lands, but the bytes written past the boundary are always 1-3 NUL bytes at the end of the allocation. A kernel crash (denial of service) is the straightforward outcome; code execution requires precise heap grooming so that the zeroed bytes land on something the attacker can profit from. The CVSS 3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) reflects that worst case, with high impact on confidentiality, integrity, and availability.

Kernel patches, available in the stable trees via the referenced commits (e.g., 30010c952077, 790304c02bf9), add a bounds check before the alignment memset so that the padding bytes are written only when buf_free_len can accommodate them. Systems running affected kernels with ksmbd enabled should apply these updates promptly; until they are applied, unloading ksmbd or not exposing it to untrusted networks removes the attack surface.
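The padding logic described above, as an added model that is not ksmbd's source code: the header field widths follow the SMB2 FILE_FULL_EA_INFORMATION layout (4-byte NextEntryOffset, Flags, EaNameLength, EaValueLength), but the function names (emit_ea, run_demo, demo_rc, demo_guard_clobbered), the ea_hdr struct, and the sample EA are hypothetical. A 64-byte buffer is filled with 0xAA and only a smaller "logical" length is handed to the serializer, so the bytes the unconditional memset writes past the logical end show up as clobbered guard bytes instead of a real heap overflow. With fixed == 0 the padding memset runs unconditionally, as in the vulnerable handler; with fixed != 0 the bounds check the patch adds runs first.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of one EA entry header as serialized into a QUERY_INFO response.
 * Field widths follow SMB2 FILE_FULL_EA_INFORMATION; the struct name and
 * the code around it are a constructed teaching model, not ksmbd source. */
struct ea_hdr {
    uint32_t next_entry_offset;
    uint8_t  flags;
    uint8_t  name_len;
    uint16_t value_len;
};
_Static_assert(sizeof(struct ea_hdr) == 8, "header model must be 8 bytes");

#define ALIGN4(x) (((x) + (size_t)3) & ~(size_t)3)

/* Serialize one EA entry (header, NUL-terminated name, value, 0-3 NUL
 * padding bytes to a 4-byte boundary) into 'ptr', which has 'buf_free_len'
 * bytes of logical room. Returns bytes emitted, or -1 if the entry does
 * not fit. 'fixed' selects the patched behaviour. */
long emit_ea(unsigned char *ptr, size_t buf_free_len,
             const char *name, const unsigned char *value, size_t value_len,
             int fixed)
{
    size_t name_len = strlen(name);
    size_t hdr_len = sizeof(struct ea_hdr) + name_len + 1;   /* +1: NUL */
    size_t next_offset, pad;
    struct ea_hdr hdr;

    if (hdr_len > buf_free_len)
        return -1;
    buf_free_len -= hdr_len;

    /* This check exists in both versions: the value itself must fit. */
    if (value_len > buf_free_len)
        return -1;

    next_offset = hdr_len + value_len;
    pad = ALIGN4(next_offset) - next_offset;

    hdr.next_entry_offset = (uint32_t)(next_offset + pad);
    hdr.flags = 0;
    hdr.name_len = (uint8_t)name_len;
    hdr.value_len = (uint16_t)value_len;
    memcpy(ptr, &hdr, sizeof hdr);
    memcpy(ptr + sizeof hdr, name, name_len + 1);
    memcpy(ptr + hdr_len, value, value_len);
    buf_free_len -= value_len;

    /* The fix: refuse to pad when the padding bytes do not fit. */
    if (fixed && pad > buf_free_len)
        return -1;

    /* Vulnerable path: when buf_free_len == 0 here, these 1-3 NUL bytes
     * land past the logical end of the buffer. */
    memset(ptr + next_offset, 0, pad);
    return (long)(next_offset + pad);
}

struct demo_result {
    long rc;              /* return value of emit_ea() */
    int guard_clobbered;  /* guard bytes past logical_len that changed */
};

/* Run emit_ea() with a constructed 6-byte value named "user.x" into a
 * 64-byte buffer of which only 'logical_len' bytes are handed over. The
 * header is 8 bytes, the name 7 bytes with its NUL, so the entry needs 21
 * bytes plus 3 padding bytes: logical_len == 21 is the "value exactly
 * fills the remaining buffer" case from the advisory. */
struct demo_result run_demo(size_t logical_len, int fixed)
{
    static const unsigned char value[6] = { 'a', 'b', 'c', 'd', 'e', 'f' };
    unsigned char buf[64];
    struct demo_result r = { -1, 0 };
    size_t i;

    if (logical_len > sizeof buf)
        return r;
    memset(buf, 0xAA, sizeof buf);
    r.rc = emit_ea(buf, logical_len, "user.x", value, sizeof value, fixed);
    for (i = logical_len; i < sizeof buf; i++)
        if (buf[i] != 0xAA)
            r.guard_clobbered++;
    return r;
}

long demo_rc(size_t logical_len, int fixed)
{
    return run_demo(logical_len, fixed).rc;
}

int demo_guard_clobbered(size_t logical_len, int fixed)
{
    return run_demo(logical_len, fixed).guard_clobbered;
}

int main(void)
{
    struct demo_result v = run_demo(21, 0);
    struct demo_result f = run_demo(21, 1);
    printf("vulnerable: rc=%ld, guard bytes overwritten=%d\n",
           v.rc, v.guard_clobbered);
    printf("fixed:      rc=%ld, guard bytes overwritten=%d\n",
           f.rc, f.guard_clobbered);
    return 0;
}
```

With the tight 21-byte remainder the vulnerable path reports 24 bytes emitted and 3 clobbered guard bytes, which is the overflow; the fixed path returns -1 and leaves the guard untouched. With ample room (logical_len 64) both paths emit 24 bytes and nothing escapes, which is why the bug only surfaces when an earlier compound command has consumed most of the shared buffer.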

Details

CWE(s)
CWE-787 Out-of-bounds Write

Affected Products
Linux kernel: 5.15.145 — 5.16 · 6.1.71 — 6.2 · 6.6 — 6.6.136

CVEs Like This One

CVE-2026-23112 (same product: Linux kernel)
CVE-2026-31743 (same product: Linux kernel)
CVE-2025-21735 (same product: Linux kernel)
CVE-2025-71137 (same product: Linux kernel)
CVE-2026-23073 (same product: Linux kernel)
CVE-2025-21734 (same product: Linux kernel)
CVE-2025-21724 (same product: Linux kernel)
CVE-2025-71155 (same product: Linux kernel)
CVE-2026-43037 (same product: Linux kernel)
CVE-2024-54456 (same product: Linux kernel)
