CVE-2026-31706
Published: 01 May 2026
Summary
CVE-2026-31706 is a high-severity an unspecified weakness vulnerability in Linux Linux Kernel. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 15.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires validation of num_aces against pdacl_size and enforcement of minimum ACE sizes from potentially tampered DACL xattrs to prevent oversized heap allocations.
Provides protections against heap overflows, uninitialized memory exposure, and unsafe allocations in kernel functions like smb_inherit_dacl().
Ensures invalid or undersized ACEs and tampered num_aces values trigger safe error handling without proceeding to partial population of large uninitialized buffers.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CVE enables remote exploitation of the ksmbd SMB service (T1190) by low-priv authenticated clients over SMB2 CREATE; the resulting oversized uninitialized kmalloc directly supports application/system exploitation for DoS via memory exhaustion (T1499.004).
NVD Description
In the Linux kernel, the following vulnerability has been resolved: ksmbd: validate num_aces and harden ACE walk in smb_inherit_dacl() smb_inherit_dacl() trusts the on-disk num_aces value from the parent directory's DACL xattr and uses it to size a heap allocation: aces_base…
more
= kmalloc(sizeof(struct smb_ace) * num_aces * 2, ...); num_aces is a u16 read from le16_to_cpu(parent_pdacl->num_aces) without checking that it is consistent with the declared pdacl_size. An authenticated client whose parent directory's security.NTACL is tampered (e.g. via offline xattr corruption or a concurrent path that bypasses parse_dacl()) can present num_aces = 65535 with minimal actual ACE data. This causes a ~8 MB allocation (not kzalloc, so uninitialized) that the subsequent loop only partially populates, and may also overflow the three-way size_t multiply on 32-bit kernels. Additionally, the ACE walk loop uses the weaker offsetof(struct smb_ace, access_req) minimum size check rather than the minimum valid on-wire ACE size, and does not reject ACEs whose declared size is below the minimum. Reproduced on UML + KASAN + LOCKDEP against the real ksmbd code path. A legitimate mount.cifs client creates a parent directory over SMB (ksmbd writes a valid security.NTACL xattr), then the NTACL blob on the backing filesystem is rewritten to set num_aces = 0xFFFF while keeping the posix_acl_hash bytes intact so ksmbd_vfs_get_sd_xattr()'s hash check still passes. A subsequent SMB2 CREATE of a child under that parent drives smb2_open() into smb_inherit_dacl() (share has "vfs objects = acl_xattr" set), which fails the page allocator: WARNING: mm/page_alloc.c:5226 at __alloc_frozen_pages_noprof+0x46c/0x9c0 Workqueue: ksmbd-io handle_ksmbd_work __alloc_frozen_pages_noprof+0x46c/0x9c0 ___kmalloc_large_node+0x68/0x130 __kmalloc_large_node_noprof+0x24/0x70 __kmalloc_noprof+0x4c9/0x690 smb_inherit_dacl+0x394/0x2430 smb2_open+0x595d/0xabe0 handle_ksmbd_work+0x3d3/0x1140 With the patch applied the added guard rejects the tampered value with -EINVAL before any large allocation runs, smb2_open() falls back to smb2_create_sd_buffer(), and the child is created with a default SD. No warning, no splat. Fix by: 1. Validating num_aces against pdacl_size using the same formula applied in parse_dacl(). 2. Replacing the raw kmalloc(sizeof * num_aces * 2) with kmalloc_array(num_aces * 2, sizeof(...)) for overflow-safe allocation. 3. Tightening the per-ACE loop guard to require the minimum valid ACE size (offsetof(smb_ace, sid) + CIFS_SID_BASE_SIZE) and rejecting under-sized ACEs, matching the hardening in smb_check_perm_dacl() and parse_dacl(). v1 -> v2: - Replace the synthetic test-module splat in the changelog with a real-path UML + KASAN reproduction driven through mount.cifs and SMB2 CREATE; Namjae flagged the kcifs3_test_inherit_dacl_old name in v1 since it does not exist in ksmbd. - Drop the commit-hash citation from the code comment per Namjae's review; keep the parse_dacl() pointer.
Deeper analysisAI
CVE-2026-31706 is a vulnerability in the Linux kernel's ksmbd module, specifically in the smb_inherit_dacl() function. This function trusts the on-disk num_aces value (a u16) from the parent directory's DACL xattr without validating it against the declared pdacl_size, leading to an oversized heap allocation of approximately 8 MB using kmalloc (resulting in uninitialized memory). The allocation uses sizeof(struct smb_ace) * num_aces * 2 without overflow protection, which can cause multiplication overflow on 32-bit kernels. Additionally, the ACE walk loop employs a weak minimum size check based on offsetof(struct smb_ace, access_req) and fails to reject undersized ACEs.
An authenticated client with low privileges (PR:L) can exploit this remotely over the network (AV:N) by tampering with the parent directory's security.NTACL xattr, such as through offline corruption or a concurrent path that bypasses parse_dacl(). By setting num_aces to 65535 while retaining minimal actual ACE data and preserving the posix_acl_hash for xattr validation, the attacker triggers smb_inherit_dacl() during an SMB2 CREATE of a child file or directory (on a share with "vfs objects = acl_xattr"). This results in a large uninitialized allocation that is only partially populated, potentially causing page allocator failures, denial of service via memory exhaustion warnings, or exposure of uninitialized memory. The CVSS v3.1 score of 8.8 (High) reflects high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H).
The vulnerability was resolved via kernel patches in stable trees, as documented in the referenced commits. Mitigations include validating num_aces against pdacl_size using the formula from parse_dacl(), replacing the raw kmalloc with overflow-safe kmalloc_array(num_aces * 2, sizeof(struct smb_ace)), and strengthening the per-ACE loop to enforce the minimum valid on-wire ACE size (offsetof(smb_ace, sid) + CIFS_SID_BASE_SIZE), rejecting undersized ACEs. With the patch, tampered values are rejected with -EINVAL before allocation, allowing smb2_open() to fall back to smb2_create_sd_buffer() for a default security descriptor without warnings or failures. The issue was reproduced using UML with KASAN and LOCKDEP, simulating real ksmbd paths via mount.cifs and SMB2 CREATE.
Details
- CWE(s)