CVE-2026-31708
Published: 01 May 2026
Summary
CVE-2026-31708 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in the Linux kernel. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). It is ranked at the 13.1 percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Flaw remediation directly addresses the vulnerability by applying kernel patches that add the missing bounds check on the SMB response buffer payload.
Information input validation requires verifying server-reported OutputBufferLength against the actual response buffer size to prevent out-of-bounds reads during copy_to_user.
Memory protection mechanisms like kernel heap isolation and randomization mitigate the impact of disclosed adjacent kernel heap data from the out-of-bounds read.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The OOB read in the kernel SMB client lets a malicious server disclose kernel memory to userspace (C:H impact) when a client connects to it. That leak directly facilitates credential access (secrets in leaked heap data) and privilege escalation (information leaks that enable further kernel exploitation).
NVD Description
In the Linux kernel, the following vulnerability has been resolved: smb: client: fix OOB read in smb2_ioctl_query_info QUERY_INFO path smb2_ioctl_query_info() has two response-copy branches: PASSTHRU_FSCTL and the default QUERY_INFO path. The QUERY_INFO branch clamps qi.input_buffer_length to the server-reported OutputBufferLength and then copies qi.input_buffer_length bytes from qi_rsp->Buffer to userspace, but it never verifies that the flexible-array payload actually fits within rsp_iov[1].iov_len. A malicious server can return OutputBufferLength larger than the actual QUERY_INFO response, causing copy_to_user() to walk past the response buffer and expose adjacent kernel heap to userspace. Guard the QUERY_INFO copy with a bounds check on the actual Buffer payload. Use struct_size(qi_rsp, Buffer, qi.input_buffer_length) rather than an open-coded addition so the guard cannot overflow on 32-bit builds.
Deeper analysis
CVE-2026-31708 is an out-of-bounds read vulnerability in the Linux kernel's SMB client, specifically in the smb2_ioctl_query_info() function when handling the QUERY_INFO path. The flaw occurs because the function clamps qi.input_buffer_length to the server-reported OutputBufferLength and copies that length from the response buffer to userspace without verifying that the flexible-array payload fits within rsp_iov[1].iov_len. A malicious server can thus trigger reads beyond the response buffer, exposing adjacent kernel heap memory.
A remote attacker who controls a malicious SMB server can exploit this by returning an OutputBufferLength larger than the actual QUERY_INFO response buffer. Exploitation requires user interaction, such as a victim mounting the share or issuing an SMB2 ioctl query via the Linux kernel's SMB client. This results in kernel heap data leakage to userspace, with a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H), enabling high-impact confidentiality violations and potential denial of service through crashes.
Mitigation patches are available in multiple Linux kernel stable branches, as detailed in the referenced git commits (e.g., 078fae8f50adebb903ccf2252b44391324571e78). These fixes guard the copy with a bounds check on the actual Buffer payload, computing the required size with struct_size(qi_rsp, Buffer, qi.input_buffer_length) so that the check itself cannot overflow on 32-bit builds, and thereby ensure the copy_to_user() operation stays within the response buffer. Security practitioners should update affected kernels promptly.
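Added illustration of the two copy paths the NVD description and the analysis above describe, written for this page and not taken from the kernel: the clamp that trusts the server-reported length beside the guarded version, and why the guard needs a struct_size()-style overflow-safe sum rather than an open-coded addition. The struct layout, function names and the constructed sample response are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical stand-in for the SMB2 QUERY_INFO response: fixed header then a
 * flexible-array payload, mirroring qi_rsp->Buffer. */
struct qi_rsp {
    uint16_t StructureSize;
    uint16_t OutputBufferOffset;
    uint32_t OutputBufferLength;   /* server-reported, untrusted */
    uint8_t  Buffer[];             /* flexible-array payload */
};

/* Open-coded guard: hdr + n wraps when size_t is 32 bits (n comes from the
 * 32-bit OutputBufferLength), so a huge n can pass as "fits". */
static bool payload_fits_naive(size_t iov_len, size_t n)
{
    return offsetof(struct qi_rsp, Buffer) + n <= iov_len;
}

/* struct_size()-style guard: reject on overflow instead of wrapping, then
 * require the whole payload to lie inside the received bytes (iov_len). */
static bool payload_fits(size_t iov_len, size_t n)
{
    size_t hdr = offsetof(struct qi_rsp, Buffer);
    return n <= SIZE_MAX - hdr && hdr + n <= iov_len;
}

/* Vulnerable pattern: clamp to the server-reported length and copy that many
 * bytes, never comparing against the bytes actually received. */
static size_t copy_len_unchecked(const struct qi_rsp *rsp, size_t input_len)
{
    return input_len > rsp->OutputBufferLength ? rsp->OutputBufferLength : input_len;
}

/* Hardened pattern: same clamp, then the bounds check; -1 means reject. */
static long copy_len_checked(const struct qi_rsp *rsp, size_t iov_len, size_t input_len)
{
    if (input_len > rsp->OutputBufferLength)
        input_len = rsp->OutputBufferLength;
    return payload_fits(iov_len, input_len) ? (long)input_len : -1;
}

/* Constructed 16-byte sample (8 header + 8 payload) claiming `reported` payload bytes. */
static struct { uint16_t ss, off; uint32_t len; uint8_t payload[8]; } sample;
static struct qi_rsp *make_sample(uint32_t reported)
{
    sample.ss = 9; sample.off = 8; sample.len = reported;
    return (struct qi_rsp *)&sample;   /* same layout as struct qi_rsp */
}
```

With a response that claims 4096 payload bytes but arrived as 16, the unchecked path would hand copy_to_user() 4096 bytes while the checked path rejects it; the naive guard also wrongly accepts a length near SIZE_MAX, which the saturating guard refuses.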
Details
- CWE(s)