CVE-2026-31709

Severity: High
Published: 01 May 2026
Modified: 30 June 2026
CVSS Score (v3.1): 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0026 (17.3th percentile)
Risk Priority: 55 (floored blend, peak EPSS)

Summary

CVE-2026-31709 is a high-severity Improper Validation of Consistency within Input (CWE-1288) vulnerability in the Linux kernel (vendor: Linux, product: Linux Kernel). Its CVSS v3.1 base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). By exploit likelihood (EPSS) it ranks at the 17.3th percentile, below the median, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-31709 is a vulnerability in the Linux kernel's SMB client implementation, specifically affecting the cifsacl handling in functions like build_sec_desc() and id_mode_to_cifs_acl(). These functions derive a DACL pointer from a server-supplied dacloffset and use the incoming ACL to rebuild security descriptors during chmod or chown operations. While a prior fix validated the SMB ACL header to prevent immediate out-of-bounds (OOB) reads, it did not structurally validate the DACL body. A malicious server could supply a truncated DACL with a valid header claiming one or more ACEs, allowing the rewrite helpers—such as replace_sids_and_copy_aces() or set_chmod_dacl()—to process attacker-controlled data beyond the validated extent during ACE comparison or copying.

The vulnerability can be exploited by an unauthenticated attacker (PR:N) over the network (AV:N) who controls an SMB server that a victim Linux system mounts or accesses. Exploitation requires user interaction (UI:R), such as a user-initiated chmod or chown operation on a file or directory within the SMB share, which triggers the insecure DACL rewriting. Successful exploitation leads to high-impact confidentiality, integrity, and availability violations (C:H/I:H/A:H), with a CVSS v3.1 base score of 8.8, potentially enabling memory corruption, arbitrary code execution, or system crashes due to OOB reads or writes.

The provided patch references detail the mitigation via kernel commits that factor DACL structural validation into a new validate_dacl() function. This extends checks to ensure each ACE fits within DACL bounds, applied consistently before both read-side parsing (parse_dacl()) and write-side rebuild paths for chmod/chown operations. The commits are available at https://git.kernel.org/stable/c/0a8cf165566ba55a39fd0f4de172119dd646d39a and https://git.kernel.org/stable/c/b78db9bddc84136f6a0bb49e8883cf200dfb87a8, resolving the issue by enforcing agreement on well-formed DACL criteria across parser and rewriter paths.

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved:

smb: client: validate the whole DACL before rewriting it in cifsacl

build_sec_desc() and id_mode_to_cifs_acl() derive a DACL pointer from a server-supplied dacloffset and then use the incoming ACL to rebuild the chmod/chown security descriptor. The original fix only checked that the struct smb_acl header fits before reading dacl_ptr->size or dacl_ptr->num_aces. That avoids the immediate header-field OOB read, but the rewrite helpers still walk ACEs based on pdacl->num_aces with no structural validation of the incoming DACL body. A malicious server can return a truncated DACL that still contains a header, claims one or more ACEs, and then drive replace_sids_and_copy_aces() or set_chmod_dacl() past the validated extent while they compare or copy attacker-controlled ACEs. Factor the DACL structural checks into validate_dacl(), extend them to validate each ACE against the DACL bounds, and use the shared validator before the chmod/chown rebuild paths. parse_dacl() reuses the same validator so the read-side parser and write-side rewrite paths agree on what constitutes a well-formed incoming DACL.
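The structural check the fix describes, as an added stand-alone model rather than the kernel's own validate_dacl(): every ACE is validated against the DACL bounds before any helper walks the list, and the same function would be called on both the parse and the rewrite paths. The on-wire layout assumed here (an 8-byte ACL header of revision, size and num_aces; a 4-byte ACE header of type, flags and size, all little-endian) and the sample descriptor bytes are constructed for this example and are not captured from a server.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed on-wire layout (little-endian), modelled on the SMB ACL and ACE
 * headers; only the field offsets the validator reads are relied upon. */
#define SMB_ACL_HDR_LEN 8U  /* revision(2) size(2) num_aces(4) */
#define SMB_ACE_HDR_LEN 4U  /* type(1) flags(1) size(2) */

static uint16_t rd_le16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Structural validation of a DACL located at dacloffset inside a buffer of
 * buf_len bytes received from the server. Returns true only when the header,
 * the DACL's claimed size, and every one of its num_aces ACEs lie entirely
 * inside the buffer. Each subtraction is guarded so no size_t underflow can
 * make a truncated input look valid. */
bool validate_dacl(const uint8_t *buf, size_t buf_len, size_t dacloffset)
{
    if (dacloffset > buf_len || buf_len - dacloffset < SMB_ACL_HDR_LEN)
        return false;                         /* header itself out of bounds */

    const uint8_t *dacl = buf + dacloffset;
    size_t dacl_size = rd_le16(dacl + 2);
    uint32_t num_aces = rd_le32(dacl + 4);

    if (dacl_size < SMB_ACL_HDR_LEN || dacl_size > buf_len - dacloffset)
        return false;                         /* claimed size exceeds buffer */

    /* Walk the ACEs by their own size fields, never past dacl_size. */
    size_t off = SMB_ACL_HDR_LEN;
    for (uint32_t i = 0; i < num_aces; i++) {
        if (dacl_size - off < SMB_ACE_HDR_LEN)
            return false;                     /* ACE header truncated */
        size_t ace_size = rd_le16(dacl + off + 2);
        if (ace_size < SMB_ACE_HDR_LEN || ace_size > dacl_size - off)
            return false;                     /* ACE body runs past the DACL */
        off += ace_size;
    }
    return true;
}

/* Constructed sample: 4 bytes of preceding descriptor data, then a 20-byte
 * DACL (revision 2, one 12-byte ACE). Values are illustrative only. */
static const uint8_t SAMPLE_SD[] = {
    0x01, 0x00, 0x00, 0x00,                         /* descriptor prefix     */
    0x02, 0x00, 0x14, 0x00, 0x01, 0x00, 0x00, 0x00, /* rev=2 size=20 aces=1  */
    0x00, 0x00, 0x0c, 0x00, 0xff, 0x01, 0x1f, 0x00, /* ACE hdr size=12, mask */
    0x01, 0x01, 0x00, 0x00                          /* SID stub              */
};
#define SAMPLE_DACL_OFFSET 4U

/* The well-formed descriptor passes. */
int check_well_formed(void)
{
    return validate_dacl(SAMPLE_SD, sizeof SAMPLE_SD, SAMPLE_DACL_OFFSET);
}

/* Header claims two ACEs but only one is present: the second ACE's header
 * would start at the DACL's end, so the walk rejects it. This is the
 * truncated-DACL shape described in the advisory text. */
int check_truncated_ace_list(void)
{
    uint8_t sd[sizeof SAMPLE_SD];
    memcpy(sd, SAMPLE_SD, sizeof sd);
    sd[SAMPLE_DACL_OFFSET + 4] = 0x02;                  /* num_aces = 2 */
    return validate_dacl(sd, sizeof sd, SAMPLE_DACL_OFFSET);
}

/* DACL size field larger than the bytes actually received. */
int check_oversized_dacl(void)
{
    uint8_t sd[sizeof SAMPLE_SD];
    memcpy(sd, SAMPLE_SD, sizeof sd);
    sd[SAMPLE_DACL_OFFSET + 2] = 0x28;                  /* size = 40 */
    return validate_dacl(sd, sizeof sd, SAMPLE_DACL_OFFSET);
}

/* Single ACE whose own size field overruns the DACL it sits in. */
int check_oversized_ace(void)
{
    uint8_t sd[sizeof SAMPLE_SD];
    memcpy(sd, SAMPLE_SD, sizeof sd);
    sd[SAMPLE_DACL_OFFSET + SMB_ACL_HDR_LEN + 2] = 0x20; /* ace size = 32 */
    return validate_dacl(sd, sizeof sd, SAMPLE_DACL_OFFSET);
}
```

The point of the walk is that num_aces alone is never trusted: the loop terminates on the byte budget of the DACL, so a header that claims more ACEs than the body carries is rejected before any comparison or copy helper touches the data. Calling this one validator from both the parser and the rebuild path is what keeps the two sides agreeing on what a well-formed DACL is.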

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

- T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
- T1203 Exploitation for Client Execution (tactic: Execution): Adversaries may exploit software vulnerabilities in client applications to execute code.

Why these techniques?

A kernel SMB client OOB read/write in ACL parsing enables remote code execution when a client mounts a malicious share and runs chmod/chown (T1203), and kernel privilege escalation (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

- CVE-2026-31607 (same product: Linux Linux Kernel)
- CVE-2026-31435 (same product: Linux Linux Kernel)
- CVE-2026-31474 (same product: Linux Linux Kernel)
- CVE-2026-31516 (same product: Linux Linux Kernel)
- CVE-2024-57792 (same product: Linux Linux Kernel)
- CVE-2026-23326 (same product: Linux Linux Kernel)
- CVE-2026-23280 (same product: Linux Linux Kernel)
- CVE-2025-71123 (same product: Linux Linux Kernel)
- CVE-2026-31570 (same product: Linux Linux Kernel)
- CVE-2026-23288 (same product: Linux Linux Kernel)

Affected Assets

Vendor: linux
Product: linux kernel
Versions: 5.12 through 7.0.2

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

- Prevent, SI-10 (Information Input Validation): Requires comprehensive structural validation of server-supplied DACL inputs before processing in SMB client ACL rebuild functions to prevent OOB reads/writes during chmod/chown operations.
- Prevent, SI-2 (Flaw Remediation): Mandates timely remediation of the kernel flaw through patching to enforce DACL validation across parse and rewrite paths, directly resolving the vulnerability.
- Prevent: Provides memory protection mechanisms that mitigate potential exploitation of memory corruption from malformed DACL processing in the SMB client.
