Cyber Posture

CVE-2026-31709

Severity: High
Published: 01 May 2026
Modified: 07 May 2026
KEV Added: not listed
Patch: see the kernel commits linked under Deeper analysis
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0004 (12.1th percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-31709 is a high-severity vulnerability (weakness type unspecified) in the Linux kernel. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). It is ranked at the 12.1th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent): Requires comprehensive structural validation of server-supplied DACL inputs before processing in SMB client ACL rebuild functions to prevent OOB reads/writes during chmod/chown operations.

SI-2 Flaw Remediation (prevent): Mandates timely remediation of the kernel flaw through patching to enforce DACL validation across parse and rewrite paths, directly resolving the vulnerability.

Memory protection (prevent): Provides memory protection mechanisms that mitigate potential exploitation of memory corruption from malformed DACL processing in the SMB client.

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1203 Exploitation for Client Execution (tactic: Execution): Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

An OOB read/write in the kernel SMB client's ACL parsing is reachable from a malicious server once a client has mounted the share and runs chmod/chown, which maps to code execution on the client (T1203) and, because the code runs in the kernel, privilege escalation (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

In the Linux kernel, the following vulnerability has been resolved: smb: client: validate the whole DACL before rewriting it in cifsacl. build_sec_desc() and id_mode_to_cifs_acl() derive a DACL pointer from a server-supplied dacloffset and then use the incoming ACL to rebuild the chmod/chown security descriptor. The original fix only checked that the struct smb_acl header fits before reading dacl_ptr->size or dacl_ptr->num_aces. That avoids the immediate header-field OOB read, but the rewrite helpers still walk ACEs based on pdacl->num_aces with no structural validation of the incoming DACL body. A malicious server can return a truncated DACL that still contains a header, claims one or more ACEs, and then drive replace_sids_and_copy_aces() or set_chmod_dacl() past the validated extent while they compare or copy attacker-controlled ACEs. Factor the DACL structural checks into validate_dacl(), extend them to validate each ACE against the DACL bounds, and use the shared validator before the chmod/chown rebuild paths. parse_dacl() reuses the same validator so the read-side parser and write-side rewrite paths agree on what constitutes a well-formed incoming DACL.

Deeper analysis

CVE-2026-31709 is a vulnerability in the Linux kernel's SMB client implementation, specifically affecting the cifsacl handling in functions like build_sec_desc() and id_mode_to_cifs_acl(). These functions derive a DACL pointer from a server-supplied dacloffset and use the incoming ACL to rebuild security descriptors during chmod or chown operations. While a prior fix validated the SMB ACL header to prevent immediate out-of-bounds (OOB) reads, it did not structurally validate the DACL body. A malicious server could supply a truncated DACL with a valid header claiming one or more ACEs, allowing the rewrite helpers—such as replace_sids_and_copy_aces() or set_chmod_dacl()—to process attacker-controlled data beyond the validated extent during ACE comparison or copying.

The vulnerability can be exploited by an unauthenticated attacker (PR:N) over the network (AV:N) who controls an SMB server that a victim Linux system mounts or accesses. Exploitation requires user interaction (UI:R), such as a user-initiated chmod or chown operation on a file or directory within the SMB share, which triggers the insecure DACL rewriting. Successful exploitation leads to high-impact confidentiality, integrity, and availability violations (C:H/I:H/A:H), with a CVSS v3.1 base score of 8.8, potentially enabling memory corruption, arbitrary code execution, or system crashes due to OOB reads or writes.

The referenced patches implement the mitigation through kernel commits that factor DACL structural validation into a new validate_dacl() function. It extends the checks so that each ACE must fit within the DACL bounds, and it is applied consistently before both the read-side parser (parse_dacl()) and the write-side rebuild paths for chmod/chown operations. The commits are available at https://git.kernel.org/stable/c/0a8cf165566ba55a39fd0f4de172119dd646d39a and https://git.kernel.org/stable/c/b78db9bddc84136f6a0bb49e8883cf200dfb87a8; they resolve the issue by making parser and rewriter agree on what a well-formed DACL is.
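To make the "validate every claimed ACE against the DACL bounds" check concrete, here is an added illustrative validator for the NVD description and the analysis above; it is not the kernel's validate_dacl(), and its simplified DACL/ACE byte layout and function names are assumptions chosen for the example.

```c
/* Added illustration of a structural DACL validator (NOT the kernel's
 * validate_dacl()). ASSUMED simplified layout: an 8-byte ACL header
 * (le16 revision, le16 size, le32 num_aces) followed by num_aces ACEs, each
 * starting with a 4-byte header (u8 type, u8 flags, le16 size) whose size
 * field covers the whole ACE including its trailing SID bytes. */
#include <stddef.h>
#include <stdint.h>
#define ACL_HDR_LEN 8u
#define ACE_HDR_LEN 4u

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Return 0 if the DACL at dacloffset lies entirely inside buf and every ACE
 * it claims lies inside the DACL's own declared size, else -1. Every bound
 * is checked before the bytes behind it are read, so a header that claims
 * more ACEs than were actually sent is rejected before any ACE is walked. */
int validate_dacl_example(const uint8_t *buf, size_t buflen, size_t dacloffset)
{
    if (dacloffset > buflen || buflen - dacloffset < ACL_HDR_LEN)
        return -1;                           /* ACL header not inside buffer */
    const uint8_t *acl = buf + dacloffset;
    size_t acl_size = rd16(acl + 2);
    uint32_t num_aces = rd32(acl + 4);
    if (acl_size < ACL_HDR_LEN || acl_size > buflen - dacloffset)
        return -1;                           /* declared size overruns buffer */
    size_t off = ACL_HDR_LEN;                /* cursor, relative to acl */
    for (uint32_t i = 0; i < num_aces; i++) {
        if (acl_size - off < ACE_HDR_LEN)
            return -1;                       /* ACE header past DACL end */
        size_t ace_size = rd16(acl + off + 2);
        if (ace_size < ACE_HDR_LEN || ace_size > acl_size - off)
            return -1;                       /* ACE body past DACL end */
        off += ace_size;
    }
    return 0;
}

/* Constructed sample DACLs (dacloffset 0 for brevity). */
static const uint8_t good_dacl[] = {
    0x02,0x00, 0x14,0x00, 0x02,0x00,0x00,0x00,  /* rev 2, size 20, 2 ACEs */
    0x00,0x00, 0x06,0x00, 0xAA,0xBB,            /* ACE 1, size 6 */
    0x00,0x00, 0x06,0x00, 0xCC,0xDD };          /* ACE 2, size 6 */
static const uint8_t overclaim_dacl[] = {       /* size 14 fits, but 2 ACEs claimed */
    0x02,0x00, 0x0E,0x00, 0x02,0x00,0x00,0x00,
    0x00,0x00, 0x06,0x00, 0xAA,0xBB };          /* only ACE 1 is really present */

int check_good(void)      { return validate_dacl_example(good_dacl, sizeof good_dacl, 0); }
int check_overclaim(void) { return validate_dacl_example(overclaim_dacl, sizeof overclaim_dacl, 0); }
```

The overclaim case is the shape the description warns about: the header fits and its size field is consistent with the bytes received, yet num_aces promises an ACE that is not there, which an unchecked walk would read past the buffer.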

Details

CWE(s): none assigned (unspecified weakness)

Affected Products: linux / linux kernel, versions 5.12 through 7.0.2

CVEs Like This One

CVE-2026-31607 (same product: Linux kernel)
CVE-2026-31694 (same product: Linux kernel)
CVE-2026-31641 (same product: Linux kernel)
CVE-2026-31663 (same product: Linux kernel)
CVE-2026-23336 (same product: Linux kernel)
CVE-2025-21858 (same product: Linux kernel)
CVE-2026-31454 (same product: Linux kernel)
CVE-2025-21700 (same product: Linux kernel)
CVE-2024-57995 (same product: Linux kernel)
CVE-2026-23412 (same product: Linux kernel)
