CVE-2026-31712
Published: 01 May 2026
Summary
CVE-2026-31712 is a high-severity memory-safety vulnerability in the Linux kernel's ksmbd SMB server, catalogued as Out-of-bounds Write (CWE-787); the fix description itself characterises the defect as an out-of-bounds read during DACL parsing. Its CVSS base score is 8.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). It is ranked at the 15th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly remediates the out-of-bounds read in ksmbd's smb_check_perm_dacl() by applying the upstream kernel patches that enforce a minimum ACE size and bound the SID sub-authority count.
- SI-10 (Information Input Validation): Mandates validation of SMB DACL inputs, including each ACE's declared size against the struct it claims to describe, so that crafted undersized ACEs cannot cause out-of-bounds reads of the access_req and sid fields.
- Kernel memory-safety instrumentation such as KASAN detects and reports out-of-bounds reads during DACL parsing triggered by a malicious ACL. KASAN is a debug-build option with substantial overhead and is normally absent from production kernels, so it is a detection aid for testing and fuzzing rather than a runtime mitigation; the patch is the actual fix.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
An authenticated SMB client that stores a crafted DACL on a file it owns triggers an out-of-bounds read in ksmbd's kernel-side ACL parser on a later CREATE against that file. That is an attack on the exposed SMB service (T1210), and because the faulty code runs in the kernel, any further control an attacker gains over the read would be a path to privilege escalation (T1068); the fix description notes that the read is not reflected back to the client, so the immediate effects are KASAN reports and kernel state corruption.
NVD Description
In the Linux kernel, the following vulnerability has been resolved:

ksmbd: require minimum ACE size in smb_check_perm_dacl()

Both ACE-walk loops in smb_check_perm_dacl() only guard against an under-sized remaining buffer, not against an ACE whose declared `ace->size` is smaller than the struct it claims to describe:

    if (offsetof(struct smb_ace, access_req) > aces_size)
        break;
    ace_size = le16_to_cpu(ace->size);
    if (ace_size > aces_size)
        break;

The first check only requires the 4-byte ACE header to be in bounds; it does not require access_req (4 bytes at offset 4) to be readable. An attacker who has set a crafted DACL on a file they own can declare ace->size == 4 with aces_size == 4, pass both checks, and then

    granted |= le32_to_cpu(ace->access_req);   /* upper loop */
    compare_sids(&sid, &ace->sid);             /* lower loop */

reads access_req at offset 4 (OOB by up to 4 bytes) and ace->sid at offset 8 (OOB by up to CIFS_SID_BASE_SIZE + SID_MAX_SUB_AUTHORITIES * 4 bytes).

Tighten both loops to require

    ace_size >= offsetof(struct smb_ace, sid) + CIFS_SID_BASE_SIZE

which is the smallest valid on-wire ACE layout (4-byte header + 4-byte access_req + 8-byte sid base with zero sub-auths). Also reject ACEs whose sid.num_subauth exceeds SID_MAX_SUB_AUTHORITIES before letting compare_sids() dereference sub_auth[] entries.

parse_sec_desc() already enforces an equivalent check (lines 441-448); smb_check_perm_dacl() simply grew weaker validation over time.

Reachability: authenticated SMB client with permission to set an ACL on a file. On a subsequent CREATE against that file, the kernel walks the stored DACL via smb_check_perm_dacl() and triggers the OOB read. Not pre-auth, and the OOB read is not reflected to the attacker, but KASAN reports and kernel state corruption are possible.
Deeper analysis
CVE-2026-31712 is an out-of-bounds read vulnerability in the Linux kernel's ksmbd module, specifically within the smb_check_perm_dacl() function. The two ACE-walk loops in that function only check that the remaining buffer is not under-sized; they never check that an ACE's declared ace->size is at least as large as the struct it describes. An attacker can therefore store a DACL containing an ACE with ace->size == 4 while the remaining aces_size is also 4: both existing checks pass, and the loops then read access_req at offset 4 (up to 4 bytes out of bounds) and ace->sid at offset 8 (up to CIFS_SID_BASE_SIZE + SID_MAX_SUB_AUTHORITIES * 4 bytes out of bounds). The vulnerability has a CVSS v3.1 score of 8.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:H).
An authenticated SMB client with permission to set an ACL on a file they own can exploit this by crafting and storing a malicious DACL. The exploit triggers on a subsequent CREATE operation against that file, where the kernel walks the DACL via smb_check_perm_dacl() and performs the OOB reads. It is not pre-authentication and the OOB read is not reflected to the attacker, but it can result in KASAN reports or kernel state corruption.
Mitigation involves applying upstream kernel patches, such as those in the referenced stable commits (e.g., https://git.kernel.org/stable/c/151b1799861fde38087c08f613abc2843ef597b0), which enforce a minimum ace_size of offsetof(struct smb_ace, sid) + CIFS_SID_BASE_SIZE for the smallest valid ACE layout and reject ACEs with sid.num_subauth exceeding SID_MAX_SUB_AUTHORITIES before dereferencing sub_auth entries. These fixes align smb_check_perm_dacl() validation with the stronger checks already present in parse_sec_desc().
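As an added example, not ksmbd's code and not part of this page's source material, the following C program models the ACE walk described in the fix text and the analysis above: the two pre-fix checks the commit message quotes, and the two checks the fix adds (minimum ACE size, and a cap on sid.num_subauth). It runs both versions over constructed single-ACE DACL buffers: the size == 4 ACE from the description, a well-formed 16-byte ACE, and a 16-byte ACE whose num_subauth exceeds the cap. Struct layout follows the on-wire sizes the description states (4-byte header, 4-byte access_req, SID at offset 8 with an 8-byte base); the value 15 for SID_MAX_SUB_AUTHORITIES, the helper names (rd_le, touch_sid, walk_dacl, oob_bytes, walk_result) and the byte payloads are assumptions made for this example. Instead of dereferencing past the buffer, the model counts the bytes each walk would have read out of bounds, which is what KASAN would report in the kernel.

```c
/* Added model of the ACE walk in ksmbd's smb_check_perm_dacl(); not the kernel's
 * code. Layout is the on-wire ACE the fix describes (4-byte header, 4-byte
 * access_req, SID at offset 8 with an 8-byte base); SID_MAX_SUB_AUTHORITIES = 15
 * is an assumed value for this example. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define CIFS_SID_BASE_SIZE      8
#define SID_MAX_SUB_AUTHORITIES 15      /* assumed for this example */

struct smb_sid { uint8_t revision, num_subauth, authority[6];
                 uint32_t sub_auth[SID_MAX_SUB_AUTHORITIES]; };
struct smb_ace { uint8_t type, flags; uint16_t size; uint32_t access_req;
                 struct smb_sid sid; };

/* Smallest valid on-wire ACE: header + access_req + SID base = 16 bytes. */
#define MIN_ACE_SIZE (offsetof(struct smb_ace, sid) + CIFS_SID_BASE_SIZE)

/* Bounds-tracking view of the stored DACL: instead of dereferencing past the end
 * (what KASAN flags in the kernel), rd_le() counts the bytes the walk tried to
 * read outside the buffer and substitutes zeros for them. */
struct dacl_buf { const uint8_t *data; size_t len; size_t oob_bytes; };

static uint32_t rd_le(struct dacl_buf *b, size_t off, size_t n)
{
    uint32_t v = 0;
    for (size_t i = 0; i < n; i++) {
        if (off + i >= b->len) { b->oob_bytes++; continue; }
        v |= (uint32_t)b->data[off + i] << (8 * i);
    }
    return v;
}

/* What compare_sids() touches: the SID base, then num_subauth sub-authorities. */
static void touch_sid(struct dacl_buf *b, size_t sid_off)
{
    uint8_t base[CIFS_SID_BASE_SIZE];
    for (size_t i = 0; i < CIFS_SID_BASE_SIZE; i++)
        base[i] = (uint8_t)rd_le(b, sid_off + i, 1);
    for (unsigned s = 0; s < base[offsetof(struct smb_sid, num_subauth)]; s++)
        (void)rd_le(b, sid_off + CIFS_SID_BASE_SIZE + 4u * s, 4);
}

/* The ACE walk, with the two checks the fix adds gated on `strict`: strict == 0
 * reproduces the pre-fix loop the commit message quotes, strict == 1 the post-fix
 * one. Returns the OR of access_req values ("granted"), or -1 when strict mode
 * rejects an ACE (this model returns instead of silently ending the walk). */
static int64_t walk_dacl(struct dacl_buf *b, size_t aces_size, int num_aces, int strict)
{
    uint32_t granted = 0;
    size_t off = 0;
    for (int i = 0; i < num_aces; i++) {
        if (offsetof(struct smb_ace, access_req) > aces_size) /* only the header */
            break;
        uint16_t ace_size = (uint16_t)rd_le(b, off + offsetof(struct smb_ace, size), 2);
        if (ace_size > aces_size)
            break;
        size_t sid_off = off + offsetof(struct smb_ace, sid);
        if (strict) {
            /* Fix 1: the ACE must cover header + access_req + SID base. */
            if (ace_size < MIN_ACE_SIZE)
                return -1;
            /* Fix 2: cap num_subauth before compare_sids() walks sub_auth[]. */
            if (rd_le(b, sid_off + offsetof(struct smb_sid, num_subauth), 1) >
                (uint32_t)SID_MAX_SUB_AUTHORITIES)
                return -1;
        }
        granted |= rd_le(b, off + offsetof(struct smb_ace, access_req), 4); /* upper loop */
        touch_sid(b, sid_off);                                              /* lower loop */
        off += ace_size;
        aces_size -= ace_size;
    }
    return granted;
}

/* Constructed single-ACE DACLs (not captured traffic): size == 4, valid, num_subauth 16. */
static const uint8_t crafted_ace[4] = { 0x00, 0x00, 0x04, 0x00 };
static const uint8_t valid_ace[16] = { 0x00, 0x00, 0x10, 0x00, 0xa9, 0x00, 0x12, 0x00,
                                       0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 };
static const uint8_t bad_nsub_ace[16] = { 0x00, 0x00, 0x10, 0x00, 0xa9, 0x00, 0x12, 0x00,
                                          0x01, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 };

static size_t oob_bytes(const uint8_t *d, size_t n, int strict)
{ struct dacl_buf b = { d, n, 0 }; (void)walk_dacl(&b, n, 1, strict); return b.oob_bytes; }
static int64_t walk_result(const uint8_t *d, size_t n, int strict)
{ struct dacl_buf b = { d, n, 0 }; return walk_dacl(&b, n, 1, strict); }

int main(void)
{
    const uint8_t *d[] = { crafted_ace, valid_ace, bad_nsub_ace };
    const size_t len[] = { 4, 16, 16 };
    for (int i = 0; i < 3; i++)
        printf("case %d: weak walk %zu bytes OOB, strict walk %zu bytes OOB, result %lld\n",
               i, oob_bytes(d[i], len[i], 0), oob_bytes(d[i], len[i], 1),
               (long long)walk_result(d[i], len[i], 1));
    return 0;
}
```

With the crafted ACE the pre-fix walk reads 12 bytes past the buffer (4 for access_req, 8 for the SID base) while the strict walk rejects it before any field is touched; the valid ACE is accepted by both with granted == 0x001200a9; the oversized num_subauth makes the pre-fix walk read 64 bytes of non-existent sub_auth[] entries, which the added cap prevents.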
Details
- CWE(s)