CVE-2026-31433 (GCVE-0-2026-31433)
Vulnerability from cvelistv5
Published
2026-04-22 08:15
Modified
2026-04-27 14:03
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: fix potencial OOB in get_file_all_info() for compound requests
When a compound request consists of QUERY_DIRECTORY + QUERY_INFO
(FILE_ALL_INFORMATION) and the first command consumes nearly the entire
max_trans_size, get_file_all_info() would blindly call smbConvertToUTF16()
with PATH_MAX, causing out-of-bounds write beyond the response buffer.
In get_file_all_info(), there was a missing validation check for
the client-provided OutputBufferLength before copying the filename into
FileName field of the smb2_file_all_info structure.
If the filename length exceeds the available buffer space, it could lead to
potential buffer overflows or memory corruption during smbConvertToUTF16
conversion. This calculating the actual free buffer size using
smb2_calc_max_out_buf_len() and returning -EINVAL if the buffer is
insufficient and updating smbConvertToUTF16 to use the actual filename
length (clamped by PATH_MAX) to ensure a safe copy operation.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: f2283680a80571ca82d710bc6ecd8f8beac67d63 Version: 9f297df20d93411c0b4ddad7f88ba04a7cd36e77 Version: e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d Version: e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d Version: e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d Version: e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d Version: e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/server/smb2pdu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3a852f9d1c981fb14f6bf4e24999e0ea8088a7d7",
"status": "affected",
"version": "f2283680a80571ca82d710bc6ecd8f8beac67d63",
"versionType": "git"
},
{
"lessThan": "4cca3eff2099b18672934a39cee70aed835d652c",
"status": "affected",
"version": "9f297df20d93411c0b4ddad7f88ba04a7cd36e77",
"versionType": "git"
},
{
"lessThan": "358cdaa1f7fbf2712cb4c5f6b59cb9a5c673c5fe",
"status": "affected",
"version": "e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d",
"versionType": "git"
},
{
"lessThan": "7aec5a769d2356cbf344d85bcfd36de592ac96a5",
"status": "affected",
"version": "e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d",
"versionType": "git"
},
{
"lessThan": "b0cd9725fe2bcc9f37d096b132318a9060373f5d",
"status": "affected",
"version": "e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d",
"versionType": "git"
},
{
"lessThan": "9d7032851d6f5adbe2739601ca456c0ad3b422f0",
"status": "affected",
"version": "e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d",
"versionType": "git"
},
{
"lessThan": "beef2634f81f1c086208191f7228bce1d366493d",
"status": "affected",
"version": "e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/smb/server/smb2pdu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.6"
},
{
"lessThan": "6.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.131",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.21",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "5.15.145",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "6.1.71",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.131",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.80",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.21",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.11",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix potencial OOB in get_file_all_info() for compound requests\n\nWhen a compound request consists of QUERY_DIRECTORY + QUERY_INFO\n(FILE_ALL_INFORMATION) and the first command consumes nearly the entire\nmax_trans_size, get_file_all_info() would blindly call smbConvertToUTF16()\nwith PATH_MAX, causing out-of-bounds write beyond the response buffer.\nIn get_file_all_info(), there was a missing validation check for\nthe client-provided OutputBufferLength before copying the filename into\nFileName field of the smb2_file_all_info structure.\nIf the filename length exceeds the available buffer space, it could lead to\npotential buffer overflows or memory corruption during smbConvertToUTF16\nconversion. This calculating the actual free buffer size using\nsmb2_calc_max_out_buf_len() and returning -EINVAL if the buffer is\ninsufficient and updating smbConvertToUTF16 to use the actual filename\nlength (clamped by PATH_MAX) to ensure a safe copy operation."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T14:03:05.745Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3a852f9d1c981fb14f6bf4e24999e0ea8088a7d7"
},
{
"url": "https://git.kernel.org/stable/c/4cca3eff2099b18672934a39cee70aed835d652c"
},
{
"url": "https://git.kernel.org/stable/c/358cdaa1f7fbf2712cb4c5f6b59cb9a5c673c5fe"
},
{
"url": "https://git.kernel.org/stable/c/7aec5a769d2356cbf344d85bcfd36de592ac96a5"
},
{
"url": "https://git.kernel.org/stable/c/b0cd9725fe2bcc9f37d096b132318a9060373f5d"
},
{
"url": "https://git.kernel.org/stable/c/9d7032851d6f5adbe2739601ca456c0ad3b422f0"
},
{
"url": "https://git.kernel.org/stable/c/beef2634f81f1c086208191f7228bce1d366493d"
}
],
"title": "ksmbd: fix potencial OOB in get_file_all_info() for compound requests",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31433",
"datePublished": "2026-04-22T08:15:11.719Z",
"dateReserved": "2026-03-09T15:48:24.089Z",
"dateUpdated": "2026-04-27T14:03:05.745Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…