CVE-2026-31611

parsedacl() compares each ACE SID against sidunixNFSmode and on match reads sid.subauth[2] as the file mode. If sidunixNFSmode is the prefix S-1-5-88-3 with numsubauth = 2 then comparesids() compares only min(numsubauth, 2) sub-authorities so a client SID with numsubauth = 2 and sub_auth = {88, 3} will match.

If numsubauth = 2 and the ACE is placed at the very end of the security descriptor, subauth[2] will be 4 bytes past endofacl. The out-of-band bytes will then be masked to the low 9 bits and applied as the file's POSIX mode, probably not something that is good to have happen.

Fix this up by forcing the SID to actually carry a third sub-authority before reading it at all.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31611.json",
    "cna_assigner": "Linux"
}

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9

Fixed

b5b5d5936a50497fb151c0b122899a6894721c2b

Fixed

08f9e6d899b5c834bbcc239eae1bed58d9b15d2c

Fixed

d2454f4a002d08560a60f214f392e6491cf11560

Fixed

46bbcd3ebfb3549c8da1838fc4493e79bd3241e7

Fixed

9401f86a224f37b50e6a3ccf1d46a70d5ef8af0a

Fixed

53370cf9090777774e07fd9a8ebce67c6cc333ab

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31611.json"

Linux / Kernel

Package

Name: Kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.15.0

Fixed

6.6.136

Type: ECOSYSTEM
Events: Introduced

6.7.0

Fixed

6.12.83

Type: ECOSYSTEM
Events: Introduced

6.13.0

Fixed

6.18.24

Type: ECOSYSTEM
Events: Introduced

6.19.0

Fixed

6.19.14

Type: ECOSYSTEM
Events: Introduced

6.20.0

Fixed

7.0.1

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31611.json"