In the Linux kernel, the following vulnerability has been resolved:
smb: client: fix off-by-8 bounds check in checkwsleas()
The bounds check uses (u8 *)ea + nlen + 1 + vlen as the end of the EA name and value, but eadata sits at offset sizeof(struct smb2filefulleainfo) = 8 from ea, not at offset 0. The strncmp() later reads ea->eadata[0..nlen-1] and the value bytes follow at eadata[nlen+1..nlen+vlen], so the actual end is ea->eadata + nlen + 1 + vlen. Isn't pointer math fun?
The earlier check (u8 *)ea > end - sizeof(*ea) only guarantees the 8-byte header is in bounds, but since the last EA is placed within 8 bytes of the end of the response, the name and value bytes are read past the end of iov.
Fix this mess all up by using ea->ea_data as the base for the bounds check.
An "untrusted" server can use this to leak up to 8 bytes of kernel heap into the EA name comparison and influence which WSL xattr the data is interpreted as.
{
"cna_assigner": "Linux",
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31614.json"
}