CVE-2026-31706

Source
https://cve.org/CVERecord?id=CVE-2026-31706
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31706.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-31706
Published
2026-05-01T13:56:04.552Z
Modified
2026-06-18T03:56:49.520923104Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
ksmbd: validate num_aces and harden ACE walk in smb_inherit_dacl()
Details

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: validate num_aces and harden ACE walk in smb_inherit_dacl()

smb_inherit_dacl() trusts the on-disk num_aces value from the parent directory's DACL xattr and uses it to size a heap allocation:

aces_base = kmalloc(sizeof(struct smb_ace) * num_aces * 2, ...);

num_aces is a u16 read from le16_to_cpu(parent_pdacl->num_aces) without checking that it is consistent with the declared pdacl_size. An authenticated client whose parent directory's security.NTACL is tampered (e.g. via offline xattr corruption or a concurrent path that bypasses parse_dacl()) can present num_aces = 65535 with minimal actual ACE data. This causes a ~8 MB allocation (not kzalloc, so uninitialized) that the subsequent loop only partially populates, and may also overflow the three-way size_t multiply on 32-bit kernels.

Additionally, the ACE walk loop uses the weaker offsetof(struct smb_ace, access_req) minimum size check rather than the minimum valid on-wire ACE size, and does not reject ACEs whose declared size is below the minimum.

Reproduced on UML + KASAN + LOCKDEP against the real ksmbd code path. A legitimate mount.cifs client creates a parent directory over SMB (ksmbd writes a valid security.NTACL xattr), then the NTACL blob on the backing filesystem is rewritten to set num_aces = 0xFFFF while keeping the posix_acl_hash bytes intact so ksmbd_vfs_get_sd_xattr()'s hash check still passes. A subsequent SMB2 CREATE of a child under that parent drives smb2_open() into smb_inherit_dacl() (share has "vfs objects = acl_xattr" set), which fails the page allocator:

WARNING: mm/page_alloc.c:5226 at __alloc_frozen_pages_noprof+0x46c/0x9c0
Workqueue: ksmbd-io handle_ksmbd_work
 __alloc_frozen_pages_noprof+0x46c/0x9c0
 ___kmalloc_large_node+0x68/0x130
 __kmalloc_large_node_noprof+0x24/0x70
 __kmalloc_noprof+0x4c9/0x690
 smb_inherit_dacl+0x394/0x2430
 smb2_open+0x595d/0xabe0
 handle_ksmbd_work+0x3d3/0x1140

With the patch applied the added guard rejects the tampered value with -EINVAL before any large allocation runs, smb2_open() falls back to smb2_create_sd_buffer(), and the child is created with a default SD. No warning, no splat.

Fix by:

  1. Validating num_aces against pdacl_size using the same formula applied in parse_dacl().

  2. Replacing the raw kmalloc(sizeof * num_aces * 2) with kmalloc_array(num_aces * 2, sizeof(...)) for overflow-safe allocation.

  3. Tightening the per-ACE loop guard to require the minimum valid ACE size (offsetof(smb_ace, sid) + CIFS_SID_BASE_SIZE) and rejecting under-sized ACEs, matching the hardening in smb_check_perm_dacl() and parse_dacl().
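The three hardening steps above, shown together as an added userland model that is not the patch's code and not ksmbd's own: the layout constants are constructed to mirror the on-wire ACL header (8 bytes) and ACE header (8 bytes, SID follows), SID_BASE_SIZE of 8 stands in for CIFS_SID_BASE_SIZE, alloc_array() is a stand-in for kmalloc_array(), and the num_aces bound (declared size minus header, divided by the minimum ACE size) is my reading of "the same formula applied in parse_dacl()". validate_dacl(), build_dacl() and the case_*() helpers are hypothetical names for this example only.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Constructed layout constants mirroring the on-wire SMB ACL/ACE headers
 * (the fields struct smb_acl / struct smb_ace describe); not ksmbd's headers. */
#define ACL_HDR_SIZE     8   /* revision(1) sbz1(1) size(2) num_aces(2) sbz2(2) */
#define ACL_SIZE_OFF     2
#define ACL_NUM_ACES_OFF 4
#define ACE_HDR_SIZE     8   /* type(1) flags(1) size(2) access_req(4); SID follows */
#define ACE_SIZE_OFF     2
#define SID_BASE_SIZE    8   /* revision(1) num_subauth(1) authority(6); stands in for CIFS_SID_BASE_SIZE */
#define ACE_MIN_SIZE     (ACE_HDR_SIZE + SID_BASE_SIZE)  /* 16: smallest valid on-wire ACE */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v & 0xff); p[1] = (uint8_t)(v >> 8); }

/* Overflow-safe array allocation: the userland stand-in for kmalloc_array(). */
void *alloc_array(size_t n, size_t size)
{
    if (size != 0 && n > SIZE_MAX / size)
        return NULL;                 /* n * size would wrap; refuse instead */
    return malloc(n * size);
}

/* Validate a parent DACL blob with the three guards the fix describes and
 * count the ACEs walked. Returns -1 (EINVAL) on any inconsistency.
 * pdacl_len is the number of bytes the caller actually holds. */
int validate_dacl(const uint8_t *pdacl, size_t pdacl_len)
{
    if (pdacl_len < ACL_HDR_SIZE)
        return -1;
    uint16_t pdacl_size = rd16(pdacl + ACL_SIZE_OFF);
    uint16_t num_aces = rd16(pdacl + ACL_NUM_ACES_OFF);

    if (pdacl_size < ACL_HDR_SIZE || pdacl_size > pdacl_len)
        return -1;                   /* declared size must fit the bytes held */
    /* Step 1 (assumed parse_dacl() formula): num_aces must fit in the
     * declared size even if every ACE were the minimum size. */
    if (num_aces > (pdacl_size - ACL_HDR_SIZE) / ACE_MIN_SIZE)
        return -1;

    /* Step 2: overflow-safe sizing of the scratch array (2 entries per ACE). */
    void *aces_base = alloc_array((size_t)num_aces * 2, ACE_MIN_SIZE);
    if (!aces_base)
        return -1;
    free(aces_base);                 /* only the sizing matters here */

    /* Step 3: walk ACEs, requiring the minimum size and an in-bounds declared size. */
    size_t off = ACL_HDR_SIZE;
    int walked = 0;
    for (uint16_t i = 0; i < num_aces; i++) {
        if (pdacl_size - off < ACE_MIN_SIZE)
            return -1;               /* not even a minimal ACE left */
        uint16_t ace_size = rd16(pdacl + off + ACE_SIZE_OFF);
        if (ace_size < ACE_MIN_SIZE || ace_size > pdacl_size - off)
            return -1;               /* under-sized, or runs past the ACL */
        off += ace_size;
        walked++;
    }
    return walked;
}

/* Build a well-formed DACL with n minimal ACEs (constructed input); returns its length. */
size_t build_dacl(uint8_t *buf, size_t cap, uint16_t n)
{
    size_t len = ACL_HDR_SIZE + (size_t)n * ACE_MIN_SIZE;
    if (len > cap || len > UINT16_MAX)
        return 0;
    memset(buf, 0, len);
    buf[0] = 2;                      /* ACL revision */
    wr16(buf + ACL_SIZE_OFF, (uint16_t)len);
    wr16(buf + ACL_NUM_ACES_OFF, n);
    for (uint16_t i = 0; i < n; i++) {
        uint8_t *ace = buf + ACL_HDR_SIZE + (size_t)i * ACE_MIN_SIZE;
        wr16(ace + ACE_SIZE_OFF, ACE_MIN_SIZE);
        ace[ACE_HDR_SIZE] = 1;       /* SID revision, zero sub-authorities */
    }
    return len;
}

/* Scenarios: a valid 3-ACE DACL, the same blob with num_aces rewritten to
 * 0xFFFF as in the advisory, and one with an under-sized first ACE. */
int case_valid(void)           { uint8_t b[256]; size_t n = build_dacl(b, sizeof b, 3); return validate_dacl(b, n); }
int case_tampered_count(void)  { uint8_t b[256]; size_t n = build_dacl(b, sizeof b, 3); wr16(b + ACL_NUM_ACES_OFF, 0xFFFF); return validate_dacl(b, n); }
int case_undersized_ace(void)  { uint8_t b[256]; size_t n = build_dacl(b, sizeof b, 3); wr16(b + ACL_HDR_SIZE + ACE_SIZE_OFF, 4); return validate_dacl(b, n); }

int main(void)
{
    printf("valid DACL: %d ACEs walked\n", case_valid());
    printf("num_aces = 0xFFFF: %d\n", case_tampered_count());
    printf("under-sized ACE: %d\n", case_undersized_ace());
    return 0;
}
```

The tampered blob is rejected by the step-1 bound before any allocation is sized, which is the behaviour the advisory describes for the patched kernel; the step-3 guard catches the separate case where num_aces is plausible but an individual ACE declares a size below the minimum.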

v1 -> v2:

  - Replace the synthetic test-module splat in the changelog with a real-path UML + KASAN reproduction driven through mount.cifs and SMB2 CREATE; Namjae flagged the kcifs3testinheritdaclold name in v1 since it does not exist in ksmbd.

  - Drop the commit-hash citation from the code comment per Namjae's review; keep the parse_dacl() pointer.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31706.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9
Fixed
063a7409b0de46d7c770b65bb0338e6fdb3b1f0a
Fixed
3e5360b422dd741cb315654a191fa73869a37414
Fixed
59c32abaaec9cdd6164811c7e864e72f7554b82d
Fixed
3e4e2ea2a781018ed5d75f969e3e5606beb66e48

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31706.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.15.0
Fixed
6.12.84
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.18.25
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
7.0.2

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31706.json"