CVE-2026-31707

Source
https://cve.org/CVERecord?id=CVE-2026-31707
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31707.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-31707
Downstream
Related
Published
2026-05-01T13:56:05.219Z
Modified
2026-06-18T03:56:13.275386391Z
Severity
  • 7.1 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Summary
ksmbd: validate response sizes in ipc_validate_msg()
Details

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: validate response sizes in ipc_validate_msg()

ipc_validate_msg() computes the expected message size for each response type by adding (or multiplying) attacker-controlled fields from the daemon response to a fixed struct size in unsigned int arithmetic. Three cases can overflow:

KSMBD_EVENT_RPC_REQUEST: msg_sz = sizeof(struct ksmbd_rpc_command) + resp->payload_sz;
KSMBD_EVENT_SHARE_CONFIG_REQUEST: msg_sz = sizeof(struct ksmbd_share_config_response) + resp->payload_sz;
KSMBD_EVENT_LOGIN_REQUEST_EXT: msg_sz = sizeof(struct ksmbd_login_response_ext) + resp->ngroups * sizeof(gid_t);

resp->payload_sz is __u32 and resp->ngroups is __s32. Each addition can wrap in unsigned int; the multiplication by sizeof(gid_t) mixes signed and size_t, so a negative ngroups is converted to SIZE_MAX before the multiply. A wrapped value of msg_sz that happens to equal entry->msg_sz bypasses the size check on the next line, and downstream consumers (smb2pdu.c:6742 memcpy using rpc_resp->payload_sz, kmemdup in ksmbd_alloc_user using resp_ext->ngroups) then trust the unverified length.

Use check_add_overflow() on the RPC_REQUEST and SHARE_CONFIG_REQUEST paths to detect integer overflow without constraining functional payload size; userspace ksmbd-tools grows NDR responses in 4096-byte chunks for calls like NetShareEnumAll, so a hard transport cap is unworkable on the response side. For LOGIN_REQUEST_EXT, reject resp->ngroups outside the signed [0, NGROUPS_MAX] range up front and report the error from ipc_validate_msg() so it fires at the IPC boundary; with that bound the subsequent multiplication and addition stay well below UINT_MAX. The now-redundant ngroups check and pr_err in ksmbd_alloc_user() are removed.

This is the response-side analogue of aab98e2dbd64 ("ksmbd: fix integer overflows on 32 bit systems"), which hardened the request side.
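The following is an added userspace model of the size check described above; it is not the kernel's ipc_validate_msg() and not the fix's diff. The header sizes (HDR_RPC_SZ, HDR_LOGIN_SZ), the NGROUPS_MAX_ value, the function names and all inputs are assumptions constructed for this illustration, and the GCC/Clang builtin __builtin_add_overflow stands in for the kernel's check_add_overflow(). It shows the two arithmetic failure modes the commit message names, an unsigned int addition that wraps and a signed ngroups promoted to size_t before the multiply, each beside the hardened form, so that the same received length is accepted by the vulnerable check and rejected by the fixed one.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed stand-ins for the kernel constants. The real sizeof() values
 * come from ksmbd_netlink.h and NGROUPS_MAX from <linux/limits.h>; only
 * the shape of the arithmetic matters for this demonstration. */
#define HDR_RPC_SZ    32u     /* stands in for sizeof(struct ksmbd_rpc_command) */
#define HDR_LOGIN_SZ  64u     /* stands in for sizeof(struct ksmbd_login_response_ext) */
#define NGROUPS_MAX_  65536   /* same value as Linux NGROUPS_MAX (assumed) */
typedef uint32_t gid_t_;      /* sizeof(gid_t) == 4 on Linux */

/* entry_msg_sz is the byte count the IPC layer actually received;
 * payload_sz / ngroups are the daemon-supplied fields of the response.
 * Each validator returns 0 to accept and -1 to reject. */

/* Vulnerable shape: plain unsigned int addition, then an equality check. */
int rpc_check_vulnerable(uint32_t entry_msg_sz, uint32_t payload_sz)
{
    unsigned int msg_sz = HDR_RPC_SZ + payload_sz;   /* can wrap */
    return entry_msg_sz != msg_sz ? -1 : 0;
}

/* Hardened shape: refuse the response if the addition overflows. */
int rpc_check_fixed(uint32_t entry_msg_sz, uint32_t payload_sz)
{
    unsigned int msg_sz;
    if (__builtin_add_overflow(HDR_RPC_SZ, payload_sz, &msg_sz))
        return -1;
    return entry_msg_sz != msg_sz ? -1 : 0;
}

/* Vulnerable shape: int * size_t promotes ngroups to size_t, so a negative
 * count becomes a huge unsigned value; the product wraps and is then
 * truncated to unsigned int on assignment. */
int login_check_vulnerable(uint32_t entry_msg_sz, int32_t ngroups)
{
    unsigned int msg_sz = entry_msg_sz;
    if (ngroups)
        msg_sz = HDR_LOGIN_SZ + ngroups * sizeof(gid_t_);
    return entry_msg_sz != msg_sz ? -1 : 0;
}

/* Hardened shape: bound ngroups to [0, NGROUPS_MAX] before any arithmetic;
 * 64 + 65536 * 4 is far below UINT_MAX, so no overflow check is needed. */
int login_check_fixed(uint32_t entry_msg_sz, int32_t ngroups)
{
    unsigned int msg_sz = entry_msg_sz;
    if (ngroups < 0 || ngroups > NGROUPS_MAX_)
        return -1;
    if (ngroups)
        msg_sz = HDR_LOGIN_SZ + (unsigned int)ngroups * sizeof(gid_t_);
    return entry_msg_sz != msg_sz ? -1 : 0;
}

int main(void)
{
    /* Constructed inputs. Honest responses: 40 payload bytes, or two gids. */
    printf("rpc honest    vuln=%d fixed=%d\n",
           rpc_check_vulnerable(72, 40), rpc_check_fixed(72, 40));
    /* 32 + 0xFFFFFFE8 == 0x100000008, which wraps to 8 in unsigned int. */
    printf("rpc wrapped   vuln=%d fixed=%d\n",
           rpc_check_vulnerable(8, 0xFFFFFFE8u), rpc_check_fixed(8, 0xFFFFFFE8u));
    printf("login honest  vuln=%d fixed=%d\n",
           login_check_vulnerable(72, 2), login_check_fixed(72, 2));
    /* -1073741822 * 4 == -4294967288 == 8 (mod 2^32), so the wrapped size
     * equals the honest two-gid size of 72 while ngroups stays negative. */
    printf("login wrapped vuln=%d fixed=%d\n",
           login_check_vulnerable(72, -1073741822),
           login_check_fixed(72, -1073741822));
    return 0;
}
```

The negative-ngroups case is the one to keep in mind when auditing similar code: the equality test against the received length looks like a sufficient guard, but a value that wraps back onto a plausible size passes it while the original signed field, still negative, flows on to kmemdup() and friends. Bounding the field before the arithmetic is what removes the ambiguity, not a stricter equality check.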

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31707.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
0626e6641f6b467447c81dd7678a69c66f7746cf
Fixed
bf396208418371174869baba9434535cd3288e80
Fixed
7dd0c858e1909769a4c91842724315ee74f1a5f1
Fixed
299db777ea0cfa5c407e41b045c24a14c034c27b
Fixed
99c631d0366c1eab8fb188fe66425f4581ebdde4
Fixed
d6a6aa81eac2c9bff66dc6e191179cb69a14426b

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31707.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.15.0
Fixed
6.6.141
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.84
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.18.25
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
7.0.2

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31707.json"