CVE-2026-31708

smb2ioctlqueryinfo() has two response-copy branches: PASSTHRUFSCTL and the default QUERYINFO path. The QUERYINFO branch clamps qi.inputbufferlength to the server-reported OutputBufferLength and then copies qi.inputbufferlength bytes from qirsp->Buffer to userspace, but it never verifies that the flexible-array payload actually fits within rspiov[1].iov_len.

A malicious server can return OutputBufferLength larger than the actual QUERYINFO response, causing copyto_user() to walk past the response buffer and expose adjacent kernel heap to userspace.

Guard the QUERYINFO copy with a bounds check on the actual Buffer payload. Use structsize(qirsp, Buffer, qi.inputbuffer_length) rather than an open-coded addition so the guard cannot overflow on 32-bit builds.

Database specific

{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31708.json"
}

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

f5778c398713692a16150ae96e5c8270bab8399f

Fixed

a34d456934fe42e4da5d2cc07787bf418bee99c6

Fixed

ac2f14e4705d020f04e806efa0d49ab8dc2b145f

Fixed

078fae8f50adebb903ccf2252b44391324571e78

Fixed

85fd46ee26a11841c670449508025965f61ce131

Fixed

a58c5af19ff0d6f44f6e9fe31e33a2c92223f77e

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31708.json"

Linux / Kernel

Package

Name: Kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.1.0

Fixed

6.6.136

Type: ECOSYSTEM
Events: Introduced

6.7.0

Fixed

6.12.84

Type: ECOSYSTEM
Events: Introduced

6.13.0

Fixed

6.18.25

Type: ECOSYSTEM
Events: Introduced

6.19.0

Fixed

7.0.2

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31708.json"