CVE-2026-31712

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: require minimum ACE size in smbcheckperm_dacl()

Both ACE-walk loops in smbcheckperm_dacl() only guard against an under-sized remaining buffer, not against an ACE whose declared ace->size is smaller than the struct it claims to describe:

if (offsetof(struct smbace, accessreq) > acessize) break; acesize = le16tocpu(ace->size); if (acesize > acessize) break;

The first check only requires the 4-byte ACE header to be in bounds; it does not require accessreq (4 bytes at offset 4) to be readable. An attacker who has set a crafted DACL on a file they own can declare ace->size == 4 with acessize == 4, pass both checks, and then

granted |= le32tocpu(ace->accessreq); /* upper loop */ comparesids(&sid, &ace->sid); /* lower loop */

reads accessreq at offset 4 (OOB by up to 4 bytes) and ace->sid at offset 8 (OOB by up to CIFSSIDBASESIZE + SIDMAXSUB_AUTHORITIES * 4 bytes).

Tighten both loops to require

acesize >= offsetof(struct smbace, sid) + CIFSSIDBASE_SIZE

which is the smallest valid on-wire ACE layout (4-byte header + 4-byte accessreq + 8-byte sid base with zero sub-auths). Also reject ACEs whose sid.numsubauth exceeds SIDMAXSUBAUTHORITIES before letting comparesids() dereference sub_auth[] entries.

parsesecdesc() already enforces an equivalent check (lines 441-448); smbcheckperm_dacl() simply grew weaker validation over time.

Reachability: authenticated SMB client with permission to set an ACL on a file. On a subsequent CREATE against that file, the kernel walks the stored DACL via smbcheckperm_dacl() and triggers the OOB read. Not pre-auth, and the OOB read is not reflected to the attacker, but KASAN reports and kernel state corruption are possible.