CVE-2026-31614
N/A
Summary
In the Linux kernel, the following vulnerability has been resolved:
smb: client: fix off-by-8 bounds check in check_wsl_eas()
The bounds check uses (u8 *)ea + nlen + 1 + vlen as the end of the EA name and value, but ea_data sits at offset sizeof(struct smb2_file_full_ea_info) = 8 from ea, not at offset 0. The strncmp() later reads ea->ea_data[0..nlen-1] and the value bytes follow at ea_data[nlen+1..nlen+vlen], so the actual end is ea->ea_data + nlen + 1
- vlen. Isn't pointer math fun?
The earlier check (u8 *)ea > end - sizeof(*ea) only guarantees the 8-byte header is in bounds, but since the last EA is placed within 8 bytes of the end of the response, the name and value bytes are read past the end of iov.
Fix this mess all up by using ea->ea_data as the base for the bounds check.
An "untrusted" server can use this to leak up to 8 bytes of kernel heap into the EA name comparison and influence which WSL xattr the data is interpreted as.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | 7449d736bbbd160c76b01b8fcdf72f58a8757d4b < bfbc74df8bbe095b3ed68f6d4487b368af087890 | affected |
| Linux | Linux | ea41367b2a602f602ea6594fc4a310520dcc64f4 < 5cc0574c84aa73946ade587c41e81757b8b01cb5 | affected |
| Linux | Linux | ea41367b2a602f602ea6594fc4a310520dcc64f4 < b2b76d09a64c538c57006180103fc1841e8cfa66 | affected |
| Linux | Linux | ea41367b2a602f602ea6594fc4a310520dcc64f4 < ba3ad159aa61810bbe0acaf39578b1ebfb6f1a18 | affected |
| Linux | Linux | ea41367b2a602f602ea6594fc4a310520dcc64f4 < a893f1757d9a4009e4a8d7ceb2312142fe29cea4 | affected |
| Linux | Linux | ea41367b2a602f602ea6594fc4a310520dcc64f4 < 3d8b9d06bd3ac4c6846f5498800b0f5f8062e53b | affected |
| Linux | Linux | 6.6.32 < 6.6.136 | affected |
| Linux | Linux | 6.9 | affected |
| Linux | Linux | 0 < 6.9 | unaffected |
| Linux | Linux | 6.6.136 <= 6.6.* | unaffected |
| Linux | Linux | 6.12.83 <= 6.12.* | unaffected |
| Linux | Linux | 6.18.24 <= 6.18.* | unaffected |
| Linux | Linux | 6.19.14 <= 6.19.* | unaffected |
| Linux | Linux | 7.0.1 <= 7.0.* | unaffected |
| Linux | Linux | 7.1 <= * | unaffected |
Weaknesses
References
- https://git.kernel.org/stable/c/bfbc74df8bbe095b3ed68f6d4487b368af087890
- https://git.kernel.org/stable/c/5cc0574c84aa73946ade587c41e81757b8b01cb5
- https://git.kernel.org/stable/c/b2b76d09a64c538c57006180103fc1841e8cfa66
- https://git.kernel.org/stable/c/ba3ad159aa61810bbe0acaf39578b1ebfb6f1a18
- https://git.kernel.org/stable/c/a893f1757d9a4009e4a8d7ceb2312142fe29cea4
- https://git.kernel.org/stable/c/3d8b9d06bd3ac4c6846f5498800b0f5f8062e53b
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.