CVE-2026-31705

Summary

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: fix out-of-bounds write in smb2_get_ea() EA alignment

smb2_get_ea() applies 4-byte alignment padding via memset() after writing each EA entry. The bounds check on buf_free_len is performed before the value memcpy, but the alignment memset fires unconditionally afterward with no check on remaining space.

When the EA value exactly fills the remaining buffer (buf_free_len == 0 after value subtraction), the alignment memset writes 1-3 NUL bytes past the buf_free_len boundary. In compound requests where the response buffer is shared across commands, the first command (e.g., READ) can consume most of the buffer, leaving a tight remainder for the QUERY_INFO EA response. The alignment memset then overwrites past the physical kvmalloc allocation into adjacent kernel heap memory.

Add a bounds check before the alignment memset to ensure buf_free_len can accommodate the padding bytes.

This is the same bug pattern fixed by commit beef2634f81f ("ksmbd: fix potencial OOB in get_file_all_info() for compound requests") and commit fda9522ed6af ("ksmbd: fix OOB write in QUERY_INFO for compound requests"), both of which added bounds checks before unconditional writes in QUERY_INFO response handlers.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux9f297df20d93411c0b4ddad7f88ba04a7cd36e77 < ddbbc8b2a09dd2cfed90871313e3691ae1db08a2affected
LinuxLinuxe2b76ab8b5c9327ab2dae6da05d0752eb2f4771d < ffbce350c6fd1e99116ea57383b9031717e36d3baffected
LinuxLinuxe2b76ab8b5c9327ab2dae6da05d0752eb2f4771d < 98f3de6ef4efbd899348d333f0902dc4ff14380caffected
LinuxLinuxe2b76ab8b5c9327ab2dae6da05d0752eb2f4771d < 790304c02bf9bd7b8171feda4294d6e62d32ae8faffected
LinuxLinuxe2b76ab8b5c9327ab2dae6da05d0752eb2f4771d < 922d48fe8c19f388ffa2f709f33acaae4e408de2affected
LinuxLinuxe2b76ab8b5c9327ab2dae6da05d0752eb2f4771d < 30010c952077a1c89ecdd71fc4d574c75a8f5617affected
LinuxLinuxf2283680a80571ca82d710bc6ecd8f8beac67d63affected
LinuxLinux6.1.71 < 6.1.175affected
LinuxLinux5.15.145 < 5.16affected
LinuxLinux6.6affected
LinuxLinux0 < 6.6unaffected
LinuxLinux6.1.175 <= 6.1.*unaffected
LinuxLinux6.6.136 <= 6.6.*unaffected
LinuxLinux6.12.84 <= 6.12.*unaffected
LinuxLinux6.18.25 <= 6.18.*unaffected
LinuxLinux7.0.2 <= 7.0.*unaffected
LinuxLinux7.1 <= *unaffected

Weaknesses

References