CVE-2026-31712

Summary

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: require minimum ACE size in smb_check_perm_dacl()

Both ACE-walk loops in smb_check_perm_dacl() only guard against an under-sized remaining buffer, not against an ACE whose declared ace->size is smaller than the struct it claims to describe:

if (offsetof(struct smb_ace, access_req) > aces_size) break; ace_size = le16_to_cpu(ace->size); if (ace_size > aces_size) break;

The first check only requires the 4-byte ACE header to be in bounds; it does not require access_req (4 bytes at offset 4) to be readable. An attacker who has set a crafted DACL on a file they own can declare ace->size == 4 with aces_size == 4, pass both checks, and then

granted |= le32_to_cpu(ace->access_req); /* upper loop / compare_sids(&sid, &ace->sid); / lower loop */

reads access_req at offset 4 (OOB by up to 4 bytes) and ace->sid at offset 8 (OOB by up to CIFS_SID_BASE_SIZE + SID_MAX_SUB_AUTHORITIES

  • 4 bytes).

Tighten both loops to require

ace_size >= offsetof(struct smb_ace, sid) + CIFS_SID_BASE_SIZE

which is the smallest valid on-wire ACE layout (4-byte header + 4-byte access_req + 8-byte sid base with zero sub-auths). Also reject ACEs whose sid.num_subauth exceeds SID_MAX_SUB_AUTHORITIES before letting compare_sids() dereference sub_auth[] entries.

parse_sec_desc() already enforces an equivalent check (lines 441-448); smb_check_perm_dacl() simply grew weaker validation over time.

Reachability: authenticated SMB client with permission to set an ACL on a file. On a subsequent CREATE against that file, the kernel walks the stored DACL via smb_check_perm_dacl() and triggers the OOB read. Not pre-auth, and the OOB read is not reflected to the attacker, but KASAN reports and kernel state corruption are possible.

Affected Software

VendorProductVersion RangeStatus
LinuxLinuxe2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9 < 282cbbb476b9f35793452bc461934af4c7eca169affected
LinuxLinuxe2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9 < f20adc4ef7428bc485ee83fd1a592252fb87718baffected
LinuxLinuxe2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9 < 325d4ac11f526cb8964cff14548ccf02d8c756d8affected
LinuxLinuxe2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9 < 95e5aa3c3261da8c95b27d7aecf8ee39b9f86a4caffected
LinuxLinuxe2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9 < 90089584b2e25c4510b7b987387b4405f0673eceaffected
LinuxLinuxe2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9 < 151b1799861fde38087c08f613abc2843ef597b0affected
LinuxLinuxe2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9 < d07b26f39246a82399661936dd0c853983cfade7affected
LinuxLinux5.15affected
LinuxLinux0 < 5.15unaffected
LinuxLinux5.15.210 <= 5.15.*unaffected
LinuxLinux6.1.176 <= 6.1.*unaffected
LinuxLinux6.6.140 <= 6.6.*unaffected
LinuxLinux6.12.84 <= 6.12.*unaffected
LinuxLinux6.18.25 <= 6.18.*unaffected
LinuxLinux7.0.2 <= 7.0.*unaffected
LinuxLinux7.1 <= *unaffected

Weaknesses

References