CVE-2026-31613 | HIGH 8.1 | EPSS p29.5%
linux / linux_kernel
Description
In the Linux kernel, the following vulnerability has been resolved:

smb: client: fix OOB reads parsing symlink error response

When a CREATE returns STATUS_STOPPED_ON_SYMLINK, smb2_check_message()
returns success without any length validation, leaving the symlink
parsers as the only defense against an untrusted server.

symlink_data() walks SMB 3.1.1 error contexts with the loop test "p <
end", but reads p->ErrorId at offset 4 and p->ErrorDataLength at offset
0. When the server-controlled ErrorDataLength advances p to within 1-7
bytes of end, the next iteration will read past it. When the matching
context is found, sym->SymLinkErrorTag is read at offset 4 from
p->ErrorContextData with no check that the symlink header itself fits.

smb2_parse_symlink_response() then bounds-checks the substitute name
using SMB2_SYMLINK_STRUCT_SIZE as the offset of PathBuffer from
iov_base. That value is computed as sizeof(smb2_err_rsp) +
sizeof(smb2_symlink_err_rsp), which is correct only when
ErrorC
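The two missing checks in the context walk described above, shown as a user-space sketch added to this record (it is not the kernel's code or the upstream fix): the loop requires a whole 8-byte context header before reading it, and a matching context must hold 8 data bytes before the tag at offset 4 is read. Assumptions not stated on this page: the symlink context's ErrorId is 0, the tag value is 0x4C4D5953, contexts are padded to 8 bytes, and all names and sample buffers are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define CTX_HDR_LEN 8u            /* ErrorDataLength @0 + ErrorId @4 */
#define SYMLINK_ID  0u            /* assumed ErrorId of the symlink context */
#define SYMLINK_TAG 0x4C4D5953u   /* assumed SymLinkErrorTag value, "SYML" */

static uint32_t le32(const uint8_t *p)
{
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Returns the offset of the symlink error data in buf, or -1 if absent or malformed. */
long find_symlink_ctx(const uint8_t *buf, size_t len)
{
    size_t off = 0;
    while (len - off >= CTX_HDR_LEN) {      /* whole header fits, not just off < len */
        uint32_t dlen = le32(buf + off), id = le32(buf + off + 4);
        size_t avail = len - off - CTX_HDR_LEN;
        if (dlen > avail)
            return -1;                      /* length field overruns the buffer */
        if (id == SYMLINK_ID) {
            /* the tag is at offset 4 of the data, so 8 data bytes must be present */
            if (dlen < 8 || le32(buf + off + CTX_HDR_LEN + 4) != SYMLINK_TAG)
                return -1;
            return (long)(off + CTX_HDR_LEN);
        }
        size_t step = ((size_t)dlen + 7) & ~(size_t)7;  /* assumed 8-byte padding */
        if (step > avail)
            return -1;                      /* padding would step past the end */
        off += CTX_HDR_LEN + step;
    }
    return -1;
}

/* Constructed sample: one unrelated context, then a symlink context. */
const uint8_t sample[32] = {
    4, 0, 0, 0,  0x34, 0x12, 0, 0,  0xAA, 0xAA, 0xAA, 0xAA,  0, 0, 0, 0,
    8, 0, 0, 0,  0, 0, 0, 0,        0, 0, 0, 0,              'S', 'Y', 'M', 'L',
};
/* Constructed sample: matching ErrorId but only 4 data bytes, no room for the tag. */
const uint8_t short_sym[12] = { 4, 0, 0, 0,  0, 0, 0, 0,  0, 0, 0, 0 };

int main(void)
{
    printf("%ld %ld %ld\n", find_symlink_ctx(sample, 32),
           find_symlink_ctx(sample, 20), find_symlink_ctx(short_sym, 12));
    return 0;
}
```

Truncating `sample` to 20 bytes leaves the walk 4 bytes short of the end after the first context, the case where a bare "p < end" test would still read the next header.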
Scoring
| CVSS 3.1 | 8.1 (HIGH) |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H |
| EPSS | 0.38% probability of exploitation · percentile 29.5% · 2026-06-18T12:00:27Z |
| Published | 2026-04-24 |
| Last modified | 2026-06-01 |
Underlying weaknesses· 1
References
- https://git.kernel.org/stable/c/20ac98f0eb6047edb73c9a27af782bdde08b3757
- https://git.kernel.org/stable/c/3df690bba28edec865cf7190be10708ad0ddd67e
- https://git.kernel.org/stable/c/781902e069f4ecb6c3b83502f181972c1446110a
- https://git.kernel.org/stable/c/a66ef2e7ed837325c5600f8617d5ee0a0a149fdd
- https://git.kernel.org/stable/c/d65a64755a3df68a2fd19d2a81395e9f723aca23
- https://git.kernel.org/stable/c/e0dd90d14cbbf318157ea8e3fb62ee68a28655ed
| Type | Target | Confidence | Tier |
|---|---|---|---|
| Weakness | Out-of-bounds Read (CWE-125) | 0% | live |