CVE-2026-31712 (HIGH 8.3, EPSS percentile 21.8%)
linux / linux_kernel
Description
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: require minimum ACE size in smb_check_perm_dacl()
Both ACE-walk loops in smb_check_perm_dacl() only guard against an
under-sized remaining buffer, not against an ACE whose declared
`ace->size` is smaller than the struct it claims to describe:

```c
if (offsetof(struct smb_ace, access_req) > aces_size)
	break;
ace_size = le16_to_cpu(ace->size);
if (ace_size > aces_size)
	break;
```

The first check only requires the 4-byte ACE header to be in bounds;
it does not require access_req (4 bytes at offset 4) to be readable.
An attacker who has set a crafted DACL on a file they own can declare
ace->size == 4 with aces_size == 4, pass both checks, and then

```c
granted |= le32_to_cpu(ace->access_req); /* upper loop */
compare_sids(&sid, &ace->sid); /* lower loop */
```

reads access_req at offset 4 (OOB by up to 4 bytes) and ace->sid at
offset 8 (OOB by up to CIFS_SID_BASE_SIZE
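The guard logic above, reduced to a stand-alone ACE walker so the missing check can be exercised against a constructed buffer. This is an added example, not kernel code: the simplified little-endian ACE layout (4-byte header, access_req at offset 4, SID at offset 8), the `strict` switch, the `ACE_MIN_SIZE` value and the sample buffers are all assumptions made for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>

/* Assumed, simplified on-wire ACE layout (little-endian): 4-byte header
 * (type, flags, u16 size), access_req at offset 4, SID at offset 8. */
#define ACE_HDR_SIZE  4u
#define ACE_MIN_SIZE  8u   /* header + access_req: smallest ACE safe to read */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* OR together access_req of every ACE, like the upper loop in
 * smb_check_perm_dacl(). strict=0 applies only the two guards quoted in
 * the advisory; strict=1 adds the minimum-size requirement. */
static uint32_t walk_dacl(const uint8_t *aces, size_t aces_size, int strict)
{
    uint32_t granted = 0;
    while (aces_size > 0) {
        if (ACE_HDR_SIZE > aces_size)      /* quoted guard 1: header in bounds */
            break;
        uint16_t ace_size = rd16(aces + 2);
        if (ace_size > aces_size)          /* quoted guard 2: ACE in bounds */
            break;
        if (ace_size == 0)                 /* assumption: zero size ends the list */
            break;
        if (strict && ace_size < ACE_MIN_SIZE)
            break;                         /* the missing check: too short for access_req */
        /* With strict=0 and ace_size == 4 this reads 4 bytes past the ACE. */
        granted |= rd32(aces + 4);
        aces += ace_size;
        aces_size -= ace_size;
    }
    return granted;
}

/* Constructed sample: a 4-byte ACE (size field = 4) followed by 12 bytes
 * standing in for whatever memory follows the DACL; only 4 bytes are
 * passed as aces_size, so anything read past them is out of bounds. */
static const uint8_t crafted[16] = { 0x00, 0x00, 0x04, 0x00,
                                     0xff, 0xff, 0xff, 0xff, 0, 0, 0, 0, 0, 0, 0, 0 };
/* Constructed sample: a well-formed 8-byte ACE whose access_req is 0x00120089. */
static const uint8_t wellformed[8] = { 0x00, 0x00, 0x08, 0x00, 0x89, 0x00, 0x12, 0x00 };
```

With the quoted guards alone, `walk_dacl(crafted, 4, 0)` returns bits that came from beyond the declared ACE; with the minimum-size check it returns 0 and the well-formed ACE is unaffected.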
Scoring
| Metric | Value |
|---|---|
| CVSS 3.1 | 8.3 (HIGH) |
| Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:H |
| EPSS | 0.30% probability of exploitation · percentile 21.8% · 2026-06-19T12:03:05Z |
| Published | 2026-05-01 |
| Last modified | 2026-06-19 |
Underlying weaknesses (1)
References
- https://git.kernel.org/stable/c/151b1799861fde38087c08f613abc2843ef597b0
- https://git.kernel.org/stable/c/325d4ac11f526cb8964cff14548ccf02d8c756d8
- https://git.kernel.org/stable/c/90089584b2e25c4510b7b987387b4405f0673ece
- https://git.kernel.org/stable/c/95e5aa3c3261da8c95b27d7aecf8ee39b9f86a4c
- https://git.kernel.org/stable/c/d07b26f39246a82399661936dd0c853983cfade7
| Type | Target | Confidence | Tier |
|---|---|---|---|
| Weakness | Out-of-bounds Write (CWE-787) | 0% | live |