From: Greg Kroah-Hartman
To: linux-cve-announce@vger.kernel.org
Cc: Greg Kroah-Hartman
Subject: CVE-2026-31432: ksmbd: fix OOB write in QUERY_INFO for compound requests
Date: Wed, 22 Apr 2026 10:15:16 +0200
Message-ID: <2026042216-CVE-2026-31432-e990@gregkh>

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: fix OOB write in QUERY_INFO for compound requests

When a compound request such as READ + QUERY_INFO(Security) is received, and the first command (READ) consumes most of the response buffer, ksmbd could write beyond the allocated buffer while building a security descriptor.

The root cause was that smb2_get_info_sec() checked buffer space using ppntsd_size from xattr, while build_sec_desc() often synthesized a significantly larger descriptor from POSIX ACLs.

This patch introduces smb_acl_sec_desc_scratch_len() to accurately compute the final descriptor size beforehand, performs proper buffer checking with smb2_calc_max_out_buf_len(), and uses exact-sized allocation + iov pinning.

The Linux kernel CVE team has assigned CVE-2026-31432 to this issue.
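The size mismatch the description attributes to smb2_get_info_sec() and build_sec_desc(), shown as an added userland model in C that is not ksmbd's code: the buffer length, the xattr descriptor length, the 12-byte-per-ACE growth and the helper names are constructed stand-ins, and the only thing carried over from the advisory is the pattern of checking one length while writing another, next to the fixed pattern of computing the final length before the check.

```c
#include <stddef.h>

/* Constructed userland model of the size mismatch in the advisory; not ksmbd code.
 * All commands of a compound request share one fixed-size response buffer. */
#define RESP_BUF_LEN 64

/* Stand-in for ppntsd_size: the length of the descriptor stored in the xattr. */
#define XATTR_SD_LEN 8

/* Stand-in for build_sec_desc(): the descriptor it synthesizes carries one ACE
 * per POSIX ACL entry, so it is usually much larger than the xattr copy. */
static size_t synthesized_sd_len(unsigned n_acl_entries)
{
    return XATTR_SD_LEN + (size_t)n_acl_entries * 12; /* 12 bytes per ACE, assumed */
}

/* Stand-in for smb2_calc_max_out_buf_len(): space left after earlier commands
 * in the compound (e.g. READ) consumed `used` bytes of the response buffer. */
static size_t max_out_buf_len(size_t used)
{
    return used >= RESP_BUF_LEN ? 0 : RESP_BUF_LEN - used;
}

/* Both handlers return -1 when the request is rejected, otherwise the number of
 * bytes the descriptor build would place past the end of the buffer (0 = safe). */

/* Vulnerable pattern: the check uses the xattr length, the write uses the
 * synthesized length, so a large ACL slips through when little space is left. */
long query_info_sec_vulnerable(size_t used, unsigned n_acl_entries)
{
    size_t avail = max_out_buf_len(used);
    if (XATTR_SD_LEN > avail)
        return -1;
    size_t written = synthesized_sd_len(n_acl_entries);
    return written > avail ? (long)(written - avail) : 0;
}

/* Fixed pattern (smb_acl_sec_desc_scratch_len() in the patch): compute the
 * final size first and check that, then allocate exactly that many bytes. */
long query_info_sec_fixed(size_t used, unsigned n_acl_entries)
{
    size_t need = synthesized_sd_len(n_acl_entries);
    if (need > max_out_buf_len(used))
        return -1;
    return 0; /* an exact-sized allocation of `need` bytes would follow here */
}
```

With 56 of 64 bytes already consumed by the first command, the vulnerable check passes on the 8-byte xattr length and the 44-byte synthesized descriptor would overrun by 36 bytes, while the fixed check rejects the request before anything is written.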
Affected and fixed versions
===========================

	Issue introduced in 6.6 with commit e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d and fixed in 6.12.81 with commit d48c64fb80ad78b3dd29fb7d79b6ec7bd72bfc09
	Issue introduced in 6.6 with commit e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d and fixed in 6.18.22 with commit 075ea208c648cc2bcd616295b711d3637c61de45
	Issue introduced in 6.6 with commit e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d and fixed in 6.19.12 with commit 515c2daab46021221bdf406bef19bc90a44ec617
	Issue introduced in 6.6 with commit e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d and fixed in 7.0 with commit fda9522ed6afaec45cabc198d8492270c394c7bc
	Issue introduced in 5.15.145 with commit f2283680a80571ca82d710bc6ecd8f8beac67d63
	Issue introduced in 6.1.71 with commit 9f297df20d93411c0b4ddad7f88ba04a7cd36e77

Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2026-31432 will be updated if fixes are backported; please check that for the most up to date information about this issue.

Affected files
==============

The file(s) affected by this issue are:
	fs/smb/server/smb2pdu.c
	fs/smb/server/smbacl.c
	fs/smb/server/smbacl.h

Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all.
If, however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits:
	https://git.kernel.org/stable/c/d48c64fb80ad78b3dd29fb7d79b6ec7bd72bfc09
	https://git.kernel.org/stable/c/075ea208c648cc2bcd616295b711d3637c61de45
	https://git.kernel.org/stable/c/515c2daab46021221bdf406bef19bc90a44ec617
	https://git.kernel.org/stable/c/fda9522ed6afaec45cabc198d8492270c394c7bc