{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-31478","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2026-03-09T15:48:24.098Z","datePublished":"2026-04-22T13:54:06.157Z","dateUpdated":"2026-04-27T14:03:32.354Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-04-27T14:03:32.354Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: replace hardcoded hdr2_len with offsetof() in smb2_calc_max_out_buf_len()\n\nAfter this commit (e2b76ab8b5c9 \"ksmbd: add support for read compound\"),\nresponse buffer management was changed to use dynamic iov array.\nIn the new design, smb2_calc_max_out_buf_len() expects the second\nargument (hdr2_len) to be the offset of ->Buffer field in the\nresponse structure, not a hardcoded magic number.\nFix the remaining call sites to use the correct offsetof() value."}],"metrics":[{"cvssV3_1":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL"}}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/smb/server/smb2pdu.c"],"versions":[{"version":"f2283680a80571ca82d710bc6ecd8f8beac67d63","lessThan":"70b4c414889492c522b6e4331562360f49be2361","status":"affected","versionType":"git"},{"version":"9f297df20d93411c0b4ddad7f88ba04a7cd36e77","lessThan":"9a7166f0ef8cbb7bb48dd05e2471d995566003f5","status":"affected","versionType":"git"},{"version":"e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d","lessThan":"c3a89e3ec1ccf64fa6a34e391e1581ebbcba8683","status":"affected","versionType":"git"},{"version":"e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d","lessThan":"6aef1765d6807e0f027cd87f6ac973eb0879a46d","status":"affected","versionType":"git"},{"version":"e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d","lessThan":"80824c7e527b70cf9039534e60aff592e8f209d1","status":"affected","versionType":"git"},{"version":"e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d","lessThan":"4cb537ae4f37d7d0f617815ed4bed7173fb50861","status":"affected","versionType":"git"},{"version":"e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d","lessThan":"0e55f63dd08f09651d39e1b709a91705a8a0ddcb","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/smb/server/smb2pdu.c"],"versions":[{"version":"6.6","status":"affected"},{"version":"0","lessThan":"6.6","status":"unaffected","versionType":"semver"},{"version":"5.15.203","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.168","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.131","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.80","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.18.21","lessThanOrEqual":"6.18.*","status":"unaffected","versionType":"semver"},{"version":"6.19.11","lessThanOrEqual":"6.19.*","status":"unaffected","versionType":"semver"},{"version":"7.0","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15.145","versionEndExcluding":"5.15.203"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.1.71","versionEndExcluding":"6.1.168"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.6","versionEndExcluding":"6.6.131"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.6","versionEndExcluding":"6.12.80"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.6","versionEndExcluding":"6.18.21"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.6","versionEndExcluding":"6.19.11"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.6","versionEndExcluding":"7.0"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/70b4c414889492c522b6e4331562360f49be2361"},{"url":"https://git.kernel.org/stable/c/9a7166f0ef8cbb7bb48dd05e2471d995566003f5"},{"url":"https://git.kernel.org/stable/c/c3a89e3ec1ccf64fa6a34e391e1581ebbcba8683"},{"url":"https://git.kernel.org/stable/c/6aef1765d6807e0f027cd87f6ac973eb0879a46d"},{"url":"https://git.kernel.org/stable/c/80824c7e527b70cf9039534e60aff592e8f209d1"},{"url":"https://git.kernel.org/stable/c/4cb537ae4f37d7d0f617815ed4bed7173fb50861"},{"url":"https://git.kernel.org/stable/c/0e55f63dd08f09651d39e1b709a91705a8a0ddcb"}],"title":"ksmbd: replace hardcoded hdr2_len with offsetof() in smb2_calc_max_out_buf_len()","x_generator":{"engine":"bippy-1.2.0"}}}}