{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-31705","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2026-03-09T15:48:24.132Z","datePublished":"2026-05-01T13:56:03.896Z","dateUpdated":"2026-05-11T22:14:09.848Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T22:14:09.848Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix out-of-bounds write in smb2_get_ea() EA alignment\n\nsmb2_get_ea() applies 4-byte alignment padding via memset() after\nwriting each EA entry. The bounds check on buf_free_len is performed\nbefore the value memcpy, but the alignment memset fires unconditionally\nafterward with no check on remaining space.\n\nWhen the EA value exactly fills the remaining buffer (buf_free_len == 0\nafter value subtraction), the alignment memset writes 1-3 NUL bytes\npast the buf_free_len boundary. In compound requests where the response\nbuffer is shared across commands, the first command (e.g., READ) can\nconsume most of the buffer, leaving a tight remainder for the QUERY_INFO\nEA response. The alignment memset then overwrites past the physical\nkvmalloc allocation into adjacent kernel heap memory.\n\nAdd a bounds check before the alignment memset to ensure buf_free_len\ncan accommodate the padding bytes.\n\nThis is the same bug pattern fixed by commit beef2634f81f (\"ksmbd: fix\npotencial OOB in get_file_all_info() for compound requests\") and\ncommit fda9522ed6af (\"ksmbd: fix OOB write in QUERY_INFO for compound\nrequests\"), both of which added bounds checks before unconditional\nwrites in QUERY_INFO response handlers."}],"metrics":[{"cvssV3_1":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL"}}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/smb/server/smb2pdu.c"],"versions":[{"version":"e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d","lessThan":"ffbce350c6fd1e99116ea57383b9031717e36d3b","status":"affected","versionType":"git"},{"version":"e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d","lessThan":"98f3de6ef4efbd899348d333f0902dc4ff14380c","status":"affected","versionType":"git"},{"version":"e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d","lessThan":"790304c02bf9bd7b8171feda4294d6e62d32ae8f","status":"affected","versionType":"git"},{"version":"e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d","lessThan":"922d48fe8c19f388ffa2f709f33acaae4e408de2","status":"affected","versionType":"git"},{"version":"e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d","lessThan":"30010c952077a1c89ecdd71fc4d574c75a8f5617","status":"affected","versionType":"git"},{"version":"f2283680a80571ca82d710bc6ecd8f8beac67d63","status":"affected","versionType":"git"},{"version":"9f297df20d93411c0b4ddad7f88ba04a7cd36e77","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/smb/server/smb2pdu.c"],"versions":[{"version":"6.6","status":"affected"},{"version":"0","lessThan":"6.6","status":"unaffected","versionType":"semver"},{"version":"6.6.136","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.84","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.18.25","lessThanOrEqual":"6.18.*","status":"unaffected","versionType":"semver"},{"version":"7.0.2","lessThanOrEqual":"7.0.*","status":"unaffected","versionType":"semver"},{"version":"7.1-rc1","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.6","versionEndExcluding":"6.6.136"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.6","versionEndExcluding":"6.12.84"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.6","versionEndExcluding":"6.18.25"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.6","versionEndExcluding":"7.0.2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.6","versionEndExcluding":"7.1-rc1"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15.145"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.1.71"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/ffbce350c6fd1e99116ea57383b9031717e36d3b"},{"url":"https://git.kernel.org/stable/c/98f3de6ef4efbd899348d333f0902dc4ff14380c"},{"url":"https://git.kernel.org/stable/c/790304c02bf9bd7b8171feda4294d6e62d32ae8f"},{"url":"https://git.kernel.org/stable/c/922d48fe8c19f388ffa2f709f33acaae4e408de2"},{"url":"https://git.kernel.org/stable/c/30010c952077a1c89ecdd71fc4d574c75a8f5617"}],"title":"ksmbd: fix out-of-bounds write in smb2_get_ea() EA alignment","x_generator":{"engine":"bippy-1.2.0"}}}}