{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-31709","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2026-03-09T15:48:24.133Z","datePublished":"2026-05-01T13:56:06.522Z","dateUpdated":"2026-05-11T22:14:14.461Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T22:14:14.461Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: validate the whole DACL before rewriting it in cifsacl\n\nbuild_sec_desc() and id_mode_to_cifs_acl() derive a DACL pointer from a\nserver-supplied dacloffset and then use the incoming ACL to rebuild the\nchmod/chown security descriptor.\n\nThe original fix only checked that the struct smb_acl header fits before\nreading dacl_ptr->size or dacl_ptr->num_aces.  That avoids the immediate\nheader-field OOB read, but the rewrite helpers still walk ACEs based on\npdacl->num_aces with no structural validation of the incoming DACL body.\n\nA malicious server can return a truncated DACL that still contains a\nheader, claims one or more ACEs, and then drive\nreplace_sids_and_copy_aces() or set_chmod_dacl() past the validated\nextent while they compare or copy attacker-controlled ACEs.\n\nFactor the DACL structural checks into validate_dacl(), extend them to\nvalidate each ACE against the DACL bounds, and use the shared validator\nbefore the chmod/chown rebuild paths.  parse_dacl() reuses the same\nvalidator so the read-side parser and write-side rewrite paths agree on\nwhat constitutes a well-formed incoming DACL."}],"metrics":[{"cvssV3_1":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH"}}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/smb/client/cifsacl.c"],"versions":[{"version":"bc3e9dd9d104ca1b75644eab87b38ce8a924aef4","lessThan":"d92f3f0b22414e7515696a02224d0af55e3004a3","status":"affected","versionType":"git"},{"version":"bc3e9dd9d104ca1b75644eab87b38ce8a924aef4","lessThan":"b78db9bddc84136f6a0bb49e8883cf200dfb87a8","status":"affected","versionType":"git"},{"version":"bc3e9dd9d104ca1b75644eab87b38ce8a924aef4","lessThan":"0a8cf165566ba55a39fd0f4de172119dd646d39a","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/smb/client/cifsacl.c"],"versions":[{"version":"5.12","status":"affected"},{"version":"0","lessThan":"5.12","status":"unaffected","versionType":"semver"},{"version":"6.12.86","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"7.0.2","lessThanOrEqual":"7.0.*","status":"unaffected","versionType":"semver"},{"version":"7.1-rc1","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.12","versionEndExcluding":"6.12.86"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.12","versionEndExcluding":"7.0.2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.12","versionEndExcluding":"7.1-rc1"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/d92f3f0b22414e7515696a02224d0af55e3004a3"},{"url":"https://git.kernel.org/stable/c/b78db9bddc84136f6a0bb49e8883cf200dfb87a8"},{"url":"https://git.kernel.org/stable/c/0a8cf165566ba55a39fd0f4de172119dd646d39a"}],"title":"smb: client: validate the whole DACL before rewriting it in cifsacl","x_generator":{"engine":"bippy-1.2.0"}}}}