ksmbd QueryInfo OOB
CVE-2026-31432
Severity: HIGH (CVSS 8.8)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Source: KernelScan AI
Description

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: fix OOB write in QUERY_INFO for compound requests

When a compound request such as READ + QUERY_INFO(Security) is received, and the first command (READ) consumes most of the response buffer, ksmbd could write beyond the allocated buffer while building a security descriptor.

The root cause was that smb2_get_info_sec() checked buffer space using ppntsd_size from xattr, while build_sec_desc() often synthesized a significantly larger descriptor from POSIX ACLs.

This patch introduces smb_acl_sec_desc_scratch_len() to accurately compute the final descriptor size beforehand, performs proper buffer checking with smb2_calc_max_out_buf_len(), and uses exact-sized allocation + iov pinning.
KernelScan AI Analysis
Risk summary
Remote authenticated SMB clients can trigger an out-of-bounds write in the ksmbd server when sending compound requests with QUERY_INFO(Security) commands. This can lead to kernel memory corruption, potentially allowing privilege escalation or denial of service. Systems running ksmbd as an SMB file server are at risk.
Vulnerability analysis
The vulnerability occurs in smb2_get_info_sec() when processing compound SMB2 requests like READ + QUERY_INFO(Security). The root cause is a buffer size miscalculation: the function checked available buffer space using ppntsd_size from xattr, but build_sec_desc() often synthesized much larger security descriptors from POSIX ACLs. When the first command (READ) consumed most of the response buffer, the security descriptor construction could write beyond the allocated buffer boundaries. The fix introduces smb_acl_sec_desc_scratch_len() to accurately pre-calculate the required descriptor size, performs proper buffer bounds checking with smb2_calc_max_out_buf_len(), and uses exact-sized allocation with kvzalloc() plus iov pinning to prevent buffer overruns.
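A simplified C model of the size-check pattern the fix introduces, added here as an illustration and not ksmbd's own code: the buffer size, descriptor sizes, struct and function names are constructed stand-ins for smb_acl_sec_desc_scratch_len(), build_sec_desc() and smb2_calc_max_out_buf_len(). It contrasts the old check, which trusted the xattr size, with the fixed path that sizes the final descriptor before checking and allocating.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model: one fixed-size response buffer shared by a compound request. */
#define RESP_BUF_LEN 4096u
#define SEC_DESC_HDR 20u   /* constructed header size of a security descriptor */
#define ACE_LEN      16u   /* constructed per-ACE size */

struct posix_acl_model { unsigned int n_entries; };

/* Stand-in for smb_acl_sec_desc_scratch_len(): exact bytes the builder will emit. */
size_t sec_desc_len(const struct posix_acl_model *acl)
{
    return SEC_DESC_HDR + (size_t)acl->n_entries * ACE_LEN;
}

/* Stand-in for build_sec_desc(): synthesizes a descriptor from the POSIX ACL. */
static size_t build_sec_desc(const struct posix_acl_model *acl, uint8_t *out)
{
    size_t len = sec_desc_len(acl);
    memset(out, 0xAC, len);           /* placeholder encoding, not real SD bytes */
    return len;
}

/* Old check: trusted the on-disk xattr size (ppntsd_size), which can be far
 * smaller than what build_sec_desc() emits. Returns 1 if the check would pass. */
int old_check_passes(size_t ppntsd_size, size_t used_by_prev_cmd)
{
    return used_by_prev_cmd < RESP_BUF_LEN &&
           ppntsd_size <= RESP_BUF_LEN - used_by_prev_cmd;
}

/* Fixed pattern: size the final descriptor first, compare it with the space
 * left after the previous command, then allocate exactly that many bytes.
 * Returns 0 on success, -1 if the descriptor does not fit, -2 on OOM. */
int query_info_sec(const struct posix_acl_model *acl, size_t used_by_prev_cmd,
                   uint8_t **desc_out, size_t *len_out)
{
    if (used_by_prev_cmd > RESP_BUF_LEN) return -1;
    size_t max_out = RESP_BUF_LEN - used_by_prev_cmd; /* smb2_calc_max_out_buf_len analogue */
    size_t need = sec_desc_len(acl);
    if (need > max_out) return -1;    /* reject rather than overrun the buffer */
    uint8_t *buf = calloc(1, need);   /* exact-sized allocation */
    if (!buf) return -2;
    *len_out = build_sec_desc(acl, buf);
    *desc_out = buf;                  /* caller owns and frees the descriptor */
    return 0;
}
```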
Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 5.16 | 5.16 | d48c64fb80ad |
| 6.12 | 6.12.81 | 515c2daab460 |
| 6.18 | 6.18.22 | fda9522ed6af |
| 6.19 | 6.19.12 | — |
| 6.2 | 6.2 | 075ea208c648 |
| mainline | 7.0 | — |