CRITICAL
ksmbd BufferLen Overflow
CVE-2026-31478
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
KernelScan AI score: 8.7 (HIGH)
01 Description
In the Linux kernel, the following vulnerability has been resolved:

ksmbd: replace hardcoded hdr2_len with offsetof() in smb2_calc_max_out_buf_len()

After this commit (e2b76ab8b5c9 "ksmbd: add support for read compound"), response buffer management was changed to use a dynamic iov array. In the new design, smb2_calc_max_out_buf_len() expects the second argument (hdr2_len) to be the offset of the ->Buffer field in the response structure, not a hardcoded magic number. Fix the remaining call sites to use the correct offsetof() value.
02 KernelScan AI Analysis
Risk summary
Remote authenticated attackers can exploit incorrect buffer length calculations in the ksmbd SMB server to cause out-of-bounds writes, memory corruption, information disclosure, or denial of service. The vulnerability affects SMB2/3 protocol handling and is reachable after SMB session authentication.
Vulnerability analysis
The root cause is hardcoded magic numbers being passed as hdr2_len to smb2_calc_max_out_buf_len() instead of the proper offsetof() values required after the design change in commit e2b76ab8b5c9. When the passed header length is wrong, the function computes an incorrect maximum output length for SMB2 response buffers in query directory, EA retrieval, stream info, and IOCTL operations, and the variable-length part of the response can be written past the end of the heap buffer. The fix replaces the hardcoded values with the correct structure field offsets. The attack surface is network-accessible through the SMB2/3 protocol and requires an authenticated SMB session.
03 Fix Versions
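To make the contract described above concrete, the following is an added C example; it is not kernel code and not from the KernelScan page. It models the calculation that the description and the analysis refer to with a hypothetical response struct (`struct demo_resp`), a hypothetical stale magic number (`DEMO_STALE_HDR2_LEN`), and a simplified stand-in (`demo_max_out_buf_len`) for smb2_calc_max_out_buf_len(); the real function's signature and call sites are not reproduced. The point it shows is the one the advisory makes: when the hdr2_len passed in is smaller than the real `offsetof(struct, Buffer)`, the computed limit accepts a payload that the subsequent write, which always lands at the real offset, carries past the end of the response buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical SMB2-style response layout used only for this example; it is
 * not the kernel's struct. Fixed fields come first; the variable-length
 * payload begins at ->Buffer. offsetof(struct demo_resp, Buffer) == 12. */
struct demo_resp {
    uint16_t StructureSize;
    uint16_t OutputBufferOffset;
    uint32_t OutputBufferLength;
    uint32_t Reserved;
    uint8_t  Buffer[];
};

/* Constructed stale magic number standing in for a hardcoded hdr2_len that no
 * longer matches the structure it is used with. */
#define DEMO_STALE_HDR2_LEN 8

/* Simplified model of the contract the advisory states for
 * smb2_calc_max_out_buf_len(): hdr2_len must be the offset of ->Buffer.
 * Returns the bytes left for the variable part of a total_len-byte response,
 * or -1 if even the fixed header does not fit. (Assumed shape, not the
 * kernel function.) */
long demo_max_out_buf_len(size_t total_len, size_t hdr2_len)
{
    if (hdr2_len > total_len)
        return -1;
    return (long)(total_len - hdr2_len);
}

/* Outcome of placing payload_len bytes after the real header. */
enum demo_result {
    DEMO_REJECTED  = 0, /* the limit correctly refused the payload           */
    DEMO_IN_BOUNDS = 1, /* the limit accepted it and it fits                 */
    DEMO_OVERFLOW  = 2  /* the limit accepted it but the write runs past end */
};

enum demo_result demo_place_payload(size_t total_len, size_t hdr2_len,
                                    size_t payload_len)
{
    long max_out = demo_max_out_buf_len(total_len, hdr2_len);
    if (max_out < 0 || payload_len > (size_t)max_out)
        return DEMO_REJECTED;
    /* The payload is always written at the real offset of ->Buffer, no matter
     * what hdr2_len claimed, so a too-small hdr2_len lets it run past the end. */
    size_t end = offsetof(struct demo_resp, Buffer) + payload_len;
    return end <= total_len ? DEMO_IN_BOUNDS : DEMO_OVERFLOW;
}

int main(void)
{
    size_t total = 20, payload = 10;
    printf("offsetof(Buffer) = %zu, stale hdr2_len = %d\n",
           offsetof(struct demo_resp, Buffer), DEMO_STALE_HDR2_LEN);
    printf("correct offsetof(): result %d (0 = rejected)\n",
           demo_place_payload(total, offsetof(struct demo_resp, Buffer), payload));
    printf("stale magic number: result %d (2 = overflow)\n",
           demo_place_payload(total, DEMO_STALE_HDR2_LEN, payload));
    return 0;
}
```

The useful defender's takeaway is the shape of the check, not the specific numbers: any call that passes a literal header length into a bounds calculation should be audited against `offsetof()` of the structure it is actually paired with, since the literal silently stops being correct the moment the layout or the buffer-management design changes, exactly as happened after commit e2b76ab8b5c9.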
| Branch | Fixed in | Patch commit |
|---|---|---|
| 5.15 | 5.15.203 | 70b4c4148894 |
| 6.1 | 6.1.168 | 9a7166f0ef8c |
| 6.6 | 6.6.131 | c3a89e3ec1cc |
| 6.12 | 6.12.80 | 6aef1765d680 |
| 6.18 | 6.18.21 | 80824c7e527b |
| 6.19 | 6.19.11 | 4cb537ae4f37 |
| mainline | 7.0 | 0e55f63dd08f |