HIGH
ksmbd ACL OOB
CVE-2026-31611
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
KernelScan AI: 5.3 MEDIUM
01 Description
In the Linux kernel, the following vulnerability has been resolved:

ksmbd: require 3 sub-authorities before reading sub_auth[2]

parse_dacl() compares each ACE SID against sid_unix_NFS_mode and on match reads sid.sub_auth[2] as the file mode. If sid_unix_NFS_mode is the prefix S-1-5-88-3 with num_subauth = 2 then compare_sids() compares only min(num_subauth, 2) sub-authorities so a client SID with num_subauth = 2 and sub_auth = {88, 3} will match. If num_subauth = 2 and the ACE is placed at the very end of the security descriptor, sub_auth[2] will be 4 bytes past end_of_acl. The out-of-band bytes will then be masked to the low 9 bits and applied as the file's POSIX mode, probably not something that is good to have happen. Fix this up by forcing the SID to actually carry a third sub-authority before reading it at all.
02 KernelScan AI Analysis
Risk summary
Remote SMB clients can trigger an out-of-bounds read in the ksmbd server by sending a specially crafted ACL security descriptor. The impact is two-fold but narrow: the low 9 bits of a 32-bit word of adjacent kernel memory are disclosed, because they are applied as the target file's POSIX mode and can then be read back by the client, and integrity is affected because those leaked bits, rather than the ones the client asked for, become the file's permission bits. The CVSS vector above additionally rates availability impact High, reflecting that a read past the end of a kernel buffer can fault if the buffer happens to end at a mapping boundary.
Vulnerability analysis
The vulnerability is in parse_dacl(), which walks the ACEs of a client-supplied security descriptor. For each ACE it compares the SID against sid_unix_NFS_mode, the S-1-5-88-3 prefix (num_subauth = 2) that ksmbd uses to carry a POSIX mode inside an ACL, and on a match reads sid.sub_auth[2] as that mode. The comparison in compare_sids() only covers min(num_subauth, 2) sub-authorities, so a client SID of exactly S-1-5-88-3 with num_subauth = 2 matches even though it carries no third sub-authority. Because struct smb_sid is overlaid directly on the request buffer, sub_auth[2] is simply the 4 bytes at offset 16 from the start of the SID; when that ACE is the last thing in the descriptor, those 4 bytes lie past end_of_acl. The out-of-bounds 32-bit value is masked to its low 9 bits and applied as the file's POSIX mode, so a remote SMB client that can set a security descriptor on a file obtains both a 9-bit leak of kernel memory and an unintended permission change on that file. The fix adds a check that num_subauth >= 3 before sub_auth[2] is read, so a two-sub-authority SID is no longer treated as an NFS-mode SID. Practical check: compare the running kernel against the fixed versions in the table below; the bug is only reachable where the ksmbd module is loaded and serving shares.
03 Fix Versions
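To make the mechanics concrete, the following is an added example written for this page; it is not ksmbd code and not part of the original advisory. It re-implements the relevant rule of compare_sids() (only the common prefix of the sub-authority arrays is compared), decodes a SID from a constructed byte buffer the way the on-the-wire layout dictates, and runs the pre-fix and post-fix handling side by side. The two sample descriptors (`crafted_sd`, `legit_sd`), the helper names (`parse_nfs_mode_ace`, `crafted_before_fix`, `crafted_after_fix`, `legit_after_fix`) and the 0xDEADBEEF "neighbouring memory" bytes are all constructed for the demonstration; the kernel overlays the struct on the request buffer rather than decoding it with memcpy as done here.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NUM_AUTHS 6
#define SID_MAX_SUB_AUTHORITIES 15
#define SID_HDR_LEN 8   /* revision, num_subauth, authority[6] */
#define ACE_HDR_LEN 8   /* type, flags, size, access mask */

/* Decoded SID with the same fields as ksmbd's struct smb_sid. */
struct smb_sid {
    uint8_t  revision;
    uint8_t  num_subauth;
    uint8_t  authority[NUM_AUTHS];
    uint32_t sub_auth[SID_MAX_SUB_AUTHORITIES];
};

/* S-1-5-88-3: the NFS-mode prefix parse_dacl() matches, num_subauth = 2. */
static const struct smb_sid sid_unix_NFS_mode = {
    .revision = 1, .num_subauth = 2,
    .authority = {0, 0, 0, 0, 0, 5}, .sub_auth = {88, 3},
};

/* Same rule as ksmbd's compare_sids(): only min(num_subauth) entries are
 * compared, so a two-sub-authority client SID matches the template.
 * Returns 0 on match, nonzero otherwise. */
static int compare_sids(const struct smb_sid *a, const struct smb_sid *b)
{
    if (a->revision != b->revision ||
        memcmp(a->authority, b->authority, NUM_AUTHS) != 0)
        return 1;
    uint8_t n = a->num_subauth < b->num_subauth ? a->num_subauth
                                                : b->num_subauth;
    for (uint8_t i = 0; i < n; i++)
        if (a->sub_auth[i] != b->sub_auth[i])
            return 1;
    return 0;
}

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

struct ace_result {
    bool matched;    /* treated as an NFS-mode ACE */
    bool oob_read;   /* sub_auth[2] lay beyond end_of_acl */
    uint32_t mode;   /* low 9 bits that would become the file mode */
};

/* Handle one ACE's SID the way parse_dacl() does. hardened=false is the
 * pre-fix behaviour; hardened=true adds the num_subauth >= 3 requirement.
 * sub_auth[2] is whatever 4 bytes sit at offset 16 from the SID start,
 * which this demo reads explicitly to make the out-of-bounds case visible. */
static struct ace_result parse_nfs_mode_ace(const uint8_t *sid_bytes,
                                            const uint8_t *end_of_acl,
                                            bool hardened)
{
    struct ace_result r = { false, false, 0 };
    struct smb_sid sid = { 0 };

    sid.revision = sid_bytes[0];
    sid.num_subauth = sid_bytes[1];
    memcpy(sid.authority, sid_bytes + 2, NUM_AUTHS);
    for (uint8_t i = 0; i < sid.num_subauth && i < SID_MAX_SUB_AUTHORITIES; i++)
        sid.sub_auth[i] = le32(sid_bytes + SID_HDR_LEN + 4 * i);

    /* The fix: a SID that cannot carry sub_auth[2] is not an NFS-mode SID. */
    if (hardened && sid.num_subauth < 3)
        return r;
    if (compare_sids(&sid, &sid_unix_NFS_mode) != 0)
        return r;

    r.matched = true;
    const uint8_t *p = sid_bytes + SID_HDR_LEN + 4 * 2;  /* sub_auth[2] */
    r.oob_read = p + 4 > end_of_acl;
    r.mode = le32(p) & 0777;  /* masked to the low 9 bits, as in the kernel */
    return r;
}

/* Constructed sample, not a capture: the descriptor ends right after a
 * 16-byte S-1-5-88-3 SID; the final 4 bytes stand in for whatever kernel
 * memory happens to follow end_of_acl. */
static const uint8_t crafted_sd[ACE_HDR_LEN + 16 + 4] = {
    0x00, 0x00, 0x18, 0x00, 0xFF, 0x01, 0x1F, 0x00, /* ACE header, size 24 */
    0x01, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, /* rev 1, 2 sub-auths, S-1-5 */
    0x58, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, /* -88-3; end_of_acl here */
    0xEF, 0xBE, 0xAD, 0xDE,                         /* "neighbouring memory" */
};
#define CRAFTED_END (ACE_HDR_LEN + 16)

/* Constructed well-formed NFS-mode SID: S-1-5-88-3-0644, num_subauth = 3. */
static const uint8_t legit_sd[ACE_HDR_LEN + 20] = {
    0x00, 0x00, 0x1C, 0x00, 0xFF, 0x01, 0x1F, 0x00, /* ACE header, size 28 */
    0x01, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05,
    0x58, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
    0xA4, 0x01, 0x00, 0x00,                         /* 0644 */
};

struct ace_result crafted_before_fix(void)
{ return parse_nfs_mode_ace(crafted_sd + ACE_HDR_LEN, crafted_sd + CRAFTED_END, false); }
struct ace_result crafted_after_fix(void)
{ return parse_nfs_mode_ace(crafted_sd + ACE_HDR_LEN, crafted_sd + CRAFTED_END, true); }
struct ace_result legit_after_fix(void)
{ return parse_nfs_mode_ace(legit_sd + ACE_HDR_LEN, legit_sd + sizeof legit_sd, true); }

int main(void)
{
    struct ace_result v = crafted_before_fix(), f = crafted_after_fix(), l = legit_after_fix();
    printf("before fix: matched=%d oob=%d mode=%04o\n", v.matched, v.oob_read, v.mode);
    printf("after fix:  matched=%d oob=%d mode=%04o\n", f.matched, f.oob_read, f.mode);
    printf("legit SID:  matched=%d oob=%d mode=%04o\n", l.matched, l.oob_read, l.mode);
    return 0;
}
```

Before the fix the crafted SID matches, the 4 bytes after end_of_acl are read, and the file would end up with mode 0357 (the low 9 bits of 0xDEADBEEF) rather than anything the client specified. After the fix the same SID is rejected before sub_auth[2] is touched, while the three-sub-authority S-1-5-88-3-0644 SID still yields mode 0644, which is the property a reviewer would want to confirm the check preserves.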
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.1 | 6.1.175 | cf2148b880fb |
| 6.6 | 6.6.136 | b5b5d5936a50 |
| 6.12 | 6.12.83 | 08f9e6d899b5 |
| 6.18 | 6.18.24 | d2454f4a002d |
| 6.19 | 6.19.14 | 46bbcd3ebfb3 |
| 7.0 | 7.0.1 | 9401f86a224f |
| mainline | 7.1-rc1 | 53370cf90907 |