KernelScan.io

HIGH

ksmbd EaNameLength OOB

CVE-2026-31612

CVSS 7.5 / 10.0 NVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

KernelScan AI score: 7.1 HIGH

01

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: validate EaNameLength in smb2_get_ea()

smb2_get_ea() reads ea_req->EaNameLength from the client request and passes it directly to strncmp() as the comparison length without verifying that the length of the name really is the size of the input buffer received. Fix this up by properly checking the size of the name based on the value received and the overall size of the request, to prevent a later strncmp() call to use the length as a "trusted" size of the buffer. Without this check, uninitialized heap values might be slowly leaked to the client.

02

Engine v0.2.0

Risk summary

Authenticated SMB clients can trigger out-of-bounds heap reads in the ksmbd server by sending malformed EA requests with an EaNameLength exceeding the actual input buffer size. This allows leaking uninitialized kernel heap memory contents to the client (information disclosure) and can cause a kernel panic when the read spans into unmapped pages.

Affected: fs/smb/server/smb2pdu.c (ksmbd)

Vulnerability analysis

The smb2_get_ea() function trusts the client-provided EaNameLength value without validating it against the actual InputBufferLength. When a malicious client sends an EA request with EaNameLength larger than the remaining buffer, the subsequent strncmp() call reads beyond the allocated request buffer into uninitialized heap space. Because the attacker controls the length, a sufficiently large value will read into unmapped memory and trigger a kernel oops/panic. The fix adds proper bounds checking to ensure the name length does not exceed the available input buffer before performing string operations.
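The following C program is an added illustration of the class of check the fix describes; it is not ksmbd's code and not the patch referenced on this page. The entry layout is modeled on the FILE_GET_EA_INFORMATION wire format (NextEntryOffset, EaNameLength, EaName), the two sample request bodies are constructed, and the names ea_req_parse, ea_req_matches and lookup_ea are hypothetical. The point it shows is that the client-supplied EaNameLength must be proven to fit inside the bytes actually received before it is ever handed to strncmp().

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed entry layout, modeled on FILE_GET_EA_INFORMATION:
 * 4-byte little-endian NextEntryOffset, 1-byte EaNameLength, then EaName.
 * Illustration only; not ksmbd's struct or parsing code. */
#define EA_REQ_HDR_LEN 5u

/* A validated view of one request entry; name_len is already in-bounds. */
struct ea_req_view {
    const char *name;   /* points into the request buffer */
    size_t name_len;    /* EaNameLength, proven to fit in the buffer */
    uint32_t next_off;  /* NextEntryOffset, 0 terminates the list */
};

/* Parse the entry at `off` inside a request body of `buf_len` bytes.
 * Returns false when the header or the name would run past the buffer,
 * which is exactly the case that let strncmp() read uninitialized heap. */
static bool ea_req_parse(const uint8_t *buf, size_t buf_len, size_t off,
                         struct ea_req_view *out)
{
    if (off > buf_len || buf_len - off < EA_REQ_HDR_LEN)
        return false;                      /* header itself is truncated */

    uint32_t next_off = (uint32_t)buf[off] | (uint32_t)buf[off + 1] << 8 |
                        (uint32_t)buf[off + 2] << 16 | (uint32_t)buf[off + 3] << 24;
    size_t name_len = buf[off + 4];

    /* The hardened check: the name must fit in what remains of the buffer.
     * buf_len - off >= EA_REQ_HDR_LEN was established above, so no underflow. */
    if (name_len > buf_len - off - EA_REQ_HDR_LEN)
        return false;

    out->name = (const char *)&buf[off + EA_REQ_HDR_LEN];
    out->name_len = name_len;
    out->next_off = next_off;
    return true;
}

/* Compare the requested name against a stored attribute name using only the
 * validated length; a length mismatch can never be a match. */
static bool ea_req_matches(const struct ea_req_view *v, const char *stored)
{
    size_t stored_len = strlen(stored);
    return v->name_len == stored_len && strncmp(v->name, stored, stored_len) == 0;
}

/* Constructed sample: one entry asking for "user.comment" (12 bytes) with a
 * correct EaNameLength; 17 bytes in total. */
static const uint8_t good_req[] = {
    0x00, 0x00, 0x00, 0x00,        /* NextEntryOffset = 0 */
    0x0c,                          /* EaNameLength = 12 */
    'u','s','e','r','.','c','o','m','m','e','n','t'
};

/* Constructed sample: the same 17 bytes, but EaNameLength claims 255,
 * far beyond the body that was actually received. */
static const uint8_t bad_req[] = {
    0x00, 0x00, 0x00, 0x00,
    0xff,
    'u','s','e','r','.','c','o','m','m','e','n','t'
};

/* Returns 1 if the request names `stored`, 0 if it names something else,
 * and -1 if the request is malformed and must be rejected before any
 * string operation touches it. */
int lookup_ea(const uint8_t *req, size_t req_len, const char *stored)
{
    struct ea_req_view v;
    if (!ea_req_parse(req, req_len, 0, &v))
        return -1;
    return ea_req_matches(&v, stored) ? 1 : 0;
}

int main(void)
{
    printf("good request: %d\n", lookup_ea(good_req, sizeof good_req, "user.comment"));
    printf("bad request:  %d\n", lookup_ea(bad_req, sizeof bad_req, "user.comment"));
    return 0;
}
```

The design choice worth noting is that the bound is computed from the bytes received, not from any field inside the request: the request may describe itself however it likes, but the only length the server trusts is the one it measured.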

03

Branch    Fixed in   Patch commit
6.1       6.1.175    859f11e1bc81
6.12      6.12.83    551dfb15b182
6.18      6.18.24    3363a770b193
6.19      6.19.14    243b206bcb5a
6.6       6.6.136    4b73376feecb
7.0       7.0.1      dfc6878d14ac
mainline  7.1-rc1    66751841212c