KernelScan.io

HIGH

smb WSL EA OOB

CVE-2026-31614

CVSS 7.1 / 10.0 NVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

KernelScan AI 7.1 HIGH


In the Linux kernel, the following vulnerability has been resolved:

smb: client: fix off-by-8 bounds check in check_wsl_eas()

The bounds check uses (u8 *)ea + nlen + 1 + vlen as the end of the EA name and value, but ea_data sits at offset sizeof(struct smb2_file_full_ea_info) = 8 from ea, not at offset 0. The strncmp() later reads ea->ea_data[0..nlen-1] and the value bytes follow at ea_data[nlen+1..nlen+vlen], so the actual end is ea->ea_data + nlen + 1 + vlen. Isn't pointer math fun?

The earlier check (u8 *)ea > end - sizeof(*ea) only guarantees the 8-byte header is in bounds, but since the last EA is placed within 8 bytes of the end of the response, the name and value bytes are read past the end of iov.

Fix this mess all up by using ea->ea_data as the base for the bounds check.

An "untrusted" server can use this to leak up to 8 bytes of kernel heap into the EA name comparison and influence which WSL xattr the data is interpreted as.


Engine v0.2.0

Risk summary

A malicious SMB server can cause the Linux SMB client to read up to 8 bytes beyond the end of the received response buffer when it parses Windows Subsystem for Linux (WSL) extended attributes. The over-read pulls adjacent kernel heap bytes into the EA name comparison, leaking them and potentially changing which WSL attribute the value is interpreted as. Triggering it requires the client to connect to an SMB server the attacker controls.

Affected: fs/smb/client/smb2inode.c

Vulnerability analysis

Root Cause: The bounds check in check_wsl_eas() computed the end of an Extended Attribute (EA) entry from the structure base pointer instead of from the ea_data field. It accepted an entry as long as (u8 *)ea + nlen + 1 + vlen did not exceed the end of the response, but the name and value bytes actually start at ea->ea_data, which is sizeof(struct smb2_file_full_ea_info) = 8 bytes past ea. The check is therefore off by 8: an entry whose name and value end within the last 8 bytes of the response passes the check while the subsequent strncmp() on the name and the value read run past the end of the buffer.

Attack Surface: Reached over the SMB protocol from the server side. The server controls the EA list in its query response, so an attacker-controlled or compromised server can return a final entry whose name and value end inside the last 8 bytes of the response and trigger the out-of-bounds read. The path is exercised when the client processes WSL extended attributes on a mount, so exploitation requires an active SMB connection to the malicious server.

Fix Mechanism: The patch changes the base pointer of the bounds check from ea to ea->ea_data, so the computed end ea->ea_data + nlen + 1 + vlen accounts for the 8-byte header of smb2_file_full_ea_info and matches where the name and value bytes are actually read from. An entry that previously slipped through by up to 8 bytes is now rejected before any of its data is touched.
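The off-by-8 described above, as an added example that is not code from this page or from the kernel: a user-space C model of the EA walk in check_wsl_eas() that runs the pre-fix check (base = ea) and the post-fix check (base = ea->ea_data) over a constructed two-entry query-info response, and reports how many bytes past the end of the iov the name and value reads would touch. The struct layout follows smb2_file_full_ea_info; the attribute names "$LXUID"/"$LXGID", the value "1000", the 4-byte padding between entries, the loop-termination guard and the -22 return value are this example's own assumptions, not taken from the page.

```c
/* Added example: user-space model of the check_wsl_eas() bounds check
 * before and after the fix. Not kernel code; the response below is
 * constructed for the demo. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DEMO_EINVAL (-22)   /* stands in for -EINVAL (assumed value) */

/* FILE_FULL_EA_INFORMATION as the kernel declares it: an 8-byte header
 * followed by the NUL-terminated name and then the value bytes. */
struct smb2_file_full_ea_info {
	uint32_t next_entry_offset;
	uint8_t  flags;
	uint8_t  ea_name_length;
	uint16_t ea_value_length;
	char     ea_data[];
} __attribute__((packed));
#define EA_HDR sizeof(struct smb2_file_full_ea_info)   /* == 8 */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
	return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
	       ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Walk the EA list in iov[0..iov_len). fixed == 0 applies the pre-patch
 * check (base = ea), fixed != 0 the patched one (base = ea->ea_data).
 * *overread receives how many bytes past iov_len the name/value reads of
 * the accepted entries would touch. Returns 0 (accepted) or DEMO_EINVAL.
 * Only the two bounds checks from the commit are modelled; the WSL name
 * comparison is left out and the loop guard is this demo's own. */
static int check_eas(const uint8_t *iov, size_t iov_len, int fixed, size_t *overread)
{
	size_t off = 0;

	*overread = 0;
	for (;;) {
		/* "(u8 *)ea > end - sizeof(*ea)": only the 8-byte header is covered */
		if (off + EA_HDR > iov_len)
			return DEMO_EINVAL;
		uint32_t next = rd32(iov + off);
		size_t nlen = iov[off + 5];
		size_t vlen = rd16(iov + off + 6);
		/* pre-fix:  (u8 *)ea + nlen + 1 + vlen > end     (base = header)
		 * post-fix: ea->ea_data + nlen + 1 + vlen > end  (base = header + 8) */
		size_t base = fixed ? off + EA_HDR : off;
		if (base + nlen + 1 + vlen > iov_len)
			return DEMO_EINVAL;
		/* the strncmp() on the name and the value read really extend to here */
		size_t touched = off + EA_HDR + nlen + 1 + vlen;
		if (touched > iov_len && touched - iov_len > *overread)
			*overread = touched - iov_len;
		if (next == 0)
			return 0;
		if (next < EA_HDR)          /* demo guard against a self-pointing entry */
			return DEMO_EINVAL;
		off += next;
	}
}

/* Write one entry at out; returns its size (header + name + NUL + value). */
static size_t put_ea(uint8_t *out, uint32_t next, const char *name,
		     const char *val, size_t vlen)
{
	size_t nlen = strlen(name);

	out[0] = (uint8_t)next;         out[1] = (uint8_t)(next >> 8);
	out[2] = (uint8_t)(next >> 16); out[3] = (uint8_t)(next >> 24);
	out[4] = 0;                     /* flags */
	out[5] = (uint8_t)nlen;
	out[6] = (uint8_t)vlen;         out[7] = (uint8_t)(vlen >> 8);
	memcpy(out + EA_HDR, name, nlen + 1);
	memcpy(out + EA_HDR + nlen + 1, val, vlen);
	return EA_HDR + nlen + 1 + vlen;
}

static uint8_t demo_rsp[64];

/* Constructed response: "$LXUID"="1000" (19 bytes, padded to 20 so the next
 * entry is 4-byte aligned) followed by a final "$LXGID"="1000". Returns 39. */
static size_t build_response(void)
{
	memset(demo_rsp, 0, sizeof(demo_rsp));
	put_ea(demo_rsp, 20, "$LXUID", "1000", 4);
	return 20 + put_ea(demo_rsp + 20, 0, "$LXGID", "1000", 4);
}

/* Verdict of either check when the iov holds only iov_len bytes of the response. */
static int demo_verdict(size_t iov_len, int fixed)
{
	size_t unused;
	build_response();
	return check_eas(demo_rsp, iov_len, fixed, &unused);
}

/* Bytes past the end of the iov that the pre-fix code would read (0 if rejected). */
static size_t demo_overread(size_t iov_len)
{
	size_t n;
	build_response();
	return check_eas(demo_rsp, iov_len, 0, &n) == 0 ? n : 0;
}

int main(void)
{
	size_t lens[] = { 39, 35, 31, 30 };
	for (size_t i = 0; i < 4; i++)
		printf("iov_len=%2zu  pre-fix=%3d (over-read %zu bytes)  post-fix=%3d\n",
		       lens[i], demo_verdict(lens[i], 0), demo_overread(lens[i]),
		       demo_verdict(lens[i], 1));
	return 0;
}
```

The full 39-byte response passes both checks with nothing read out of bounds. Truncate the iov so the last entry's name and value end inside the final 8 bytes (31 to 38 bytes here) and the pre-fix check still accepts it while the name comparison reads up to 8 bytes beyond the iov; the patched check rejects those same lengths because it measures from ea->ea_data. Below 31 bytes even the pre-fix check rejects, which is why the over-read is bounded at exactly 8 bytes.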


Branch     Fixed in   Patch commit
6.12       6.12.83    5cc0574c84aa
6.18       6.18.24    b2b76d09a64c
6.19       6.19.14    ba3ad159aa61
6.6        6.6.136    bfbc74df8bbe
7.0        7.0.1      a893f1757d9a
mainline   7.1-rc1    3d8b9d06bd3a