smb QueryInfo OOB (HIGH)
CVE-2026-31708
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H
KernelScan AI score: 8.1 (HIGH)
01 Description

In the Linux kernel, the following vulnerability has been resolved:

smb: client: fix OOB read in smb2_ioctl_query_info QUERY_INFO path

smb2_ioctl_query_info() has two response-copy branches: PASSTHRU_FSCTL and the default QUERY_INFO path. The QUERY_INFO branch clamps qi.input_buffer_length to the server-reported OutputBufferLength and then copies qi.input_buffer_length bytes from qi_rsp->Buffer to userspace, but it never verifies that the flexible-array payload actually fits within rsp_iov[1].iov_len.

A malicious server can return OutputBufferLength larger than the actual QUERY_INFO response, causing copy_to_user() to walk past the response buffer and expose adjacent kernel heap to userspace.

Guard the QUERY_INFO copy with a bounds check on the actual Buffer payload. Use struct_size(qi_rsp, Buffer, qi.input_buffer_length) rather than an open-coded addition so the guard cannot overflow on 32-bit builds.
02 KernelScan AI Analysis
Risk summary
A malicious SMB server can cause the Linux SMB client to read beyond allocated kernel memory buffers when processing QUERY_INFO responses. This can expose sensitive kernel heap data to userspace applications, potentially revealing cryptographic keys, passwords, or other confidential information stored in adjacent memory regions.
Vulnerability analysis
Root Cause: The smb2_ioctl_query_info() function in the QUERY_INFO path trusts the server-reported OutputBufferLength without validating that the actual response buffer contains enough data. It clamps qi.input_buffer_length to OutputBufferLength and then copies that many bytes to userspace, but never checks if the flexible-array payload (qi_rsp->Buffer) actually fits within the received response buffer (rsp_iov[1].iov_len).
Attack Surface: This vulnerability requires a malicious SMB server that can send crafted responses to SMB3 FSCTL queries. The attack is network-based and requires the client to connect to and query the malicious server. No special privileges are required on the client side beyond the ability to perform SMB operations.
Fix Mechanism: The patch adds a bounds check before the copy_to_user() operation. It verifies that struct_size(qi_rsp, Buffer, qi.input_buffer_length) does not exceed rsp_iov[1].iov_len. The struct_size() macro is used instead of manual arithmetic to prevent integer overflow on 32-bit systems. If the bounds check fails, the function returns -EFAULT.
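The following is an added, self-contained illustration of the two points above (the clamp alone trusting OutputBufferLength, and why the guard is built with struct_size() rather than an open-coded addition). It is not the kernel's code: the struct layout, the field names beyond those the page mentions, the helper names and the 0xEE "adjacent memory" marker are constructed for the example, and __builtin_add_overflow() stands in for the saturating arithmetic the kernel's struct_size() macro provides.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the QUERY_INFO response: fixed fields followed by a
 * flexible-array payload. Field names follow the page; the layout is a
 * simplification, not the kernel's struct smb2_query_info_rsp. */
struct qi_rsp {
	uint16_t StructureSize;
	uint16_t OutputBufferOffset;
	uint32_t OutputBufferLength;   /* server-controlled, must not be trusted */
	uint8_t  Buffer[];             /* payload; real length = rsp_len - header */
};

#define QI_HDR_LEN offsetof(struct qi_rsp, Buffer)   /* 8 bytes in this layout */

/* Open-coded guard as it computes on a 32-bit build (size_t is 32 bits):
 * header length + payload length can wrap, so a huge length passes the check. */
static bool guard_open_coded_32(uint32_t payload_len, uint32_t rsp_len)
{
	uint32_t needed = (uint32_t)QI_HDR_LEN + payload_len;   /* may wrap */
	return needed <= rsp_len;
}

/* struct_size()-style guard in 32-bit arithmetic: an overflow fails the check
 * (the kernel macro saturates to SIZE_MAX, which fails the comparison the same way). */
static bool guard_checked_32(uint32_t payload_len, uint32_t rsp_len)
{
	uint32_t needed;
	if (__builtin_add_overflow((uint32_t)QI_HDR_LEN, payload_len, &needed))
		return false;
	return needed <= rsp_len;
}

/* The same guard at native width, used by the copy-out below. */
static bool guard_checked(size_t payload_len, size_t rsp_len)
{
	size_t needed;
	if (__builtin_add_overflow(QI_HDR_LEN, payload_len, &needed))
		return false;
	return needed <= rsp_len;
}

/* Write a response into buf: a header claiming `claimed_len` output bytes,
 * followed by the bytes actually sent. Returns the on-wire length. */
static size_t build_response(uint8_t *buf, size_t cap, uint32_t claimed_len,
			     const uint8_t *payload, size_t payload_len)
{
	struct qi_rsp hdr = { .StructureSize = 9, .OutputBufferOffset = 0x48,
			      .OutputBufferLength = claimed_len };
	size_t total = QI_HDR_LEN + payload_len;
	if (total > cap)
		return 0;
	memcpy(buf, &hdr, QI_HDR_LEN);
	memcpy(buf + QI_HDR_LEN, payload, payload_len);
	return total;
}

/* Emulates the QUERY_INFO copy-out; `guarded` selects the fixed behaviour.
 * Returns bytes copied, or -1 where the kernel would return -EFAULT. */
static long copy_query_info(const uint8_t *rsp, size_t rsp_len, uint32_t req_len,
			    bool guarded, uint8_t *out, size_t out_cap)
{
	struct qi_rsp hdr;
	size_t n = req_len;

	if (rsp_len < QI_HDR_LEN)
		return -1;
	memcpy(&hdr, rsp, QI_HDR_LEN);
	if (n > hdr.OutputBufferLength)            /* the pre-existing clamp */
		n = hdr.OutputBufferLength;
	if (guarded && !guard_checked(n, rsp_len)) /* the added bounds check */
		return -1;
	if (n > out_cap)
		return -1;
	memcpy(out, rsp + QI_HDR_LEN, n);
	return (long)n;
}

/* Scenario: a response that honestly reports its 4 payload bytes. */
static long honest_server(void)
{
	uint8_t rsp[128], out[128];
	const uint8_t payload[4] = { 'A', 'B', 'C', 'D' };
	size_t len = build_response(rsp, sizeof rsp, 4, payload, sizeof payload);
	return copy_query_info(rsp, len, 4096, true, out, sizeof out);
}

/* Scenario: the same 4 bytes on the wire, but the header claims 64. Memory past
 * the response is filled with 0xEE to stand in for adjacent heap. Returns how
 * many 0xEE bytes reached `out`, or -1 if the copy was rejected. */
static long lying_server(bool guarded)
{
	uint8_t rsp[128], out[128];
	const uint8_t payload[4] = { 'A', 'B', 'C', 'D' };
	long copied, leaked = 0;

	memset(rsp, 0xEE, sizeof rsp);
	size_t len = build_response(rsp, sizeof rsp, 64, payload, sizeof payload);
	copied = copy_query_info(rsp, len, 4096, guarded, out, sizeof out);
	if (copied < 0)
		return copied;
	for (long i = 0; i < copied; i++)
		leaked += (out[i] == 0xEE);
	return leaked;
}

int main(void)
{
	printf("honest server, guarded: %ld bytes copied\n", honest_server());
	printf("lying server, unguarded: %ld adjacent bytes copied out\n", lying_server(false));
	printf("lying server, guarded: %ld (rejected)\n", lying_server(true));
	return 0;
}
```

The unguarded path copies 60 marker bytes alongside the 4 real ones, which is the heap exposure the description refers to; the guarded path rejects the response before any copy. The two 32-bit guards show why the open-coded form is not enough: with a payload length of 0xFFFFFFFC the plain addition wraps to 4 and passes, while the overflow-checked form fails as it should.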
03 Fix Versions

| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.1 | 6.1.175 | 1dd757379997 |
| 6.6 | 6.6.136 | a34d456934fe |
| 6.12 | 6.12.84 | ac2f14e4705d |
| 6.18 | 6.18.25 | 078fae8f50ad |
| 7.0 | 7.0.2 | 85fd46ee26a1 |
| mainline | 7.1-rc1 | a58c5af19ff0 |