CVE-2026-31611

HIGH EPSS 28.5%
Published Apr 24, 20262mo ago · Modified Jun 17, 20262w ago
8.6 CVSS 3.1
High
Find Similar
Published Apr 24, 2026 2mo ago
Last Modified Jun 17, 2026 2w ago

Description

In the Linux kernel, the following vulnerability has been resolved: ksmbd: require 3 sub-authorities before reading sub_auth[2] parse_dacl() compares each ACE SID against sid_unix_NFS_mode and on match reads sid.sub_auth[2] as the file mode. If sid_unix_NFS_mode is the prefix S-1-5-88-3 with num_subauth = 2 then compare_sids() compares only min(num_subauth, 2) sub-authorities so a client SID with num_subauth = 2 and sub_auth = {88, 3} will match. If num_subauth = 2 and the ACE is placed at the very end of the security descriptor, sub_auth[2] will be 4 bytes past end_of_acl. The out-of-band bytes will then be masked to the low 9 bits and applied as the file's POSIX mode, probably not something that is good to have happen. Fix this up by forcing the SID to actually carry a third sub-authority before reading it at all.

CVSS Details

Base Score
8.6
Exploitability
3.9
Impact
4.7
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality Low
Integrity Low
Availability High

Threat Intelligence

EPSS Exploit Probability
28.5% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Affected Products 5

VendorProductVersionRange
linuxlinux_kernel*≥5.15  –  <6.6.136
linuxlinux_kernel*≥6.7  –  <6.12.83
linuxlinux_kernel*≥6.13  –  <6.18.24
linuxlinux_kernel*≥6.19  –  <6.19.14
linuxlinux_kernel*≥7.0  –  <7.0.1

References 7

  • git.kernel.org https://git.kernel.org/stable/c/08f9e6d899b5c834bbcc239eae1bed58d9b15d2c
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/46bbcd3ebfb3549c8da1838fc4493e79bd3241e7
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/53370cf9090777774e07fd9a8ebce67c6cc333ab
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/9401f86a224f37b50e6a3ccf1d46a70d5ef8af0a
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/b5b5d5936a50497fb151c0b122899a6894721c2b
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/cf2148b880fb7c0fcd727202dbc4fd5d6998b9c2
  • git.kernel.org https://git.kernel.org/stable/c/d2454f4a002d08560a60f214f392e6491cf11560
    Patch

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/08f9e6d899b5c834bbcc239eae1bed58d9b15d2c
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/46bbcd3ebfb3549c8da1838fc4493e79bd3241e7
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/53370cf9090777774e07fd9a8ebce67c6cc333ab
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/9401f86a224f37b50e6a3ccf1d46a70d5ef8af0a
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/b5b5d5936a50497fb151c0b122899a6894721c2b
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/d2454f4a002d08560a60f214f392e6491cf11560
    Patch