CVE-2026-31614

HIGH EPSS 2.6%
Published Apr 24, 20262mo ago · Modified Jun 17, 20261w ago
7.1 CVSS 3.1
High
Find Similar
Published Apr 24, 2026 2mo ago
Last Modified Jun 17, 2026 1w ago

Description

In the Linux kernel, the following vulnerability has been resolved: smb: client: fix off-by-8 bounds check in check_wsl_eas() The bounds check uses (u8 *)ea + nlen + 1 + vlen as the end of the EA name and value, but ea_data sits at offset sizeof(struct smb2_file_full_ea_info) = 8 from ea, not at offset 0. The strncmp() later reads ea->ea_data[0..nlen-1] and the value bytes follow at ea_data[nlen+1..nlen+vlen], so the actual end is ea->ea_data + nlen + 1 + vlen. Isn't pointer math fun? The earlier check (u8 *)ea > end - sizeof(*ea) only guarantees the 8-byte header is in bounds, but since the last EA is placed within 8 bytes of the end of the response, the name and value bytes are read past the end of iov. Fix this mess all up by using ea->ea_data as the base for the bounds check. An "untrusted" server can use this to leak up to 8 bytes of kernel heap into the EA name comparison and influence which WSL xattr the data is interpreted as.

CVSS Details

Base Score
7.1
Exploitability
1.8
Impact
5.2
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality High
Integrity None
Availability High

Threat Intelligence

EPSS Exploit Probability
2.6% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-125 Out-of-bounds Read Memory Safety

Affected Products 5

VendorProductVersionRange
linuxlinux_kernel*≥6.6.32  –  <6.6.136
linuxlinux_kernel*≥6.9  –  <6.12.83
linuxlinux_kernel*≥6.13  –  <6.18.24
linuxlinux_kernel*≥6.19  –  <6.19.14
linuxlinux_kernel*≥7.0  –  <7.0.1

References 6

  • git.kernel.org https://git.kernel.org/stable/c/3d8b9d06bd3ac4c6846f5498800b0f5f8062e53b
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/5cc0574c84aa73946ade587c41e81757b8b01cb5
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/a893f1757d9a4009e4a8d7ceb2312142fe29cea4
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/b2b76d09a64c538c57006180103fc1841e8cfa66
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/ba3ad159aa61810bbe0acaf39578b1ebfb6f1a18
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/bfbc74df8bbe095b3ed68f6d4487b368af087890
    Patch

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/3d8b9d06bd3ac4c6846f5498800b0f5f8062e53b
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/5cc0574c84aa73946ade587c41e81757b8b01cb5
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/a893f1757d9a4009e4a8d7ceb2312142fe29cea4
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/b2b76d09a64c538c57006180103fc1841e8cfa66
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/ba3ad159aa61810bbe0acaf39578b1ebfb6f1a18
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/bfbc74df8bbe095b3ed68f6d4487b368af087890
    Patch