CVE-2026-31708

HIGH EPSS 22.3%
Published May 1, 2026 (1mo ago) · Modified Jun 19, 2026 (1w ago)
8.1 CVSS 3.1
High

Description

In the Linux kernel, the following vulnerability has been resolved:

smb: client: fix OOB read in smb2_ioctl_query_info QUERY_INFO path

smb2_ioctl_query_info() has two response-copy branches: PASSTHRU_FSCTL and the default QUERY_INFO path. The QUERY_INFO branch clamps qi.input_buffer_length to the server-reported OutputBufferLength and then copies qi.input_buffer_length bytes from qi_rsp->Buffer to userspace, but it never verifies that the flexible-array payload actually fits within rsp_iov[1].iov_len.

A malicious server can return OutputBufferLength larger than the actual QUERY_INFO response, causing copy_to_user() to walk past the response buffer and expose adjacent kernel heap to userspace.

Guard the QUERY_INFO copy with a bounds check on the actual Buffer payload. Use struct_size(qi_rsp, Buffer, qi.input_buffer_length) rather than an open-coded addition so the guard cannot overflow on 32-bit builds.
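The guard described above, modelled in user space as an added example (not the kernel's code or the upstream patch). The struct layout, the function names and the native-endian length field are assumptions made for illustration; `payload_size()` stands in for the kernel's overflow-checked `struct_size()`.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simplified stand-in for a QUERY_INFO response: a fixed header followed by
 * a flexible-array payload. The real header has more fields (assumption). */
struct qi_rsp_model {
    uint32_t OutputBufferLength;   /* length claimed by the server */
    uint8_t  Buffer[];
};

/* Overflow-checked header + n, the user-space analogue of
 * struct_size(rsp, Buffer, n). Returns -1 if the sum would wrap. */
static int payload_size(size_t n, size_t *out)
{
    size_t hdr = offsetof(struct qi_rsp_model, Buffer);

    if (n > SIZE_MAX - hdr)
        return -1;
    *out = hdr + n;
    return 0;
}

/* Copy up to req_len payload bytes out of a received response of iov_len
 * bytes. Returns the number of bytes copied, or -1 when the claimed payload
 * does not fit inside what was actually received. */
long copy_query_info(const uint8_t *rsp, size_t iov_len,
                     uint32_t req_len, uint8_t *dst)
{
    uint32_t claimed, n = req_len;
    size_t need;

    if (iov_len < offsetof(struct qi_rsp_model, Buffer))
        return -1;                       /* header itself is truncated */
    memcpy(&claimed, rsp, sizeof(claimed));
    if (n > claimed)                     /* the clamp the page describes */
        n = claimed;
    /* The guard: header + n must lie within the received bytes. Without it,
     * the copy below trusts the server's length and reads past the buffer. */
    if (payload_size(n, &need) || need > iov_len)
        return -1;
    memcpy(dst, rsp + offsetof(struct qi_rsp_model, Buffer), n);
    return (long)n;
}
```
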

CVSS Details

Base Score 8.1
Exploitability 2.8
Impact 5.2
Vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction Required
Scope Unchanged
Confidentiality High
Integrity None
Availability High

Threat Intelligence

EPSS Exploit Probability
22.3% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-125 Out-of-bounds Read Memory Safety

Affected Products 4

Vendor  Product       Version  Range
linux   linux_kernel  *        ≥5.1 – <6.6.136
linux   linux_kernel  *        ≥6.7 – <6.12.84
linux   linux_kernel  *        ≥6.13 – <6.18.25
linux   linux_kernel  *        ≥6.19 – <7.0.2

References 8

  • git.kernel.org https://git.kernel.org/stable/c/078fae8f50adebb903ccf2252b44391324571e78
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/1dd757379997b71a328a4b591ffaf481acd0ead1
  • git.kernel.org https://git.kernel.org/stable/c/85fd46ee26a11841c670449508025965f61ce131
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/9e203dbb5402897c43130fb171a2617008a91f45
  • git.kernel.org https://git.kernel.org/stable/c/a34d456934fe42e4da5d2cc07787bf418bee99c6
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/a58c5af19ff0d6f44f6e9fe31e33a2c92223f77e
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/ac2f14e4705d020f04e806efa0d49ab8dc2b145f
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/e66bdc0704977ecee667a81d38255b579c2353d0

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/078fae8f50adebb903ccf2252b44391324571e78
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/85fd46ee26a11841c670449508025965f61ce131
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/a34d456934fe42e4da5d2cc07787bf418bee99c6
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/a58c5af19ff0d6f44f6e9fe31e33a2c92223f77e
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/ac2f14e4705d020f04e806efa0d49ab8dc2b145f
    Patch