CVE-2026-31709

HIGH EPSS 22.4%
Published May 1, 2026 · Modified Jun 19, 2026
8.8 CVSS 3.1
High

Description

In the Linux kernel, the following vulnerability has been resolved:

smb: client: validate the whole DACL before rewriting it in cifsacl

build_sec_desc() and id_mode_to_cifs_acl() derive a DACL pointer from a server-supplied dacloffset and then use the incoming ACL to rebuild the chmod/chown security descriptor. The original fix only checked that the struct smb_acl header fits before reading dacl_ptr->size or dacl_ptr->num_aces. That avoids the immediate header-field OOB read, but the rewrite helpers still walk ACEs based on pdacl->num_aces with no structural validation of the incoming DACL body.

A malicious server can return a truncated DACL that still contains a header, claims one or more ACEs, and then drive replace_sids_and_copy_aces() or set_chmod_dacl() past the validated extent while they compare or copy attacker-controlled ACEs.

Factor the DACL structural checks into validate_dacl(), extend them to validate each ACE against the DACL bounds, and use the shared validator before the chmod/chown rebuild paths. parse_dacl() reuses the same validator so the read-side parser and write-side rewrite paths agree on what constitutes a well-formed incoming DACL.
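The structural validation the fix describes, as an added standalone model written for this page (it is not the kernel's validate_dacl() and not code from the CVE record): it checks that the ACL header fits, that the DACL's claimed extent lies inside the descriptor, and that every claimed ACE fits within that extent, then runs on two constructed descriptors, one well-formed and one whose header-only DACL still claims an ACE. Field sizes follow the on-wire ACL/ACE header layout; the names rd16, rd32, dacl_is_valid, sd_good and sd_trunc are assumptions of this example.

```c
#include <stdint.h>
#include <stddef.h>
/* On-wire layout: ACL header = revision(2) size(2) num_aces(4);
 * ACE header = type(1) flags(1) size(2) access(4), then a variable-length SID. */
#define ACL_HDR 8u
#define ACE_HDR 8u

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Returns 1 if the DACL at dacloffset inside the sd_len-byte descriptor is
 * structurally sound, 0 otherwise. Each claimed ACE is checked against the
 * DACL's own extent rather than trusting num_aces. */
static int dacl_is_valid(const uint8_t *sd, size_t sd_len, size_t dacloffset)
{
    size_t end, off;
    uint16_t acl_size;
    uint32_t num_aces, i;
    /* The header must fit before any field is read; the original fix stopped here. */
    if (dacloffset > sd_len || sd_len - dacloffset < ACL_HDR)
        return 0;
    acl_size = rd16(sd + dacloffset + 2);
    num_aces = rd32(sd + dacloffset + 4);
    /* The DACL's claimed extent must itself lie inside the descriptor. */
    if (acl_size < ACL_HDR || acl_size > sd_len - dacloffset)
        return 0;
    end = dacloffset + acl_size;
    off = dacloffset + ACL_HDR;
    for (i = 0; i < num_aces; i++) {
        uint16_t ace_size;
        if (end - off < ACE_HDR)
            return 0;                       /* truncated: ACE header runs past the DACL */
        ace_size = rd16(sd + off + 2);
        if (ace_size < ACE_HDR || ace_size > end - off)
            return 0;                       /* ACE claims more bytes than remain */
        off += ace_size;
    }
    return 1;
}

/* Constructed descriptors: 4 placeholder bytes, then the DACL at offset 4. */
static const uint8_t sd_good[] = { 0, 0, 0, 0,
    2, 0, 24, 0, 1, 0, 0, 0,                                  /* ACL: size 24, one ACE   */
    0, 0, 16, 0, 0xff, 1, 0x1f, 0, 1, 1, 0, 0, 0, 0, 0, 0 };  /* ACE: size 16, 8-byte SID */
static const uint8_t sd_trunc[] = { 0, 0, 0, 0,
    2, 0, 8, 0, 1, 0, 0, 0 };                                 /* header only, claims 1 ACE */
```

A header-only check accepts sd_trunc (its 8-byte header fits and its size field is consistent); only the per-ACE walk rejects it.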

CVSS Details

Base Score
8.8
Exploitability
2.8
Impact
5.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction Required
Scope Unchanged
Confidentiality High
Integrity High
Availability High

Threat Intelligence

EPSS Exploit Probability
22.4% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Affected Products 1

Vendor  Product       Version  Range
linux   linux_kernel  *        ≥5.12 – <7.0.2

References 7

  • git.kernel.org https://git.kernel.org/stable/c/0a8cf165566ba55a39fd0f4de172119dd646d39a
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/8e47d297e7cf9a6029a0d38e7b22faba7d7aaf12
  • git.kernel.org https://git.kernel.org/stable/c/b78db9bddc84136f6a0bb49e8883cf200dfb87a8
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/b8603d9ae6c9087662b098619996bc4a8064319d
  • git.kernel.org https://git.kernel.org/stable/c/c2abdebf72000a64603ced84d36ccbd164f11391
  • git.kernel.org https://git.kernel.org/stable/c/d92f3f0b22414e7515696a02224d0af55e3004a3
  • git.kernel.org https://git.kernel.org/stable/c/ff0ca46b13b9ef6edbcd238a3b6caacfef8ba0e5

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/0a8cf165566ba55a39fd0f4de172119dd646d39a
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/b78db9bddc84136f6a0bb49e8883cf200dfb87a8
    Patch