Vulnerability-Lookup

WID-SEC-W-2026-1232

Vulnerability from csaf_certbund - Published: 2026-04-21 22:00 - Updated: 2026-05-03 22:00

Summary

Linux Kernel: Mehrere Schwachstellen

Severity

Hoch

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung: Der Kernel stellt den Kern des Linux Betriebssystems dar.

Angriff: Ein Angreifer kann mehrere Schwachstellen in Linux Kernel ausnutzen, um seine Privilegien zu erhöhen, um einen Denial of Service Zustand oder andere, nicht näher spezifizierte Auswirkungen zu erzielen.

Betroffene Betriebssysteme: - Linux

CVE-2026-31432

CVE-2026-31433

CVE-2026-31431

References

URL

CVE-2026-31432 (GCVE-0-2026-31432)

Vulnerability from cvelistv5 – Published: 2026-04-22 08:15 – Updated: 2026-04-27 14:03

Title

ksmbd: fix OOB write in QUERY_INFO for compound requests

Summary

In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix OOB write in QUERY_INFO for compound requests When a compound request such as READ + QUERY_INFO(Security) is received, and the first command (READ) consumes most of the response buffer, ksmbd could write beyond the allocated buffer while building a security descriptor. The root cause was that smb2_get_info_sec() checked buffer space using ppntsd_size from xattr, while build_sec_desc() often synthesized a significantly larger descriptor from POSIX ACLs. This patch introduces smb_acl_sec_desc_scratch_len() to accurately compute the final descriptor size beforehand, performs proper buffer checking with smb2_calc_max_out_buf_len(), and uses exact-sized allocation + iov pinning.

Severity ?

8.8 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/d48c64fb80ad78b3d…
	https://git.kernel.org/stable/c/075ea208c648cc2bc…
	https://git.kernel.org/stable/c/515c2daab46021221…
	https://git.kernel.org/stable/c/fda9522ed6afaec45…

Impacted products

Vendor

Product

Version

Linux

Affected: e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d , < d48c64fb80ad78b3dd29fb7d79b6ec7bd72bfc09 (git)
Affected: e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d , < 075ea208c648cc2bcd616295b711d3637c61de45 (git)
Affected: e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d , < 515c2daab46021221bdf406bef19bc90a44ec617 (git)
Affected: e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d , < fda9522ed6afaec45cabc198d8492270c394c7bc (git)
Affected: f2283680a80571ca82d710bc6ecd8f8beac67d63 (git)
Affected: 9f297df20d93411c0b4ddad7f88ba04a7cd36e77 (git)

Linux

Affected: 6.6
Unaffected: 0 , < 6.6 (semver)
Unaffected: 6.12.81 , ≤ 6.12.* (semver)
Unaffected: 6.18.22 , ≤ 6.18.* (semver)
Unaffected: 6.19.12 , ≤ 6.19.* (semver)
Unaffected: 7.0 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/smb/server/smb2pdu.c",
            "fs/smb/server/smbacl.c",
            "fs/smb/server/smbacl.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "d48c64fb80ad78b3dd29fb7d79b6ec7bd72bfc09",
              "status": "affected",
              "version": "e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d",
              "versionType": "git"
            },
            {
              "lessThan": "075ea208c648cc2bcd616295b711d3637c61de45",
              "status": "affected",
              "version": "e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d",
              "versionType": "git"
            },
            {
              "lessThan": "515c2daab46021221bdf406bef19bc90a44ec617",
              "status": "affected",
              "version": "e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d",
              "versionType": "git"
            },
            {
              "lessThan": "fda9522ed6afaec45cabc198d8492270c394c7bc",
              "status": "affected",
              "version": "e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "f2283680a80571ca82d710bc6ecd8f8beac67d63",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "9f297df20d93411c0b4ddad7f88ba04a7cd36e77",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/smb/server/smb2pdu.c",
            "fs/smb/server/smbacl.c",
            "fs/smb/server/smbacl.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.6"
            },
            {
              "lessThan": "6.6",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.81",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.22",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.19.*",
              "status": "unaffected",
              "version": "6.19.12",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.81",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.22",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19.12",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.15.145",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.1.71",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix OOB write in QUERY_INFO for compound requests\n\nWhen a compound request such as READ + QUERY_INFO(Security) is received,\nand the first command (READ) consumes most of the response buffer,\nksmbd could write beyond the allocated buffer while building a security\ndescriptor.\n\nThe root cause was that smb2_get_info_sec() checked buffer space using\nppntsd_size from xattr, while build_sec_desc() often synthesized a\nsignificantly larger descriptor from POSIX ACLs.\n\nThis patch introduces smb_acl_sec_desc_scratch_len() to accurately\ncompute the final descriptor size beforehand, performs proper buffer\nchecking with smb2_calc_max_out_buf_len(), and uses exact-sized\nallocation + iov pinning."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-27T14:03:04.638Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/d48c64fb80ad78b3dd29fb7d79b6ec7bd72bfc09"
        },
        {
          "url": "https://git.kernel.org/stable/c/075ea208c648cc2bcd616295b711d3637c61de45"
        },
        {
          "url": "https://git.kernel.org/stable/c/515c2daab46021221bdf406bef19bc90a44ec617"
        },
        {
          "url": "https://git.kernel.org/stable/c/fda9522ed6afaec45cabc198d8492270c394c7bc"
        }
      ],
      "title": "ksmbd: fix OOB write in QUERY_INFO for compound requests",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-31432",
    "datePublished": "2026-04-22T08:15:10.873Z",
    "dateReserved": "2026-03-09T15:48:24.089Z",
    "dateUpdated": "2026-04-27T14:03:04.638Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-31431 (GCVE-0-2026-31431)

Vulnerability from cvelistv5 – Published: 2026-04-22 08:15 – Updated: 2026-05-05 00:30

Title

crypto: algif_aead - Revert to operating out-of-place

Summary

In the Linux kernel, the following vulnerability has been resolved: crypto: algif_aead - Revert to operating out-of-place This mostly reverts commit 72548b093ee3 except for the copying of the associated data. There is no benefit in operating in-place in algif_aead since the source and destination come from different mappings. Get rid of all the complexity added for in-place operation and just copy the AD directly.

Severity ?

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-669 - Incorrect Resource Transfer Between Spheres

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/893d22e0135fa394d…
	https://git.kernel.org/stable/c/19d43105a97be0810…
	https://git.kernel.org/stable/c/961cfa271a918ad4a…
	https://git.kernel.org/stable/c/3115af9644c342b35…
	https://git.kernel.org/stable/c/8b88d99341f139e23…
	https://git.kernel.org/stable/c/fafe0fa2995a0f707…
	https://git.kernel.org/stable/c/ce42ee423e58dffa5…
	https://git.kernel.org/stable/c/a664bf3d603dc3bdc…

Impacted products

Vendor

Product

Version

Linux

Affected: 72548b093ee38a6d4f2a19e6ef1948ae05c181f7 , < 893d22e0135fa394db81df88697fba6032747667 (git)
Affected: 72548b093ee38a6d4f2a19e6ef1948ae05c181f7 , < 19d43105a97be0810edbda875f2cd03f30dc130c (git)
Affected: 72548b093ee38a6d4f2a19e6ef1948ae05c181f7 , < 961cfa271a918ad4ae452420e7c303149002875b (git)
Affected: 72548b093ee38a6d4f2a19e6ef1948ae05c181f7 , < 3115af9644c342b356f3f07a4dd1c8905cd9a6fc (git)
Affected: 72548b093ee38a6d4f2a19e6ef1948ae05c181f7 , < 8b88d99341f139e23bdeb1027a2a3ae10d341d82 (git)
Affected: 72548b093ee38a6d4f2a19e6ef1948ae05c181f7 , < fafe0fa2995a0f7073c1c358d7d3145bcc9aedd8 (git)
Affected: 72548b093ee38a6d4f2a19e6ef1948ae05c181f7 , < ce42ee423e58dffa5ec03524054c9d8bfd4f6237 (git)
Affected: 72548b093ee38a6d4f2a19e6ef1948ae05c181f7 , < a664bf3d603dc3bdcf9ae47cc21e0daec706d7a5 (git)

Linux

Affected: 4.14
Unaffected: 0 , < 4.14 (semver)
Unaffected: 5.10.254 , ≤ 5.10.* (semver)
Unaffected: 5.15.204 , ≤ 5.15.* (semver)
Unaffected: 6.1.170 , ≤ 6.1.* (semver)
Unaffected: 6.6.137 , ≤ 6.6.* (semver)
Unaffected: 6.12.85 , ≤ 6.12.* (semver)
Unaffected: 6.18.22 , ≤ 6.18.* (semver)
Unaffected: 6.19.12 , ≤ 6.19.* (semver)
Unaffected: 7.0 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-31431",
                "options": [
                  {
                    "Exploitation": "active"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-29T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          },
          {
            "other": {
              "content": {
                "dateAdded": "2026-05-01",
                "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-31431"
              },
              "type": "kev"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-669",
                "description": "CWE-669 Incorrect Resource Transfer Between Spheres",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-02T03:55:23.146Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/theori-io/copy-fail-CVE-2026-31431"
          },
          {
            "tags": [
              "mitigation"
            ],
            "url": "https://xint.io/blog/copy-fail-linux-distributions#the-fix-6"
          },
          {
            "tags": [
              "mitigation"
            ],
            "url": "https://lore.kernel.org/linux-cve-announce/2026042214-CVE-2026-31431-3d65@gregkh/"
          },
          {
            "tags": [
              "mitigation"
            ],
            "url": "https://access.redhat.com/security/cve/cve-2026-31431#cve-details-mitigation"
          },
          {
            "tags": [
              "government-resource"
            ],
            "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-31431"
          }
        ],
        "timeline": [
          {
            "lang": "en",
            "time": "2026-05-01T00:00:00.000Z",
            "value": "CVE-2026-31431 added to CISA KEV"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2026-05-05T00:30:43.498Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/04/29/23"
          },
          {
            "url": "https://copy.fail"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/04/29/25"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/04/29/26"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/04/30/2"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/04/30/5"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/04/30/6"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/04/30/10"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/04/30/11"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/04/30/12"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/04/30/14"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/04/30/15"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/04/30/16"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/04/30/17"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/04/30/18"
          },
          {
            "url": "https://websec.net/blog/cve-2026-31431-linux-algifaead-page-cache-write-to-root-69f38a4ccddd2db1f520f170"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/04/30/20"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/05/01/2"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/05/01/3"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/05/01/10"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/05/01/12"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/05/01/15"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/05/01/16"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/05/01/17"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/05/01/18"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/05/01/22"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/05/01/23"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/05/01/24"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/05/02/4"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/05/02/5"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/05/02/6"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/05/02/7"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/05/02/8"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/05/02/14"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/05/02/15"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/05/02/16"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/05/02/17"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/05/02/18"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/05/02/19"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/05/02/20"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/05/02/21"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/05/02/23"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/05/02/24"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/05/02/25"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/05/03/3"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/05/03/4"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/05/03/10"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/05/03/5"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/05/03/6"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/05/03/12"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/05/03/13"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/05/04/1"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/05/04/2"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/05/04/10"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/05/04/11"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/05/04/12"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/05/04/13"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/05/04/14"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/05/04/8"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/05/04/9"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/05/04/24"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/05/04/27"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/05/04/28"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/05/04/29"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/05/04/31"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "crypto/af_alg.c",
            "crypto/algif_aead.c",
            "crypto/algif_skcipher.c",
            "include/crypto/if_alg.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "893d22e0135fa394db81df88697fba6032747667",
              "status": "affected",
              "version": "72548b093ee38a6d4f2a19e6ef1948ae05c181f7",
              "versionType": "git"
            },
            {
              "lessThan": "19d43105a97be0810edbda875f2cd03f30dc130c",
              "status": "affected",
              "version": "72548b093ee38a6d4f2a19e6ef1948ae05c181f7",
              "versionType": "git"
            },
            {
              "lessThan": "961cfa271a918ad4ae452420e7c303149002875b",
              "status": "affected",
              "version": "72548b093ee38a6d4f2a19e6ef1948ae05c181f7",
              "versionType": "git"
            },
            {
              "lessThan": "3115af9644c342b356f3f07a4dd1c8905cd9a6fc",
              "status": "affected",
              "version": "72548b093ee38a6d4f2a19e6ef1948ae05c181f7",
              "versionType": "git"
            },
            {
              "lessThan": "8b88d99341f139e23bdeb1027a2a3ae10d341d82",
              "status": "affected",
              "version": "72548b093ee38a6d4f2a19e6ef1948ae05c181f7",
              "versionType": "git"
            },
            {
              "lessThan": "fafe0fa2995a0f7073c1c358d7d3145bcc9aedd8",
              "status": "affected",
              "version": "72548b093ee38a6d4f2a19e6ef1948ae05c181f7",
              "versionType": "git"
            },
            {
              "lessThan": "ce42ee423e58dffa5ec03524054c9d8bfd4f6237",
              "status": "affected",
              "version": "72548b093ee38a6d4f2a19e6ef1948ae05c181f7",
              "versionType": "git"
            },
            {
              "lessThan": "a664bf3d603dc3bdcf9ae47cc21e0daec706d7a5",
              "status": "affected",
              "version": "72548b093ee38a6d4f2a19e6ef1948ae05c181f7",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "crypto/af_alg.c",
            "crypto/algif_aead.c",
            "crypto/algif_skcipher.c",
            "include/crypto/if_alg.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.14"
            },
            {
              "lessThan": "4.14",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.254",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.204",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.170",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.137",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.85",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.22",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.19.*",
              "status": "unaffected",
              "version": "6.19.12",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.254",
                  "versionStartIncluding": "4.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.204",
                  "versionStartIncluding": "4.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.170",
                  "versionStartIncluding": "4.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.137",
                  "versionStartIncluding": "4.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.85",
                  "versionStartIncluding": "4.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.22",
                  "versionStartIncluding": "4.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19.12",
                  "versionStartIncluding": "4.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0",
                  "versionStartIncluding": "4.14",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: algif_aead - Revert to operating out-of-place\n\nThis mostly reverts commit 72548b093ee3 except for the copying of\nthe associated data.\n\nThere is no benefit in operating in-place in algif_aead since the\nsource and destination come from different mappings.  Get rid of\nall the complexity added for in-place operation and just copy the\nAD directly."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-30T09:32:06.731Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/893d22e0135fa394db81df88697fba6032747667"
        },
        {
          "url": "https://git.kernel.org/stable/c/19d43105a97be0810edbda875f2cd03f30dc130c"
        },
        {
          "url": "https://git.kernel.org/stable/c/961cfa271a918ad4ae452420e7c303149002875b"
        },
        {
          "url": "https://git.kernel.org/stable/c/3115af9644c342b356f3f07a4dd1c8905cd9a6fc"
        },
        {
          "url": "https://git.kernel.org/stable/c/8b88d99341f139e23bdeb1027a2a3ae10d341d82"
        },
        {
          "url": "https://git.kernel.org/stable/c/fafe0fa2995a0f7073c1c358d7d3145bcc9aedd8"
        },
        {
          "url": "https://git.kernel.org/stable/c/ce42ee423e58dffa5ec03524054c9d8bfd4f6237"
        },
        {
          "url": "https://git.kernel.org/stable/c/a664bf3d603dc3bdcf9ae47cc21e0daec706d7a5"
        }
      ],
      "title": "crypto: algif_aead - Revert to operating out-of-place",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-31431",
    "datePublished": "2026-04-22T08:15:10.123Z",
    "dateReserved": "2026-03-09T15:48:24.089Z",
    "dateUpdated": "2026-05-05T00:30:43.498Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-31433 (GCVE-0-2026-31433)

Vulnerability from cvelistv5 – Published: 2026-04-22 08:15 – Updated: 2026-04-27 14:03

Title

ksmbd: fix potencial OOB in get_file_all_info() for compound requests

Summary

In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix potencial OOB in get_file_all_info() for compound requests When a compound request consists of QUERY_DIRECTORY + QUERY_INFO (FILE_ALL_INFORMATION) and the first command consumes nearly the entire max_trans_size, get_file_all_info() would blindly call smbConvertToUTF16() with PATH_MAX, causing out-of-bounds write beyond the response buffer. In get_file_all_info(), there was a missing validation check for the client-provided OutputBufferLength before copying the filename into FileName field of the smb2_file_all_info structure. If the filename length exceeds the available buffer space, it could lead to potential buffer overflows or memory corruption during smbConvertToUTF16 conversion. This calculating the actual free buffer size using smb2_calc_max_out_buf_len() and returning -EINVAL if the buffer is insufficient and updating smbConvertToUTF16 to use the actual filename length (clamped by PATH_MAX) to ensure a safe copy operation.

Severity ?

8.8 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/3a852f9d1c981fb14…
	https://git.kernel.org/stable/c/4cca3eff2099b1867…
	https://git.kernel.org/stable/c/358cdaa1f7fbf2712…
	https://git.kernel.org/stable/c/7aec5a769d2356cbf…
	https://git.kernel.org/stable/c/b0cd9725fe2bcc9f3…
	https://git.kernel.org/stable/c/9d7032851d6f5adbe…
	https://git.kernel.org/stable/c/beef2634f81f1c086…

Impacted products

Vendor

Product

Version

Linux

Affected: f2283680a80571ca82d710bc6ecd8f8beac67d63 , < 3a852f9d1c981fb14f6bf4e24999e0ea8088a7d7 (git)
Affected: 9f297df20d93411c0b4ddad7f88ba04a7cd36e77 , < 4cca3eff2099b18672934a39cee70aed835d652c (git)
Affected: e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d , < 358cdaa1f7fbf2712cb4c5f6b59cb9a5c673c5fe (git)
Affected: e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d , < 7aec5a769d2356cbf344d85bcfd36de592ac96a5 (git)
Affected: e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d , < b0cd9725fe2bcc9f37d096b132318a9060373f5d (git)
Affected: e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d , < 9d7032851d6f5adbe2739601ca456c0ad3b422f0 (git)
Affected: e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d , < beef2634f81f1c086208191f7228bce1d366493d (git)

Linux

Affected: 6.6
Unaffected: 0 , < 6.6 (semver)
Unaffected: 5.15.203 , ≤ 5.15.* (semver)
Unaffected: 6.1.168 , ≤ 6.1.* (semver)
Unaffected: 6.6.131 , ≤ 6.6.* (semver)
Unaffected: 6.12.80 , ≤ 6.12.* (semver)
Unaffected: 6.18.21 , ≤ 6.18.* (semver)
Unaffected: 6.19.11 , ≤ 6.19.* (semver)
Unaffected: 7.0 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/smb/server/smb2pdu.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "3a852f9d1c981fb14f6bf4e24999e0ea8088a7d7",
              "status": "affected",
              "version": "f2283680a80571ca82d710bc6ecd8f8beac67d63",
              "versionType": "git"
            },
            {
              "lessThan": "4cca3eff2099b18672934a39cee70aed835d652c",
              "status": "affected",
              "version": "9f297df20d93411c0b4ddad7f88ba04a7cd36e77",
              "versionType": "git"
            },
            {
              "lessThan": "358cdaa1f7fbf2712cb4c5f6b59cb9a5c673c5fe",
              "status": "affected",
              "version": "e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d",
              "versionType": "git"
            },
            {
              "lessThan": "7aec5a769d2356cbf344d85bcfd36de592ac96a5",
              "status": "affected",
              "version": "e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d",
              "versionType": "git"
            },
            {
              "lessThan": "b0cd9725fe2bcc9f37d096b132318a9060373f5d",
              "status": "affected",
              "version": "e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d",
              "versionType": "git"
            },
            {
              "lessThan": "9d7032851d6f5adbe2739601ca456c0ad3b422f0",
              "status": "affected",
              "version": "e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d",
              "versionType": "git"
            },
            {
              "lessThan": "beef2634f81f1c086208191f7228bce1d366493d",
              "status": "affected",
              "version": "e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/smb/server/smb2pdu.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.6"
            },
            {
              "lessThan": "6.6",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.203",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.168",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.131",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.80",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.21",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.19.*",
              "status": "unaffected",
              "version": "6.19.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.203",
                  "versionStartIncluding": "5.15.145",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.168",
                  "versionStartIncluding": "6.1.71",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.131",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.80",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.21",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19.11",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix potencial OOB in get_file_all_info() for compound requests\n\nWhen a compound request consists of QUERY_DIRECTORY + QUERY_INFO\n(FILE_ALL_INFORMATION) and the first command consumes nearly the entire\nmax_trans_size, get_file_all_info() would blindly call smbConvertToUTF16()\nwith PATH_MAX, causing out-of-bounds write beyond the response buffer.\nIn get_file_all_info(), there was a missing validation check for\nthe client-provided OutputBufferLength before copying the filename into\nFileName field of the smb2_file_all_info structure.\nIf the filename length exceeds the available buffer space, it could lead to\npotential buffer overflows or memory corruption during smbConvertToUTF16\nconversion. This calculating the actual free buffer size using\nsmb2_calc_max_out_buf_len() and returning -EINVAL if the buffer is\ninsufficient and updating smbConvertToUTF16 to use the actual filename\nlength (clamped by PATH_MAX) to ensure a safe copy operation."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-27T14:03:05.745Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/3a852f9d1c981fb14f6bf4e24999e0ea8088a7d7"
        },
        {
          "url": "https://git.kernel.org/stable/c/4cca3eff2099b18672934a39cee70aed835d652c"
        },
        {
          "url": "https://git.kernel.org/stable/c/358cdaa1f7fbf2712cb4c5f6b59cb9a5c673c5fe"
        },
        {
          "url": "https://git.kernel.org/stable/c/7aec5a769d2356cbf344d85bcfd36de592ac96a5"
        },
        {
          "url": "https://git.kernel.org/stable/c/b0cd9725fe2bcc9f37d096b132318a9060373f5d"
        },
        {
          "url": "https://git.kernel.org/stable/c/9d7032851d6f5adbe2739601ca456c0ad3b422f0"
        },
        {
          "url": "https://git.kernel.org/stable/c/beef2634f81f1c086208191f7228bce1d366493d"
        }
      ],
      "title": "ksmbd: fix potencial OOB in get_file_all_info() for compound requests",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-31433",
    "datePublished": "2026-04-22T08:15:11.719Z",
    "dateReserved": "2026-03-09T15:48:24.089Z",
    "dateUpdated": "2026-04-27T14:03:05.745Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

WID-SEC-W-2026-1232

CVE-2026-31432 (GCVE-0-2026-31432)

CVE-2026-31431 (GCVE-0-2026-31431)

CVE-2026-31433 (GCVE-0-2026-31433)

Tags

Sightings

Nomenclature