Skip to content
CVSS 7.1 · HIGH

CVE-2026-31614

In the Linux kernel, the following vulnerability has been resolved: smb: client: fix off-by-8 bounds check in check_wsl_eas() The bounds check uses (u8 *)ea + nlen + 1 + vlen as the end of the EA name and value, but ea_data sits at offset sizeof(struct smb2_file_full_ea_info) = 8 from ea, not at offset 0. The strncmp() later reads ea->ea_data[0..nlen-1] and the value bytes follow at ea_data[nlen+1..nlen+vlen], so the actual end is ea->ea_data + nlen + 1 + vlen. Isn't pointer math fun? The earlier check (u8 *)ea > end - sizeof(*ea) only guarantees the 8-byte header is in bounds, but since the last EA is placed within 8 bytes of the end of the response, the name and value bytes are read past the end of iov. Fix this mess all up by using ea->ea_data as the base for the bounds check. An "untrusted" server can use this to leak up to 8 bytes of kernel heap into the EA name comparison and influence which WSL xattr the data is interpreted as.

Ver en NVD

Análisis

The Linux kernel SMB client has a bounds-check error that can lead to an out-of-bounds read when processing extended attributes. Systems that mount remote SMB shares could be vulnerable to kernel crashes or information disclosure if connected to a malicious or compromised server. Updating to a patched kernel version is recommended for all Linux users.

Severidad

Puntaje: 7.1(HIGH)
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
AV: LOCAL
AC: LOW
PR: LOW
UI: NONE
S: UNCHANGED
C: HIGH
I: NONE
A: HIGH
Tipo de falla (CWE): CWE-125

EPSS

Probabilidad de explotación (próx. 30 días): 0.0001 (0.0%)
Percentil: 2.4%
EPSS: 2026-05-06

Afecta

linux:linux_kernel

Descripción técnica

In the Linux kernel, the following vulnerability has been resolved: smb: client: fix off-by-8 bounds check in check_wsl_eas() The bounds check uses (u8 *)ea + nlen + 1 + vlen as the end of the EA name and value, but ea_data sits at offset sizeof(struct smb2_file_full_ea_info) = 8 from ea, not at offset 0. The strncmp() later reads ea->ea_data[0..nlen-1] and the value bytes follow at ea_data[nlen+1..nlen+vlen], so the actual end is ea->ea_data + nlen + 1 + vlen. Isn't pointer math fun? The earlier check (u8 *)ea > end - sizeof(*ea) only guarantees the 8-byte header is in bounds, but since the last EA is placed within 8 bytes of the end of the response, the name and value bytes are read past the end of iov. Fix this mess all up by using ea->ea_data as the base for the bounds check. An "untrusted" server can use this to leak up to 8 bytes of kernel heap into the EA name comparison and influence which WSL xattr the data is interpreted as.

Publicada: 24/4/2026, 15:16:40
Última modificación: 29/4/2026, 18:03:40

Referencias

InicioEventosBlogRecursosEquipo