PT-2026-34275 · Linux · Linux
Published: 2026-04-22 · Updated: 2026-04-22 · CVE-2026-31432
No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
In the Linux kernel, the following vulnerability has been resolved:

ksmbd: fix OOB write in QUERY_INFO for compound requests

When a compound request such as READ + QUERY_INFO(Security) is received,
and the first command (READ) consumes most of the response buffer,
ksmbd could write beyond the allocated buffer while building a security
descriptor.

The root cause was that smb2_get_info_sec() checked buffer space using
ppntsd_size from xattr, while build_sec_desc() often synthesized a
significantly larger descriptor from POSIX ACLs.

This patch introduces smb_acl_sec_desc_scratch_len() to accurately
compute the final descriptor size beforehand, performs proper buffer
checking with smb2_calc_max_out_buf_len(), and uses exact-sized
allocation + iov pinning.
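
The size-check mismatch described above, as an added example that is not ksmbd code and not part of the original advisory: a simplified user-space model that contrasts a check against the stored size with a check against the size that will actually be built. All names, constants and the descriptor layout are hypothetical assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified user-space model, not ksmbd code. All names and sizes are
 * hypothetical; they only mirror the roles described in the advisory. */
#define RSP_MAX 4096u /* response buffer shared by the compound request */
#define HDR_LEN 20u   /* fixed part of the modelled descriptor */
#define ACE_LEN 24u   /* one entry synthesised from a POSIX ACL entry */

/* Exact length of the descriptor the builder will emit. */
static size_t desc_len(unsigned n_aces)
{
    return HDR_LEN + (size_t)n_aces * ACE_LEN;
}

/* Flawed check: compares the size stored in the xattr with the space
 * left after the first command, not the size that will be built. */
static int stored_size_check(size_t used, size_t stored_len)
{
    return used <= RSP_MAX && stored_len <= RSP_MAX - used;
}

/* Corrected flow: compute the final size first, compare it with the
 * remaining space, then build into an exact-sized allocation.
 * Returns the new response length, or -1 if the descriptor cannot fit. */
static long query_sec(size_t used, unsigned n_aces)
{
    size_t need = desc_len(n_aces);
    unsigned char *desc;

    if (used > RSP_MAX || need > RSP_MAX - used)
        return -1;              /* reject instead of writing past the end */
    desc = malloc(need);
    if (!desc)
        return -1;
    memset(desc, 0, need);      /* stand-in for building the descriptor */
    free(desc);                 /* a server would attach it to the response */
    return (long)(used + need);
}

int main(void)
{
    /* Constructed case: READ used 4000 bytes, xattr holds 48, 6 entries. */
    printf("stored-size check passes: %d\n", stored_size_check(4000, 48));
    printf("descriptor needs %zu bytes, %u left\n", desc_len(6), RSP_MAX - 4000u);
    printf("exact-size flow returns: %ld\n", query_sec(4000, 6));
    return 0;
}
```

In the constructed case the stored-size check passes even though the synthesised descriptor is larger than the space left, which is the condition the fix removes by sizing the descriptor before checking.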
Affected Products
Linux