PT-2026-34965 · Linux · Linux Kernel

Published 2026-04-24 · Updated 2026-05-06 · CVE-2026-31613

CVSS v3.1: 8.1 High

Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H
Name of the Vulnerable Software and Affected Versions

Linux kernel (affected versions not specified)
Description

An issue exists in the SMB client when parsing symlink error responses. When a CREATE request returns STATUS_STOPPED_ON_SYMLINK, the smb2_check_message() function returns success without length validation. The symlink_data() function may read past the end of the buffer when processing SMB 3.1.1 error contexts if the server-controlled ErrorDataLength advances the pointer too close to the end. Additionally, smb2_parse_symlink_response() uses a fixed offset for the substitute name check, which is only accurate when ErrorContextCount is zero. If error contexts are present, the substitute name read can exceed the buffer length, causing out-of-bounds heap bytes to be UTF-16-decoded and returned to userspace via readlink(2).
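The two checks the description says are missing, as an added user-space sketch (not the kernel's code and not the upstream fix): every context header is validated before it is followed, and the substitute name is bounded from where the symlink data actually starts rather than from a fixed offset. The field offsets follow the published MS-SMB2 layout as assumed here, the names subst_name() and sample() are hypothetical, and limiting the name to the context's own ErrorDataLength is a stricter choice than the description requires.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define CTX_HDR   8u           /* ErrorDataLength(4) + ErrorId(4) */
#define SYM_FIXED 28u          /* symlink error fields before PathBuffer */
#define SYM_TAG   0x4C4D5953u  /* SymLinkErrorTag, "SYML" on the wire */
static uint32_t le16(const uint8_t *p) { return p[0] | (uint32_t)p[1] << 8; }
static uint32_t le32(const uint8_t *p) { return le16(p) | le16(p + 2) << 16; }

/* Offset of SubstituteName in ErrorData buf (length in *nlen); -1 if out of bounds. */
long subst_name(const uint8_t *buf, size_t len, unsigned ctx_count, size_t *nlen)
{
    size_t pos = 0, end = len;          /* symlink data occupies [pos, end) */
    int found = (ctx_count == 0);       /* no contexts: data starts at offset 0 */
    for (unsigned i = 0; i < ctx_count && !found; i++) {
        if (len - pos < CTX_HDR) return -1;             /* truncated header */
        size_t dlen = le32(buf + pos);
        if (dlen > len - pos - CTX_HDR) return -1;      /* ErrorDataLength overrun */
        if (le32(buf + pos + 4) == 0) {                 /* ErrorId 0 holds the data */
            pos += CTX_HDR;
            end = pos + dlen;
            found = 1;
        } else {
            size_t adv = CTX_HDR + ((dlen + 7) & ~(size_t)7);  /* 8-byte aligned */
            if (adv > len - pos) return -1;
            pos += adv;
        }
    }
    if (!found || end - pos < SYM_FIXED || le32(buf + pos + 4) != SYM_TAG)
        return -1;
    size_t so = le16(buf + pos + 16);       /* SubstituteNameOffset */
    size_t sl = le16(buf + pos + 18);       /* SubstituteNameLength */
    size_t avail = end - pos - SYM_FIXED;   /* PathBuffer bytes really present */
    if (so > avail || sl > avail - so) return -1;
    *nlen = sl;
    return (long)(pos + SYM_FIXED + so);
}

/* Constructed 40-byte sample: one ErrorId 0 context, symlink error, 4-byte PathBuffer. */
long sample(unsigned ctx_count, uint8_t err_data_len, uint8_t name_len)
{
    uint8_t b[40] = {0};
    size_t n;
    b[0] = err_data_len;                    /* ErrorDataLength */
    memcpy(b + CTX_HDR + 4, "SYML", 4);     /* SymLinkErrorTag */
    b[CTX_HDR + 18] = name_len;             /* SubstituteNameLength */
    return ctx_count ? subst_name(b, sizeof b, ctx_count, &n)
                     : subst_name(b + CTX_HDR, sizeof b - CTX_HDR, 0, &n);
}
```

With one context present the name sits at offset 36 instead of 28, which is the 8-byte shift a fixed-offset check does not account for.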
Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Out of bounds Read

Weakness Enumeration

Related Identifiers

CVE-2026-31613
OPENSUSE-SU-2026:10703-1

Affected Products

Linux Kernel