CVE-2026-31705

Name of the Vulnerable Software and Affected Versions Linux kernel (affected versions not specified)

Description An out-of-bounds write exists in the smb2 get ea() function within the ksmbd module. The function applies 4-byte alignment padding using memset() after writing each Extended Attribute (EA) entry. While a bounds check on buf free len is performed before the value memcpy, the alignment memset occurs unconditionally without verifying the remaining space. If the EA value exactly fills the remaining buffer, the alignment process writes 1-3 NUL bytes beyond the buf free len boundary. In compound requests where a response buffer is shared across commands, this can lead to overwriting adjacent kernel heap memory beyond the physical kvmalloc allocation.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.