PT-2026-36336 · Linux · Linux Kernel

Namjae · Published 2026-05-01 · Updated 2026-05-16 · CVE-2026-31706

CVSS v3.1: 8.8 High

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Linux kernel (affected versions not specified)

Description

An issue exists in the ksmbd module where the smb_inherit_dacl() function trusts the num_aces value from a parent directory's DACL xattr to determine the size of a heap allocation. An authenticated client can tamper with the security.NTACL of a parent directory to provide a large num_aces value (e.g., 65535) with minimal actual ACE data. This can lead to an uninitialized ~8 MB allocation and may cause a size_t multiplication overflow on 32-bit kernels. Additionally, the ACE walk loop fails to properly reject ACEs whose declared size is below the minimum valid on-wire ACE size. The issue was triggered during an SMB2 CREATE operation via the smb2_open() function.
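
The two validation gaps named in the description, shown as an added userspace C model (not the ksmbd source or its patch): the ACE count is bounded by the bytes actually present before anything is sized from it, and any ACE whose declared size is below the minimum is rejected. The helper name, the 8-byte header and 16-byte minimum ACE sizes, and the sample blobs are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed wire sizes (MS-DTYP layout, not stated in the advisory):
 * ACL header = revision(2) size(2) num_aces(2) reserved(2);
 * smallest ACE = type(1) flags(1) size(2) access mask(4) + 8-byte SID. */
#define ACL_HDR_LEN 8u
#define MIN_ACE_LEN 16u

static uint16_t rd_le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Hypothetical helper: returns the number of ACEs that are safe to walk,
 * or -1 if the header or any ACE disagrees with the bytes actually present. */
int checked_ace_count(const uint8_t *dacl, size_t xattr_len)
{
    if (xattr_len < ACL_HDR_LEN)
        return -1;
    size_t acl_size = rd_le16(dacl + 2), num_aces = rd_le16(dacl + 4);
    if (acl_size < ACL_HDR_LEN || acl_size > xattr_len)
        return -1;
    /* Bound the count by the data present before sizing any allocation. */
    if (num_aces > (acl_size - ACL_HDR_LEN) / MIN_ACE_LEN)
        return -1;
    size_t off = ACL_HDR_LEN;
    for (size_t i = 0; i < num_aces; i++) {
        if (acl_size - off < MIN_ACE_LEN)
            return -1;                  /* truncated ACE */
        size_t ace_size = rd_le16(dacl + off + 2);
        if (ace_size < MIN_ACE_LEN || ace_size > acl_size - off)
            return -1;                  /* undersized or overrunning ACE */
        off += ace_size;
    }
    return (int)num_aces;
}

/* Constructed sample blobs: 8-byte header followed by one 16-byte ACE. */
#define ACE(sz) 0,0,(sz),0, 0xff,0x01,0x1f,0, 1,0,0,0,0,0,0,1
static const uint8_t dacl_ok[]    = { 2,0, 24,0, 1,0,       0,0, ACE(16) };
static const uint8_t dacl_count[] = { 2,0, 24,0, 0xff,0xff, 0,0, ACE(16) }; /* num_aces 65535 */
static const uint8_t dacl_small[] = { 2,0, 24,0, 1,0,       0,0, ACE(4) };  /* ACE size 4 */

int main(void)
{
    printf("ok=%d count=%d small=%d\n",
           checked_ace_count(dacl_ok, sizeof dacl_ok),
           checked_ace_count(dacl_count, sizeof dacl_count),
           checked_ace_count(dacl_small, sizeof dacl_small));
    return 0;
}
```
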

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Related Identifiers

CVE-2026-31706
ECHO-C46A-217A-9030
OPENSUSE-SU-2026:10793-1

Affected Products

Linux Kernel