PT-2026-36337 · Linux · Linux Kernel

Published: 2026-05-01 · Updated: 2026-05-16 · CVE-2026-31707

CVSS v3.1: 7.1 (High)

Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

Name of the Vulnerable Software and Affected Versions

Linux kernel (affected versions not specified)

Description

An integer overflow exists in the ipc_validate_msg() function within the ksmbd module. The function calculates the expected message size for response types by performing unsigned integer arithmetic on attacker-controlled fields from the daemon response. Specifically, overflows can occur in the following cases:
  • KSMBD_EVENT_RPC_REQUEST, where msg_sz is calculated using resp->payload_sz.
  • KSMBD_EVENT_SHARE_CONFIG_REQUEST, where msg_sz is calculated using resp->payload_sz.
  • KSMBD_EVENT_LOGIN_REQUEST_EXT, where msg_sz is calculated using resp->ngroups.
If the calculated msg_sz wraps around and matches the expected size, it bypasses the size checks. This allows downstream consumers to trust unverified lengths during memory operations, such as memcpy in smb2pdu.c or kmemdup in ksmbd_alloc_user().

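A minimal user-space model of the ngroups case described above, added here as an illustration and not taken from the ksmbd source: the struct layout, function names and sample values are constructed. It shows a count whose 32-bit size computation wraps to the received length, next to an overflow-checked form that rejects it.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical response layout for illustration; not the ksmbd structure. */
struct demo_login_resp {
    uint32_t handle;
    uint32_t ngroups;            /* count supplied by the sender */
    /* followed on the wire by ngroups 32-bit group ids */
};

/* Weak form: 32-bit arithmetic on the sender's count wraps silently. */
bool validate_wrapping(const struct demo_login_resp *r, uint32_t recv_sz)
{
    uint32_t msg_sz = (uint32_t)sizeof(*r) +
                      r->ngroups * (uint32_t)sizeof(uint32_t);
    return msg_sz == recv_sz;
}

/* Hardened form: any overflow in the size computation rejects the message.
 * Kernel code has check_mul_overflow()/check_add_overflow() in
 * <linux/overflow.h> for the same purpose. */
bool validate_checked(const struct demo_login_resp *r, uint32_t recv_sz)
{
    uint32_t groups_sz, msg_sz;

    if (__builtin_mul_overflow(r->ngroups, (uint32_t)sizeof(uint32_t), &groups_sz))
        return false;
    if (__builtin_add_overflow((uint32_t)sizeof(*r), groups_sz, &msg_sz))
        return false;
    return msg_sz == recv_sz;
}

int main(void)
{
    /* Constructed inputs: 16 bytes received = 8-byte header + 2 ids. */
    struct demo_login_resp honest = { .handle = 1, .ngroups = 2 };
    struct demo_login_resp wrapped = { .handle = 1, .ngroups = 0x40000002u };

    printf("honest:  wrapping=%d checked=%d\n",
           validate_wrapping(&honest, 16), validate_checked(&honest, 16));
    printf("wrapped: wrapping=%d checked=%d\n",
           validate_wrapping(&wrapped, 16), validate_checked(&wrapped, 16));
    return 0;
}
```

The wrapped count passes the equality check in the weak form because only the truncated sum is compared, while any later consumer that uses ngroups directly sees the full, unverified value.
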
Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Memory Corruption

Weakness Enumeration

Related Identifiers

CVE-2026-31707
ECHO-3008-061F-F070
OPENSUSE-SU-2026:10793-1

Affected Products

Linux Kernel