CVE-2026-31708

Name of the Vulnerable Software and Affected Versions Linux kernel (affected versions not specified)

Description An out-of-bounds read exists in the smb2 ioctl query info() function within the QUERY INFO path. The function clamps qi.input buffer length to the server-reported OutputBufferLength and copies that amount of data from qi rsp->Buffer to userspace without verifying if the flexible-array payload fits within rsp iov[1].iov len. A malicious server can provide an OutputBufferLength larger than the actual response, causing copy to user() to read past the response buffer and expose adjacent kernel heap memory to userspace.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.