PT-2026-36339 · Linux · Linux Kernel
Published: 2026-05-01 · Updated: 2026-05-28
CVE-2026-31709
CVSS v3.1: 8.8 High
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Linux kernel (affected versions not specified)
Description
An issue exists in the SMB client where the system fails to fully validate the Discretionary Access Control List (DACL) before rewriting it in cifsacl. The functions build_sec_desc() and id_mode_to_cifs_acl() derive a DACL pointer from a server-supplied dacloffset to rebuild security descriptors for chmod/chown operations. While header fields are checked, the system does not perform structural validation of the DACL body. A malicious server can provide a truncated DACL that claims to contain one or more Access Control Entries (ACEs), causing replace_sids_and_copy_aces() or set_chmod_dacl() to read past the validated memory extent while processing attacker-controlled ACEs.
Recommendations
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
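The structural check the description says is missing, shown as an added example in user-space C (not the kernel's code and not an upstream fix): it walks every ACE the DACL claims and rejects any that extends past the ACL or the buffer. The function name, return codes and sample bytes are assumptions constructed for illustration, and every ACE is treated as header + access mask + SID.

```c
#include <stddef.h>
#include <stdint.h>

/* Added example, not kernel code. Offsets follow the MS-DTYP wire layout;
 * dacl_body_ok() and its return codes are hypothetical names. */
#define ACL_HDR 8u      /* revision(1) sbz1(1) size(2) ace_count(2) sbz2(2) */
#define ACE_MIN 16u     /* type(1) flags(1) size(2) mask(4) + 8-byte SID head */
#define SID_MAX_SUBAUTH 15u

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* 0 if the DACL at buf[dacl_off] and every ACE it claims fit in the buffer. */
int dacl_body_ok(const uint8_t *buf, size_t len, size_t dacl_off)
{
    if (dacl_off > len || len - dacl_off < ACL_HDR)
        return -1;                          /* header outside the buffer */
    const uint8_t *acl = buf + dacl_off;
    size_t acl_size = le16(acl + 2), pos = ACL_HDR;
    unsigned int num_aces = le16(acl + 4);
    if (acl_size < ACL_HDR || acl_size > len - dacl_off)
        return -2;                          /* claimed ACL size exceeds buffer */
    for (unsigned int i = 0; i < num_aces; i++) {
        if (acl_size - pos < ACE_MIN)
            return -3;                      /* ACE count claims more than is present */
        const uint8_t *ace = acl + pos;
        size_t ace_size = le16(ace + 2), subauth = ace[9]; /* SID sub-authority count */
        if (subauth > SID_MAX_SUBAUTH)
            return -4;                      /* SID sub-authority count out of range */
        if (ace_size < ACE_MIN + 4 * subauth || ace_size > acl_size - pos)
            return -5;                      /* ACE or its SID overruns the ACL */
        pos += ace_size;
    }
    return 0;
}

/* Constructed samples: one ACE for S-1-1-0, and a header-only DACL that
 * still claims one ACE (the truncated case the description refers to). */
static const uint8_t sample_ok[] = {
    0x02, 0, 28, 0, 1, 0, 0, 0,             /* ACL: size 28, one ACE */
    0x00, 0, 20, 0, 0xff, 0x01, 0x1f, 0,    /* ACE: size 20, access mask */
    1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0 };   /* SID S-1-1-0 */
static const uint8_t sample_short[] = { 0x02, 0, 8, 0, 1, 0, 0, 0 };

int main(void)
{
    return !(dacl_body_ok(sample_ok, sizeof sample_ok, 0) == 0 &&
             dacl_body_ok(sample_short, sizeof sample_short, 0) == -3);
}
```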
Related Identifiers
Affected Products
Linux Kernel