PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-31707 Linux CVE debrief

Integer overflow vulnerabilities in ksmbd's IPC message validation allow local attackers to bypass size checks and trigger out-of-bounds memory operations. The ksmbd kernel module computes expected message sizes using attacker-controlled fields from daemon responses without proper overflow detection. Three code paths are affected: RPC request handling adds payload_sz to struct size; share config request handling adds payload_sz to struct size; and extended login request handling multiplies ngroups by sizeof(gid_t) and adds to struct size. Unsigned integer wraparound in the first two cases, and signed-to-unsigned conversion of negative ngroups values in the third case, can produce wrapped msg_sz values that match the entry->msg_sz check and pass validation. Downstream consumers then trust these unverified lengths in memcpy and kmemdup operations. The fix uses check_add_overflow() for the RPC and share config paths, and validates ngroups is within [0, NGROUPS_MAX] before multiplication for the login path. This is the response-side counterpart to a prior request-side hardening patch. Affected kernel versions span 5.15 through 6.12.83, 6.13 through 6.18.24, and 6.19 through 7.0.1.

Vendor
Linux
Product
Unknown
CVSS
HIGH 7.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-01
Original CVE updated
2026-05-06
Advisory published
2026-05-01
Advisory updated
2026-05-06

Who should care

Linux system administrators running ksmbd (kernel SMB server) on affected kernel versions; security teams monitoring for local privilege escalation vectors in SMB infrastructure; kernel maintainers backporting stable patches.

Technical summary

The ksmbd kernel module's ipc_validate_msg() function computes the expected message size from fields of the daemon response that the sender controls, without adequate overflow protection. For KSMBD_EVENT_RPC_REQUEST and KSMBD_EVENT_SHARE_CONFIG_REQUEST, resp->payload_sz (__u32) is added to a fixed struct size and stored in an unsigned int, so the sum wraps modulo 2^32. For KSMBD_EVENT_LOGIN_REQUEST_EXT, resp->ngroups (__s32) is multiplied by sizeof(gid_t) and added to the struct size; a negative ngroups is converted to unsigned size_t before the multiplication (-1 becomes SIZE_MAX), so the product and sum wrap as well. A wrapped msg_sz that matches entry->msg_sz passes validation, and downstream memcpy and kmemdup operations then use the original, unverified attacker-controlled lengths. The remediation applies check_add_overflow() to the payload size additions, validates ngroups is non-negative and bounded by NGROUPS_MAX before the multiplication, and removes checks from ksmbd_alloc_user() that the earlier validation makes redundant.
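To make the arithmetic concrete, the following is an added example, not code from the kernel or from this debrief, that mirrors the pre-patch and patched size computations in userspace C. The struct layouts are simplified stand-ins (only their sizes matter), NGROUPS_MAX_STUB is assumed to equal the kernel's NGROUPS_MAX, and the compiler's __builtin_add_overflow() stands in for the kernel's check_add_overflow(), which wraps the same builtin. All inputs are constructed. It goes one step beyond the text above: besides a negative ngroups, a large positive ngroups (2^30) lands on the same wrapped value through the 32-bit store, and the [0, NGROUPS_MAX] bound rejects both.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/types.h>      /* gid_t */

/*
 * Stand-in layouts for the daemon responses ipc_validate_msg() sizes.
 * Assumption: simplified illustrations, not the kernel's real
 * struct ksmbd_rpc_command / struct ksmbd_login_response_ext.
 * Only their sizes matter here; the daemon-controlled fields are passed in
 * directly (in the kernel they are read as resp->payload_sz / resp->ngroups).
 */
struct rpc_response_stub {
    uint32_t handle;
    uint32_t flags;
    uint32_t payload_sz;    /* __u32 in the kernel */
    uint8_t  payload[];
};                          /* 12-byte header */

struct login_response_ext_stub {
    uint32_t handle;
    int32_t  ngroups;       /* __s32 in the kernel */
    uint32_t reserved[16];
    uint8_t  gids[];        /* ngroups * sizeof(gid_t) bytes follow */
};                          /* 72-byte header */

#define NGROUPS_MAX_STUB 65536  /* assumption: the kernel's NGROUPS_MAX value */

/* ---- Pre-patch arithmetic, as the debrief describes it ---- */

/* unsigned int msg_sz = sizeof(struct) + resp->payload_sz;
 * the sum is stored in 32 bits, so it wraps modulo 2^32. */
static unsigned int vuln_rpc_msg_sz(uint32_t payload_sz)
{
    unsigned int msg_sz = sizeof(struct rpc_response_stub) + payload_sz;
    return msg_sz;
}

/* unsigned int msg_sz = sizeof(struct) + resp->ngroups * sizeof(gid_t);
 * ngroups is converted to size_t before the multiply, so a negative value
 * becomes a huge unsigned operand; product and sum wrap, then the 32-bit
 * store discards the high bits. */
static unsigned int vuln_login_msg_sz(int32_t ngroups)
{
    unsigned int msg_sz = sizeof(struct login_response_ext_stub) + ngroups * sizeof(gid_t);
    return msg_sz;
}

/* The byte count a downstream kmemdup()-style copy would trust once the
 * wrapped msg_sz has passed validation. */
static size_t login_copy_len(int32_t ngroups)
{
    return (size_t)ngroups * sizeof(gid_t);
}

static int vuln_validate_login(int32_t ngroups, unsigned int entry_msg_sz)
{
    return vuln_login_msg_sz(ngroups) != entry_msg_sz ? -EINVAL : 0;
}

/* ---- Patched arithmetic ---- */

/* The kernel's check_add_overflow() wraps the same compiler builtin used
 * here: a sum that does not fit unsigned int is reported, not trusted. */
static int safe_validate_rpc(uint32_t payload_sz, unsigned int entry_msg_sz)
{
    unsigned int msg_sz;

    if (__builtin_add_overflow((unsigned int)sizeof(struct rpc_response_stub),
                               payload_sz, &msg_sz))
        return -EINVAL;
    return msg_sz != entry_msg_sz ? -EINVAL : 0;
}

static int safe_validate_login(int32_t ngroups, unsigned int entry_msg_sz)
{
    unsigned int msg_sz;

    /* Range check before any multiplication: rejects negative ngroups and
     * counts large enough for ngroups * sizeof(gid_t) to wrap. */
    if (ngroups < 0 || ngroups > NGROUPS_MAX_STUB)
        return -EINVAL;
    /* Now at most 65536 * 4 bytes on top of a 72-byte header: no overflow. */
    msg_sz = (unsigned int)(sizeof(struct login_response_ext_stub) +
                            (size_t)ngroups * sizeof(gid_t));
    return msg_sz != entry_msg_sz ? -EINVAL : 0;
}

int main(void)
{
    /* Constructed inputs. The message body is just the 72-byte header
     * (entry->msg_sz == sizeof(struct)), but ngroups claims 2^30 groups:
     * 2^30 * 4 == 2^32, so the 32-bit sum lands back on 72 and the
     * pre-patch check passes. ngroups == -2^30 gives the same result. */
    const unsigned int hdr = sizeof(struct login_response_ext_stub);

    printf("ngroups=2^30  : vuln=%d safe=%d, trusted copy len=%zu bytes\n",
           vuln_validate_login(0x40000000, hdr), safe_validate_login(0x40000000, hdr),
           login_copy_len(0x40000000));
    printf("ngroups=-2^30 : vuln=%d safe=%d\n",
           vuln_validate_login(-0x40000000, hdr), safe_validate_login(-0x40000000, hdr));
    printf("payload_sz=0xFFFFFFFC : wrapped msg_sz=%u, safe=%d\n",
           vuln_rpc_msg_sz(0xFFFFFFFCu),
           safe_validate_rpc(0xFFFFFFFCu, vuln_rpc_msg_sz(0xFFFFFFFCu)));
    return 0;
}
```

Build with `cc -Wall -o ksmbd_ipc_demo ksmbd_ipc_demo.c` on a 64-bit host. The pre-patch login check accepts a 72-byte message while the consumer would go on to copy 4 GiB of group IDs from it; the patched check rejects both the negative and the oversized ngroups before any size arithmetic runs, and the overflow-checked addition rejects the payload_sz wrap outright instead of comparing a wrapped value.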

Defensive priority

high

Recommended defensive actions

  • Apply stable kernel patches for affected versions: 5.15.x through 6.12.83, 6.13.x through 6.18.24, and 6.19.x through 7.0.1
  • Verify ksmbd module is updated to include check_add_overflow() validation in ipc_validate_msg()
  • Confirm ngroups validation enforces [0, NGROUPS_MAX] range before size calculations
  • Review systems with ksmbd enabled for unauthorized access or anomalous SMB activity
  • Monitor for kernel crashes or memory corruption indicators in ksmbd-related logs
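As a first-pass triage helper for the version ranges listed above, here is an added example that is not part of this debrief or of any kernel tooling. It parses the running kernel's release string, checks it against the three inclusive ranges given on this page, and reports whether ksmbd is present under /sys/module (an assumption: that sysfs is mounted and that the module is named ksmbd). Version comparison is only a heuristic: distribution kernels routinely backport fixes without changing the version number, so a hit here means "confirm the check_add_overflow() change is in your ksmbd source", not "vulnerable".

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/utsname.h>

struct kver { int major, minor, patch; };

/* Parse "6.12.83", "6.12.83-generic", "7.0.0-rc2" and similar. A missing
 * patch level reads as 0. Returns false unless at least major.minor parse. */
static bool parse_kver(const char *s, struct kver *v)
{
    v->major = v->minor = v->patch = 0;
    return sscanf(s, "%d.%d.%d", &v->major, &v->minor, &v->patch) >= 2;
}

static int cmp_kver(struct kver a, struct kver b)
{
    if (a.major != b.major) return a.major < b.major ? -1 : 1;
    if (a.minor != b.minor) return a.minor < b.minor ? -1 : 1;
    if (a.patch != b.patch) return a.patch < b.patch ? -1 : 1;
    return 0;
}

/* Affected ranges exactly as this debrief lists them, inclusive at both ends:
 * 5.15 through 6.12.83, 6.13 through 6.18.24, 6.19 through 7.0.1. */
static const struct { struct kver lo, hi; } affected[] = {
    { { 5, 15, 0 }, { 6, 12, 83 } },
    { { 6, 13, 0 }, { 6, 18, 24 } },
    { { 6, 19, 0 }, { 7,  0,  1 } },
};

static bool kernel_in_affected_range(const char *release)
{
    struct kver v;

    if (!parse_kver(release, &v))
        return false;
    for (size_t i = 0; i < sizeof affected / sizeof affected[0]; i++)
        if (cmp_kver(v, affected[i].lo) >= 0 && cmp_kver(v, affected[i].hi) <= 0)
            return true;
    return false;
}

/* /sys/module/<name> exists for loaded modules and for built-in ones that
 * carry parameters, so its presence is a useful but not exhaustive signal. */
static bool ksmbd_present(void)
{
    return access("/sys/module/ksmbd", F_OK) == 0;
}

int main(void)
{
    struct utsname u;

    if (uname(&u) != 0) {
        perror("uname");
        return 1;
    }
    printf("kernel %s: %s\n", u.release,
           kernel_in_affected_range(u.release)
               ? "inside a range listed as affected by CVE-2026-31707 (verify the patch)"
               : "outside the listed ranges");
    printf("ksmbd: %s\n", ksmbd_present() ? "present in /sys/module"
                                          : "not found in /sys/module");
    return 0;
}
```

Run it on each SMB host as part of the patch verification step; a host that is outside the ranges but runs a vendor kernel should still be checked against the vendor's advisory, since the ranges here come from upstream stable version numbers.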

Evidence notes

Vulnerability description and patch references sourced from NVD record. CPE criteria confirm affected kernel version ranges. CVSS 7.1 HIGH severity assigned by NVD. CWE-787 (Out-of-bounds Write) identified as primary weakness. Four stable kernel patches provided via git.kernel.org.

Official resources

2026-05-01