PatchSiren cyber security CVE debrief
CVE-2026-31712 Linux CVE debrief
CVE-2026-31712 is a Linux kernel ksmbd issue where permission checking of stored DACL entries accepted ACEs that were too small for the fields later read. An authenticated SMB client with the ability to set an ACL on a file could trigger the bug on a later CREATE against that file, leading to an out-of-bounds read and possible KASAN reports or kernel state corruption.
- Vendor: Linux
- Product: Unknown
- CVSS: HIGH 8.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-01
- Original CVE updated: 2026-05-17
- Advisory published: 2026-05-01
- Advisory updated: 2026-05-17
Who should care
Linux kernel and distro security teams, SMB/ksmbd operators, and administrators who allow authenticated users to set ACLs on shared files.
Technical summary
The flaw is in smb_check_perm_dacl(). Both ACE-walk loops checked only that the remaining buffer was large enough for the ACE header and then trusted ace->size, which allowed a crafted ACE with ace->size == 4 to pass validation even though later code reads access_req at offset 4 and sid at offset 8. The fix requires a minimum ACE size of offsetof(struct smb_ace, sid) + CIFS_SID_BASE_SIZE and rejects ACEs whose sid.num_subauth exceeds SID_MAX_SUB_AUTHORITIES before compare_sids() dereferences sub_auth[]. The issue is an out-of-bounds read (CWE-787), not pre-auth, and is reachable only after an authenticated client stores a crafted DACL and later triggers permission evaluation.
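The two checks described above, modelled in user space as an added example (not kernel source and not the upstream patch). The struct layouts are simplified from the offsets stated above; the function names ace_ok_weak and ace_ok_fixed and the sample byte arrays are constructed for illustration.

```c
/* Added example: user-space model of the ACE check, not kernel source. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define CIFS_SID_BASE_SIZE (1 + 1 + 6) /* revision, num_subauth, authority[6] */
#define SID_MAX_SUB_AUTHORITIES 15

struct smb_sid { uint8_t revision, num_subauth, authority[6];
                 uint32_t sub_auth[SID_MAX_SUB_AUTHORITIES]; };
struct smb_ace { uint8_t type, flags; uint16_t size; /* little-endian */
                 uint32_t access_req; struct smb_sid sid; };

/* ace->size is little-endian at offset 2; read it bytewise. */
static uint16_t ace_size(const uint8_t *p) { return (uint16_t)(p[2] | (p[3] << 8)); }

/* Pre-fix logic as described: header fits, then ace->size is trusted. */
int ace_ok_weak(const uint8_t *p, size_t remaining)
{
    if (remaining < offsetof(struct smb_ace, access_req))
        return 0;
    return ace_size(p) <= remaining;
}

/* Fixed logic: minimum ACE layout plus the num_subauth bound. */
int ace_ok_fixed(const uint8_t *p, size_t remaining)
{
    const size_t min_size = offsetof(struct smb_ace, sid) + CIFS_SID_BASE_SIZE;

    if (remaining < min_size)
        return 0;
    if (ace_size(p) < min_size || ace_size(p) > remaining)
        return 0;
    /* num_subauth is the second byte of the SID */
    return p[offsetof(struct smb_ace, sid) + 1] <= SID_MAX_SUB_AUTHORITIES;
}

/* Constructed inputs: well-formed ACE, size == 4 ACE, oversized num_subauth. */
const uint8_t ACE_GOOD[20] = {0, 0, 20, 0, 1, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
const uint8_t ACE_TINY[4]  = {0, 0, 4, 0};
const uint8_t ACE_SUBS[16] = {0, 0, 16, 0, 1, 0, 0, 0, 1, 200, 0, 0, 0, 0, 0, 5};

int main(void)
{
    printf("good: weak=%d fixed=%d\n", ace_ok_weak(ACE_GOOD, 20), ace_ok_fixed(ACE_GOOD, 20));
    printf("tiny: weak=%d fixed=%d\n", ace_ok_weak(ACE_TINY, 4), ace_ok_fixed(ACE_TINY, 4));
    printf("subs: weak=%d fixed=%d\n", ace_ok_weak(ACE_SUBS, 16), ace_ok_fixed(ACE_SUBS, 16));
    return 0;
}
```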
Defensive priority
High
Recommended defensive actions
- Apply the upstream or stable Linux kernel fixes linked in the official references and backport them to supported kernels.
- Confirm ksmbd-enabled systems are not running vulnerable kernel ranges: 5.15 before 6.12.84, 6.13 before 6.18.25, or 6.19 before 7.0.2.
- Validate that your kernel includes the ACE minimum-size check and the sid.num_subauth bounds check in smb_check_perm_dacl().
- Restrict which authenticated SMB users can set ACLs on files and review share permissions for unnecessary ACL delegation.
- Monitor affected systems for ksmbd-related kernel warnings, KASAN reports, or crashes during CREATE operations against files with stored DACLs.
Evidence notes
The CVE description states that smb_check_perm_dacl() only checked the remaining buffer and not the minimum ACE layout, allowing ace->size == 4 to pass and then read access_req and sid out of bounds. It also states that compare_sids() could dereference sub_auth[] without first bounding sid.num_subauth, and that parse_sec_desc() already enforced an equivalent check. Reachability is described as an authenticated SMB client with permission to set an ACL, followed by a later CREATE against the same file. The record classifies the weakness as CWE-787 and provides the CVSS vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:H.
Official resources
- CVE-2026-31712 CVE record: CVE.org
- CVE-2026-31712 NVD detail: NVD
- Source item URL: nvd_modified
- Mitigation or vendor reference: 416baaa9-dc9f-4396-8d5f-8c081fb06d67 - Patch
- Source reference: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVE-2026-31712 was published on 2026-05-01 and modified on 2026-05-17. This debrief is based on the CVE record, the NVD entry, and the linked official Linux stable kernel references.