{ "public_date" : "2026-05-01T00:00:00Z", "bugzilla" : { "description" : "kernel: ksmbd: fix out-of-bounds write in smb2_get_ea() EA alignment", "id" : "2464434", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2464434" }, "cwe" : "CWE-787", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nksmbd: fix out-of-bounds write in smb2_get_ea() EA alignment\nsmb2_get_ea() applies 4-byte alignment padding via memset() after\nwriting each EA entry. The bounds check on buf_free_len is performed\nbefore the value memcpy, but the alignment memset fires unconditionally\nafterward with no check on remaining space.\nWhen the EA value exactly fills the remaining buffer (buf_free_len == 0\nafter value subtraction), the alignment memset writes 1-3 NUL bytes\npast the buf_free_len boundary. In compound requests where the response\nbuffer is shared across commands, the first command (e.g., READ) can\nconsume most of the buffer, leaving a tight remainder for the QUERY_INFO\nEA response. The alignment memset then overwrites past the physical\nkvmalloc allocation into adjacent kernel heap memory.\nAdd a bounds check before the alignment memset to ensure buf_free_len\ncan accommodate the padding bytes.\nThis is the same bug pattern fixed by commit beef2634f81f (\"ksmbd: fix\npotencial OOB in get_file_all_info() for compound requests\") and\ncommit fda9522ed6af (\"ksmbd: fix OOB write in QUERY_INFO for compound\nrequests\"), both of which added bounds checks before unconditional\nwrites in QUERY_INFO response handlers.", "A flaw was found in the ksmbd component of the Linux kernel. This out-of-bounds write vulnerability occurs when processing Server Message Block (SMB) extended attribute (EA) information. Specifically, the `smb2_get_ea()` function performs an unconditional memory write for alignment padding without checking for sufficient buffer space. This can lead to overwriting adjacent kernel heap memory, potentially allowing a remote attacker to cause a denial of service or execute arbitrary code." ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-31705\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31705\nhttps://lore.kernel.org/linux-cve-announce/2026050121-CVE-2026-31705-5bdc@gregkh/T" ], "name" : "CVE-2026-31705", "csaw" : false }