Copyright © 2012 Red Hat, Inc. All rights reserved. 2026-05-01T00:00:00 kernel: ksmbd: fix out-of-bounds write in smb2_get_ea() EA alignment CWE-787

In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix out-of-bounds write in smb2_get_ea() EA alignment smb2_get_ea() applies 4-byte alignment padding via memset() after writing each EA entry. The bounds check on buf_free_len is performed before the value memcpy, but the alignment memset fires unconditionally afterward with no check on remaining space. When the EA value exactly fills the remaining buffer (buf_free_len == 0 after value subtraction), the alignment memset writes 1-3 NUL bytes past the buf_free_len boundary. In compound requests where the response buffer is shared across commands, the first command (e.g., READ) can consume most of the buffer, leaving a tight remainder for the QUERY_INFO EA response. The alignment memset then overwrites past the physical kvmalloc allocation into adjacent kernel heap memory. Add a bounds check before the alignment memset to ensure buf_free_len can accommodate the padding bytes. This is the same bug pattern fixed by commit beef2634f81f ("ksmbd: fix potencial OOB in get_file_all_info() for compound requests") and commit fda9522ed6af ("ksmbd: fix OOB write in QUERY_INFO for compound requests"), both of which added bounds checks before unconditional writes in QUERY_INFO response handlers.

A flaw was found in the ksmbd component of the Linux kernel. This out-of-bounds write vulnerability occurs when processing Server Message Block (SMB) extended attribute (EA) information. Specifically, the `smb2_get_ea()` function performs an unconditional memory write for alignment padding without checking for sufficient buffer space. This can lead to overwriting adjacent kernel heap memory, potentially allowing a remote attacker to cause a denial of service or execute arbitrary code.

Red Hat Enterprise Linux 10 Not affected kernel Red Hat Enterprise Linux 6 Not affected kernel Red Hat Enterprise Linux 7 Not affected kernel Red Hat Enterprise Linux 7 Not affected kernel-rt Red Hat Enterprise Linux 8 Not affected kernel Red Hat Enterprise Linux 8 Not affected kernel-rt Red Hat Enterprise Linux 9 Not affected kernel Red Hat Enterprise Linux 9 Not affected kernel-rt https://www.cve.org/CVERecord?id=CVE-2026-31705 https://nvd.nist.gov/vuln/detail/CVE-2026-31705 https://lore.kernel.org/linux-cve-announce/2026050121-CVE-2026-31705-5bdc@gregkh/T