{
  "public_date" : "2026-05-01T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: ksmbd: validate num_aces and harden ACE walk in smb_inherit_dacl()",
    "id" : "2464413",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2464413"
  },
  "cwe" : "CWE-1284",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nksmbd: validate num_aces and harden ACE walk in smb_inherit_dacl()\nsmb_inherit_dacl() trusts the on-disk num_aces value from the parent\ndirectory's DACL xattr and uses it to size a heap allocation:\naces_base = kmalloc(sizeof(struct smb_ace) * num_aces * 2, ...);\nnum_aces is a u16 read from le16_to_cpu(parent_pdacl->num_aces)\nwithout checking that it is consistent with the declared pdacl_size.\nAn authenticated client whose parent directory's security.NTACL is\ntampered (e.g. via offline xattr corruption or a concurrent path that\nbypasses parse_dacl()) can present num_aces = 65535 with minimal\nactual ACE data.  This causes a ~8 MB allocation (not kzalloc, so\nuninitialized) that the subsequent loop only partially populates, and\nmay also overflow the three-way size_t multiply on 32-bit kernels.\nAdditionally, the ACE walk loop uses the weaker\noffsetof(struct smb_ace, access_req) minimum size check rather than\nthe minimum valid on-wire ACE size, and does not reject ACEs whose\ndeclared size is below the minimum.\nReproduced on UML + KASAN + LOCKDEP against the real ksmbd code path.\nA legitimate mount.cifs client creates a parent directory over SMB\n(ksmbd writes a valid security.NTACL xattr), then the NTACL blob on\nthe backing filesystem is rewritten to set num_aces = 0xFFFF while\nkeeping the posix_acl_hash bytes intact so ksmbd_vfs_get_sd_xattr()'s\nhash check still passes.  A subsequent SMB2 CREATE of a child under\nthat parent drives smb2_open() into smb_inherit_dacl() (share has\n\"vfs objects = acl_xattr\" set), which fails the page allocator:\nWARNING: mm/page_alloc.c:5226 at __alloc_frozen_pages_noprof+0x46c/0x9c0\nWorkqueue: ksmbd-io handle_ksmbd_work\n__alloc_frozen_pages_noprof+0x46c/0x9c0\n___kmalloc_large_node+0x68/0x130\n__kmalloc_large_node_noprof+0x24/0x70\n__kmalloc_noprof+0x4c9/0x690\nsmb_inherit_dacl+0x394/0x2430\nsmb2_open+0x595d/0xabe0\nhandle_ksmbd_work+0x3d3/0x1140\nWith the patch applied the added guard rejects the tampered value\nwith -EINVAL before any large allocation runs, smb2_open() falls back\nto smb2_create_sd_buffer(), and the child is created with a default\nSD.  No warning, no splat.\nFix by:\n1. Validating num_aces against pdacl_size using the same formula\napplied in parse_dacl().\n2. Replacing the raw kmalloc(sizeof * num_aces * 2) with\nkmalloc_array(num_aces * 2, sizeof(...)) for overflow-safe\nallocation.\n3. Tightening the per-ACE loop guard to require the minimum valid\nACE size (offsetof(smb_ace, sid) + CIFS_SID_BASE_SIZE) and\nrejecting under-sized ACEs, matching the hardening in\nsmb_check_perm_dacl() and parse_dacl().\nv1 -> v2:\n- Replace the synthetic test-module splat in the changelog with a\nreal-path UML + KASAN reproduction driven through mount.cifs and\nSMB2 CREATE; Namjae flagged the kcifs3_test_inherit_dacl_old name\nin v1 since it does not exist in ksmbd.\n- Drop the commit-hash citation from the code comment per Namjae's\nreview; keep the parse_dacl() pointer.", "A flaw was found in ksmbd, a Linux kernel module that provides an in-kernel SMB server. smb_inherit_dacl() sizes a heap allocation from the `num_aces` value stored in the parent directory's security.NTACL extended attribute without checking it against the declared DACL size. If that attribute has been tampered with (for example through offline corruption of the xattr on the backing filesystem), an authenticated client creating a child under that directory can make ksmbd attempt an excessively large, uninitialized heap allocation, which can lead to a Denial of Service (DoS) by exhausting available memory resources." ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-31706\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31706\nhttps://lore.kernel.org/linux-cve-announce/2026050121-CVE-2026-31706-e8b1@gregkh/T" ],
  "name" : "CVE-2026-31706",
  "csaw" : false
}