{ "threat_severity" : "Moderate", "public_date" : "2026-05-01T00:00:00Z", "bugzilla" : { "description" : "kernel: ksmbd: validate response sizes in ipc_validate_msg()", "id" : "2464366", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2464366" }, "cwe" : "CWE-131", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nksmbd: validate response sizes in ipc_validate_msg()\nipc_validate_msg() computes the expected message size for each\nresponse type by adding (or multiplying) attacker-controlled fields\nfrom the daemon response to a fixed struct size in unsigned int\narithmetic. Three cases can overflow:\nKSMBD_EVENT_RPC_REQUEST:\nmsg_sz = sizeof(struct ksmbd_rpc_command) + resp->payload_sz;\nKSMBD_EVENT_SHARE_CONFIG_REQUEST:\nmsg_sz = sizeof(struct ksmbd_share_config_response) +\nresp->payload_sz;\nKSMBD_EVENT_LOGIN_REQUEST_EXT:\nmsg_sz = sizeof(struct ksmbd_login_response_ext) +\nresp->ngroups * sizeof(gid_t);\nresp->payload_sz is __u32 and resp->ngroups is __s32. Each addition\ncan wrap in unsigned int; the multiplication by sizeof(gid_t) mixes\nsigned and size_t, so a negative ngroups is converted to SIZE_MAX\nbefore the multiply. A wrapped value of msg_sz that happens to\nequal entry->msg_sz bypasses the size check on the next line, and\ndownstream consumers (smb2pdu.c:6742 memcpy using rpc_resp->payload_sz,\nkmemdup in ksmbd_alloc_user using resp_ext->ngroups) then trust the\nunverified length.\nUse check_add_overflow() on the RPC_REQUEST and SHARE_CONFIG_REQUEST\npaths to detect integer overflow without constraining functional\npayload size; userspace ksmbd-tools grows NDR responses in 4096-byte\nchunks for calls like NetShareEnumAll, so a hard transport cap is\nunworkable on the response side. For LOGIN_REQUEST_EXT, reject\nresp->ngroups outside the signed [0, NGROUPS_MAX] range up front and\nreport the error from ipc_validate_msg() so it fires at the IPC\nboundary; with that bound the subsequent multiplication and addition\nstay well below UINT_MAX. The now-redundant ngroups check and\npr_err in ksmbd_alloc_user() are removed.\nThis is the response-side analogue of aab98e2dbd64 (\"ksmbd: fix\ninteger overflows on 32 bit systems\"), which hardened the request\nside.", "A flaw was found in the Linux kernel's ksmbd component. A remote attacker could exploit an integer overflow vulnerability when the system processes specially crafted daemon responses. This manipulation of data sizes can bypass internal security checks, leading to memory corruption. Such an issue could potentially allow an attacker to gain unauthorized access or cause system instability." ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-31707\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31707\nhttps://lore.kernel.org/linux-cve-announce/2026050121-CVE-2026-31707-84d2@gregkh/T" ], "name" : "CVE-2026-31707", "csaw" : false }