{ "public_date" : "2026-05-01T00:00:00Z", "bugzilla" : { "description" : "kernel: ksmbd: require minimum ACE size in smb_check_perm_dacl()", "id" : "2464447", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2464447" }, "cwe" : "CWE-1284", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nksmbd: require minimum ACE size in smb_check_perm_dacl()\nBoth ACE-walk loops in smb_check_perm_dacl() only guard against an\nunder-sized remaining buffer, not against an ACE whose declared\n`ace->size` is smaller than the struct it claims to describe:\nif (offsetof(struct smb_ace, access_req) > aces_size)\nbreak;\nace_size = le16_to_cpu(ace->size);\nif (ace_size > aces_size)\nbreak;\nThe first check only requires the 4-byte ACE header to be in bounds;\nit does not require access_req (4 bytes at offset 4) to be readable.\nAn attacker who has set a crafted DACL on a file they own can declare\nace->size == 4 with aces_size == 4, pass both checks, and then\ngranted |= le32_to_cpu(ace->access_req); /* upper loop */\ncompare_sids(&sid, &ace->sid); /* lower loop */\nreads access_req at offset 4 (OOB by up to 4 bytes) and ace->sid at\noffset 8 (OOB by up to CIFS_SID_BASE_SIZE + SID_MAX_SUB_AUTHORITIES\n* 4 bytes).\nTighten both loops to require\nace_size >= offsetof(struct smb_ace, sid) + CIFS_SID_BASE_SIZE\nwhich is the smallest valid on-wire ACE layout (4-byte header +\n4-byte access_req + 8-byte sid base with zero sub-auths). Also\nreject ACEs whose sid.num_subauth exceeds SID_MAX_SUB_AUTHORITIES\nbefore letting compare_sids() dereference sub_auth[] entries.\nparse_sec_desc() already enforces an equivalent check (lines 441-448);\nsmb_check_perm_dacl() simply grew weaker validation over time.\nReachability: authenticated SMB client with permission to set an ACL\non a file. On a subsequent CREATE against that file, the kernel\nwalks the stored DACL via smb_check_perm_dacl() and triggers the\nOOB read. Not pre-auth, and the OOB read is not reflected to the\nattacker, but KASAN reports and kernel state corruption are\npossible.", "A flaw was found in the ksmbd component of the Linux kernel. An authenticated Server Message Block (SMB) client with permissions to set an Access Control List (ACL) on a file can craft a malicious Discretionary Access Control List (DACL). This crafted DACL, containing an undersized Access Control Entry (ACE), can lead to an out-of-bounds read when the kernel processes it during a subsequent file creation operation. This vulnerability could result in kernel state corruption." ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-31712\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31712\nhttps://lore.kernel.org/linux-cve-announce/2026050123-CVE-2026-31712-b794@gregkh/T" ], "name" : "CVE-2026-31712", "csaw" : false }