{“lastseen”:””,”description”:”In the Linux kernel, the following vulnerability has been resolved:\\n\\nksmbd: validate num_aces and harden ACE walk in smb_inherit_dacl()\\n\\nsmb_inherit_dacl() trusts the on-disk num_aces value from the parent\\ndirectory’s DACL xattr and uses it to size a heap allocation:\\n\\n aces_base = kmalloc(sizeof(struct smb_ace) * num_aces * 2, …);\\n\\nnum_aces is a u16 read from le16_to_cpu(parent_pdacl-\\u003enum_aces)\\nwithout checking that it is consistent with the declared pdacl_size.\\nAn authenticated client whose parent directory’s security.NTACL is\\ntampered (e.g. via offline xattr corruption or a concurrent path that\\nbypasses parse_dacl()) can present num_aces = 65535 with minimal\\nactual ACE data. This causes a ~8 MB allocation (not kzalloc, so\\nuninitialized) that the subsequent loop only partially populates, and\\nmay also overflow the three-way size_t multiply on 32-bit kernels.\\n\\nAdditionally, the ACE walk loop uses the weaker\\noffsetof(struct smb_ace, access_req) minimum size check rather than\\nthe minimum valid on-wire ACE size, and does not reject ACEs whose\\ndeclared size is below the minimum.\\n\\nReproduced on UML + KASAN + LOCKDEP against the real ksmbd code path.\\nA legitimate mount.cifs client creates a parent directory over SMB\\n(ksmbd writes a valid security.NTACL xattr), then the NTACL blob on\\nthe backing filesystem is rewritten to set num_aces = 0xFFFF while\\nkeeping the posix_acl_hash bytes intact so ksmbd_vfs_get_sd_xattr()’s\\nhash check still passes. A subsequent SMB2 CREATE of a child under\\nthat parent drives smb2_open() into smb_inherit_dacl() (share has\\n\\”vfs objects = acl_xattr\\” set), which fails the page allocator:\\n\\n WARNING: mm\/page_alloc.c:5226 at __alloc_frozen_pages_noprof+0x46c\/0x9c0\\n Workqueue: ksmbd-io handle_ksmbd_work\\n __alloc_frozen_pages_noprof+0x46c\/0x9c0\\n ___kmalloc_large_node+0x68\/0x130\\n __kmalloc_large_node_noprof+0x24\/0x70\\n __kmalloc_noprof+0x4c9\/0x690\\n smb_inherit_dacl+0x394\/0x2430\\n smb2_open+0x595d\/0xabe0\\n handle_ksmbd_work+0x3d3\/0x1140\\n\\nWith the patch applied the added guard rejects the tampered value\\nwith -EINVAL before any large allocation runs, smb2_open() falls back\\nto smb2_create_sd_buffer(), and the child is created with a default\\nSD. No warning, no splat.\\n\\nFix by:\\n\\n 1. Validating num_aces against pdacl_size using the same formula\\n applied in parse_dacl().\\n\\n 2. Replacing the raw kmalloc(sizeof * num_aces * 2) with\\n kmalloc_array(num_aces * 2, sizeof(…)) for overflow-safe\\n allocation.\\n\\n 3. Tightening the per-ACE loop guard to require the minimum valid\\n ACE size (offsetof(smb_ace, sid) + CIFS_SID_BASE_SIZE) and\\n rejecting under-sized ACEs, matching the hardening in\\n smb_check_perm_dacl() and parse_dacl().\\n\\nv1 -\\u003e v2:\\n – Replace the synthetic test-module splat in the changelog with a\\n real-path UML + KASAN reproduction driven through mount.cifs and\\n SMB2 CREATE; Namjae flagged the kcifs3_test_inherit_dacl_old name\\n in v1 since it does not exist in ksmbd.\\n – Drop the commit-hash citation from the code comment per Namjae’s\\n review; keep the parse_dacl() pointer.”,”published”:”2026-05-01T13:56:04.552Z”,”modified”:”2026-05-03T05:45:29.610Z”,”type”:”cve”,”title”:”ksmbd: validate num_aces and harden ACE walk in smb_inherit_dacl()”,”source”:”Linux”,”references”:”https:\/\/git.kernel.org\/stable\/c\/063a7409b0de46d7c770b65bb0338e6fdb3b1f0a\\nhttps:\/\/git.kernel.org\/stable\/c\/3e5360b422dd741cb315654a191fa73869a37414\\nhttps:\/\/git.kernel.org\/stable\/c\/59c32abaaec9cdd6164811c7e864e72f7554b82d\\nhttps:\/\/git.kernel.org\/stable\/c\/3e4e2ea2a781018ed5d75f969e3e5606beb66e48″,”id”:”CVE-2026-31706″,”bulletinFamily”:””,”cwe”:null,”cvelist”:null,”sourceData”:”Linux Linux e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9\\nLinux Linux e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9\\nLinux Linux e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9\\nLinux Linux e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9\\nLinux Linux 5.15″,”sourceHref”:””,”cvss”:{“score”:8.8,”severity”:”HIGH”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:L\/UI:N\/S:U\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:””,”category_name”:”CVE”,”post_link”:””,”product”:”Linux”,”version”:”e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9″,”vendor”:”Linux”,”ai_description”:”AI processing failed – no valid JSON found”,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:””,”description”:”In the Linux kernel, the following vulnerability has been resolved:\\n\\nksmbd: validate num_aces and harden ACE walk in smb_inherit_dacl()\\n\\nsmb_inherit_dacl() trusts the on-disk num_aces value from the…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[6,8,41,12,15,13,7,11,5],"class_list":["post-51029","post","type-post","status-publish","format-standard","hentry","category-category_cve","tag-cve","tag-cvss","tag-cvss-88","tag-exploit","tag-high","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n