HIGH

CVE-2026-31613

Published: April 24, 2026 · Updated: Apr 28, 2026

CVSS v3.1: 8.1
EPSS: 0.02% probability of exploitation in 30 days · Percentile: 5.7th

Official Description

In the Linux kernel, the following vulnerability has been resolved:

smb: client: fix OOB reads parsing symlink error response

When a CREATE returns STATUS_STOPPED_ON_SYMLINK, smb2_check_message() returns success without any length validation, leaving the symlink parsers as the only defense against an untrusted server.

symlink_data() walks SMB 3.1.1 error contexts with the loop test "p < end", but reads p->ErrorId at offset 4 and p->ErrorDataLength at offset 0. When the server-controlled ErrorDataLength advances p to within 1-7 bytes of end, the next iteration will read past it. When the matching context is found, sym->SymLinkErrorTag is read at offset 4 from p->ErrorContextData with no check that the symlink header itself fits.

smb2_parse_symlink_response() then bounds-checks the substitute name using SMB2_SYMLINK_STRUCT_SIZE as the offset of PathBuffer from iov_base. That value is computed as sizeof(smb2_err_rsp) + sizeof(smb2_symlink_err_rsp), which is correct only when ErrorContextCount == 0.

With at least one error context the symlink data sits 8 bytes deeper, and each skipped non-matching context shifts it further by 8 + ALIGN(ErrorDataLength, 8). The check is too short, allowing the substitute name read to run past iov_len. The out-of-bound heap bytes are UTF-16-decoded into the symlink target and returned to userspace via readlink(2).

Fix this all up by making the loops test require the full context header to fit, rejecting sym if its header runs past end, and bound the substitute name against the actual position of sym->PathBuffer rather than a fixed offset.

Because sub_offs and sub_len are 16bits, the pointer math will not overflow here with the new greater-than.

NVD Source
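The three bounds checks the description names, as an added userspace C example; it is not the kernel's code or the upstream patch. Field offsets follow the description and the MS-SMB2 structure layout; the function names, the flat buf/len view starting at the first error context, and treating ErrorId 0 as the matching context are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>

#define CTX_HDR 8u               /* ErrorDataLength (4) + ErrorId (4) */
#define SYM_HDR 28u              /* symlink error response up to PathBuffer */
#define SYMLINK_TAG 0x4C4D5953u  /* SymLinkErrorTag value from MS-SMB2 */

static uint32_t le32(const uint8_t *p)
{
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Walk `count` error contexts in buf[0..len); return the offset of the
 * symlink error response, or -1 if any header would cross the end. */
long find_symlink(const uint8_t *buf, size_t len, unsigned count)
{
    size_t off = 0;
    for (unsigned i = 0; i < count; i++) {
        if (len - off < CTX_HDR)                 /* whole header must fit */
            return -1;
        if (le32(buf + off + 4) == 0) {          /* ErrorId 0: assumed match */
            off += CTX_HDR;
            if (len - off < SYM_HDR || le32(buf + off + 4) != SYMLINK_TAG)
                return -1;                       /* symlink header must fit */
            return (long)off;
        }
        /* ErrorDataLength is server-controlled: align in 64 bits, then bound */
        uint64_t skip = ((uint64_t)le32(buf + off) + 7) & ~7ull;
        if (skip > len - off - CTX_HDR)
            return -1;
        off += CTX_HDR + (size_t)skip;
    }
    return -1;
}

/* Bound the substitute name against the real PathBuffer position
 * (sym + SYM_HDR), not a fixed offset; return its offset in buf, or -1.
 * `sym` must be a value returned by find_symlink() for the same buffer. */
long substitute_name(const uint8_t *buf, size_t len, size_t sym, size_t *name_len)
{
    size_t path = sym + SYM_HDR;
    size_t sub_offs = buf[sym + 16] | (size_t)buf[sym + 17] << 8;
    size_t sub_len = buf[sym + 18] | (size_t)buf[sym + 19] << 8;
    if (sub_offs + sub_len > len - path)         /* 16-bit fields: no overflow */
        return -1;
    *name_len = sub_len;
    return (long)(path + sub_offs);
}
```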

Technical Analysis

CVE-2026-31613 is exploitable remotely over the network; no physical or adjacent access is required.

Exploitation requires no privileges but does require user interaction, which makes mass automated attacks less likely.

A successful exploit has a high confidentiality impact (data exposure) and a high availability impact (denial of service), for a CVSS base score of 8.1.

CVSS v3.1 Vector Breakdown

Exploitability
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Impact
Confidentiality: High
Integrity: None
Availability: High

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H

Affected Vendors & Products

Linux: 1 product (linux kernel)
Source: NVD CPE · 1 total CPE entries

Exploit & PoC Resources

NO KNOWN EXPLOIT: No public exploit confirmed at this time

Official Patches & Advisories

All References (4)

Quick Facts

CVE ID: CVE-2026-31613
CVSS Score: 8.1 / 10
Severity: HIGH
CISA KEV: No
EPSS (30d): 0.02%
Affected: 1 vendor
Published: Apr 24, 2026

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2026-31613 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.