CVE-2026-31707

Severity: HIGH
Published: May 1, 2026 · Updated: May 6, 2026

CVSS v3.1 base score: 7.1
EPSS: 0.01% probability of exploitation in 30 days (1.7th percentile)

Official Description

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: validate response sizes in ipc_validate_msg()

ipc_validate_msg() computes the expected message size for each response type by adding (or multiplying) attacker-controlled fields from the daemon response to a fixed struct size in unsigned int arithmetic. Three cases can overflow:

KSMBD_EVENT_RPC_REQUEST:
    msg_sz = sizeof(struct ksmbd_rpc_command) + resp->payload_sz;

KSMBD_EVENT_SHARE_CONFIG_REQUEST:
    msg_sz = sizeof(struct ksmbd_share_config_response) + resp->payload_sz;

KSMBD_EVENT_LOGIN_REQUEST_EXT:
    msg_sz = sizeof(struct ksmbd_login_response_ext) + resp->ngroups * sizeof(gid_t);

resp->payload_sz is __u32 and resp->ngroups is __s32. Each addition can wrap in unsigned int; the multiplication by sizeof(gid_t) mixes signed and size_t, so a negative ngroups is converted to SIZE_MAX before the multiply. A wrapped value of msg_sz that happens to equal entry->msg_sz bypasses the size check on the next line, and downstream consumers (smb2pdu.c:6742 memcpy using rpc_resp->payload_sz, kmemdup in ksmbd_alloc_user using resp_ext->ngroups) then trust the unverified length.

Use check_add_overflow() on the RPC_REQUEST and SHARE_CONFIG_REQUEST paths to detect integer overflow without constraining functional payload size; userspace ksmbd-tools grows NDR responses in 4096-byte chunks for calls like NetShareEnumAll, so a hard transport cap is unworkable on the response side. For LOGIN_REQUEST_EXT, reject resp->ngroups outside the signed [0, NGROUPS_MAX] range up front and report the error from ipc_validate_msg() so it fires at the IPC boundary; with that bound the subsequent multiplication and addition stay well below UINT_MAX. The now-redundant ngroups check and pr_err in ksmbd_alloc_user() are removed.

This is the response-side analogue of aab98e2dbd64 ("ksmbd: fix integer overflows on 32 bit systems"), which hardened the request side.

Source: NVD
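The arithmetic in the description above is easy to reason about incorrectly, so here is an added user-space model of it (this is illustrative code written for this page, not ksmbd's own code). It reproduces the pre-fix pattern for the two payload_sz paths and the ngroups path, then the checks the fix describes: check_add_overflow() in the kernel is built on the compiler's __builtin_add_overflow(), so that builtin stands in for it here. The struct layouts (a 12-byte header for the RPC/share-config responses, an 8-byte header for the login response), the entry_msg_sz values, and the *_old/*_new names are assumptions for illustration. One detail worth seeing in the output: only ngroups == -1 converts to exactly SIZE_MAX; other negative values convert to other large size_t values, and after the multiply, add and truncation to unsigned int they all land on small numbers that a short response can match.

```c
/*
 * Added example (not kernel code): models the size computations from the
 * CVE-2026-31707 description in user space, first as the pre-fix unsigned int
 * arithmetic and then with the overflow-aware checks the fix describes.
 * Struct layouts, entry_msg_sz values and the *_old/*_new names are assumptions.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/types.h>   /* gid_t: 32-bit on Linux, as in the kernel */

#define NGROUPS_MAX 65536 /* the value the Linux kernel uses */

/* Stand-in for struct ksmbd_rpc_command / ksmbd_share_config_response:
 * a fixed header followed by payload_sz bytes. Assumed size: 12 bytes. */
struct rpc_hdr {
	uint32_t handle;
	uint32_t flags;
	uint32_t payload_sz;
};

/* Stand-in for struct ksmbd_login_response_ext: a header followed by
 * ngroups gid_t values. Assumed size: 8 bytes. */
struct login_ext_hdr {
	uint32_t handle;
	int32_t  ngroups;
};

/* Pre-fix pattern for RPC_REQUEST and SHARE_CONFIG_REQUEST:
 * sizeof(hdr) + payload_sz in unsigned int, compared with the received size. */
bool validate_payload_old(uint32_t payload_sz, unsigned int entry_msg_sz)
{
	unsigned int msg_sz = (unsigned int)sizeof(struct rpc_hdr) + payload_sz;
	return msg_sz == entry_msg_sz; /* a wrapped msg_sz can still match */
}

/* Post-fix pattern: reject the message if the addition wraps, without
 * putting any upper bound on a legitimate payload_sz. */
bool validate_payload_new(uint32_t payload_sz, unsigned int entry_msg_sz)
{
	unsigned int msg_sz;

	if (__builtin_add_overflow((unsigned int)sizeof(struct rpc_hdr),
				   payload_sz, &msg_sz))
		return false; /* wrapped: reject at the IPC boundary */
	return msg_sz == entry_msg_sz;
}

/* Pre-fix LOGIN_REQUEST_EXT arithmetic: the __s32 ngroups is converted to
 * size_t for the multiply, so a negative value becomes a huge size_t, and the
 * sum is then truncated to unsigned int. Returned so the wrapped value can be
 * inspected directly. */
unsigned int login_msg_sz_old(int32_t ngroups)
{
	return (unsigned int)(sizeof(struct login_ext_hdr) + ngroups * sizeof(gid_t));
}

bool validate_login_old(int32_t ngroups, unsigned int entry_msg_sz)
{
	return login_msg_sz_old(ngroups) == entry_msg_sz;
}

/* Post-fix: bound ngroups first; with 0 <= ngroups <= NGROUPS_MAX the
 * multiply and the add stay far below UINT_MAX. */
bool validate_login_new(int32_t ngroups, unsigned int entry_msg_sz)
{
	unsigned int msg_sz;

	if (ngroups < 0 || ngroups > NGROUPS_MAX)
		return false;
	msg_sz = (unsigned int)sizeof(struct login_ext_hdr) +
		 (unsigned int)ngroups * (unsigned int)sizeof(gid_t);
	return msg_sz == entry_msg_sz;
}

int main(void)
{
	/* Constructed inputs: a 4-byte response (shorter than the 12-byte
	 * header) paired with a payload_sz chosen so 12 + payload_sz wraps to 4. */
	uint32_t evil_payload = 0xFFFFFFF8u;
	printf("payload_sz=0x%x, 4-byte message: old=%d new=%d\n", evil_payload,
	       validate_payload_old(evil_payload, 4),
	       validate_payload_new(evil_payload, 4));

	/* ngroups = -1 wraps msg_sz to 8 - 4 = 4; ngroups = -2 wraps it to 0. */
	for (int32_t n = -1; n >= -2; n--)
		printf("ngroups=%d -> msg_sz=%u old=%d new=%d\n", n,
		       login_msg_sz_old(n), validate_login_old(n, login_msg_sz_old(n)),
		       validate_login_new(n, login_msg_sz_old(n)));

	/* Honest inputs are still accepted by the hardened checks. */
	printf("honest: payload=%d login=%d\n",
	       validate_payload_new(52, 64), validate_login_new(2, 16));
	return 0;
}
```

Run it with any C compiler that provides __builtin_add_overflow (GCC and Clang both do): the pre-fix checks accept the wrapped sizes, the post-fix checks reject them, and honest sizes pass both.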

Technical Analysis

CVE-2026-31707 is scored with a local attack vector (AV:L): the overflowing fields arrive in the response the userspace ksmbd daemon sends back to the kernel over the ksmbd IPC channel, so an attacker must already be on the system and in a position to influence that response.

Privileges required is Low (PR:L), so the scenario is a foothold being escalated rather than remote initial access; no user interaction is needed.

Per the CVSS vector, a successful exploit has High confidentiality impact and High availability impact and no integrity impact: a wrapped msg_sz that matches entry->msg_sz lets the memcpy in smb2pdu.c and the kmemdup in ksmbd_alloc_user() operate on an unverified length, which can expose kernel memory or crash the kernel. The base score is 7.1.

CVSS v3.1 Vector Breakdown

Exploitability
  Attack Vector:       Local
  Attack Complexity:   Low
  Privileges Required: Low
  User Interaction:    None
  Scope:               Unchanged
Impact
  Confidentiality:     High
  Integrity:           None
  Availability:        High

Vector string: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

Affected Vendors & Products

Linux (1 product): linux kernel
Source: NVD CPE · 1 CPE entry in total

Exploit & PoC Resources

No known exploit: no public exploit confirmed at this time.

Official Patches & Advisories

All References (4)

Quick Facts

CVE ID:      CVE-2026-31707
CVSS Score:  7.1 / 10
Severity:    HIGH
CISA KEV:    No
EPSS (30d):  0.01%
Affected:    1 vendor
Published:   May 1, 2026

Recommended Actions

  • Update to a kernel that carries the fix commit "ksmbd: validate response sizes in ipc_validate_msg()", or apply your distribution's backport; the fix is only relevant where the ksmbd module is built and loaded.
  • Monitor CVE-2026-31707 in threat intel feeds; EPSS currently rates exploitation probability at 0.01% and the CVE is not in CISA KEV.
  • Note that the vulnerable code path is the local kernel-to-daemon IPC boundary rather than SMB traffic from the network, so network IDS/IPS signatures are unlikely to observe exploitation; host-level monitoring of ksmbd errors and kernel oopses is the more useful signal.
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.