SentinelOne CVE Vulnerability Database

CVE-2026-31432: Linux Kernel Buffer Overflow Vulnerability

CVE-2026-31432 is a buffer overflow flaw in the Linux kernel's ksmbd (in-kernel SMB server) that allows out-of-bounds writes during compound request processing. This article covers technical details, affected versions, impact, and mitigation.

Published: April 23, 2026

CVE-2026-31432 Overview

CVE-2026-31432 is an out-of-bounds write vulnerability in the Linux kernel's ksmbd (kernel SMB server) component. The vulnerability occurs when processing compound SMB requests where the first command consumes most of the response buffer, causing ksmbd to write beyond the allocated buffer while building a security descriptor for subsequent QUERY_INFO operations.

Critical Impact

This out-of-bounds write vulnerability in ksmbd could allow an attacker to corrupt kernel memory, potentially leading to privilege escalation, denial of service, or arbitrary code execution in kernel context.

Affected Products

  • Linux kernel with ksmbd module enabled
  • Systems running in-kernel SMB3 file server (ksmbd)
  • Linux distributions with ksmbd configured for file sharing

Discovery Timeline

  • 2026-04-22 - CVE-2026-31432 published to NVD
  • 2026-04-23 - Last updated in NVD database

Technical Details for CVE-2026-31432

Vulnerability Analysis

The vulnerability exists in the ksmbd module's handling of compound SMB requests, specifically when a sequence like READ + QUERY_INFO(Security) is processed. The flaw manifests when the first command in a compound request consumes a significant portion of the response buffer, leaving insufficient space for subsequent commands.

The core issue lies in the buffer size calculation mismatch between smb2_get_info_sec() and build_sec_desc(). The former function performs buffer space validation using ppntsd_size obtained from xattr (extended attributes), but this check is inadequate because build_sec_desc() synthesizes a security descriptor from POSIX ACLs that is often significantly larger than the xattr-based estimate.

When building security descriptors from POSIX ACL entries, the resulting descriptor can vary considerably in size depending on the number of ACL entries present on the target file or directory. Without proper pre-calculation of the final descriptor size, the function proceeds to write data beyond the bounds of the allocated response buffer.

Root Cause

The root cause is a buffer size miscalculation in the security descriptor generation path. The vulnerability stems from two functions using different methods to estimate required buffer space: smb2_get_info_sec() relies on xattr size for buffer checking, while build_sec_desc() dynamically constructs larger descriptors from POSIX ACLs. This discrepancy creates a condition where the actual write operation exceeds the pre-validated buffer boundaries.

Attack Vector

An attacker with network access to a ksmbd-enabled SMB server can craft malicious compound SMB requests designed to trigger this vulnerability. The attack vector involves:

  1. Establishing an SMB3 connection to a vulnerable ksmbd server
  2. Sending a compound request where the first command (such as READ) returns data consuming most of the response buffer
  3. Following with a QUERY_INFO request for security information on a file with complex POSIX ACLs
  4. The server writes the synthesized security descriptor past the buffer boundary, corrupting adjacent kernel memory

The patch addresses this by introducing smb_acl_sec_desc_scratch_len() to accurately compute the final descriptor size before allocation. This function performs proper buffer checking via smb2_calc_max_out_buf_len() and ensures exact-sized allocation with iov pinning, preventing the out-of-bounds write condition.
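The size-check mismatch described above, modelled in C as an added example (not the kernel's code): the pre-fix check trusts the xattr-stored descriptor length, while the descriptor actually emitted is synthesized from POSIX ACL entries, so the check passes and the write does not fit. The per-field sizes, the posix_acl_model struct and the function names check_vulnerable(), check_fixed() and sec_desc_exact_len() are constructed for illustration; sec_desc_exact_len() plays the role the page attributes to smb_acl_sec_desc_scratch_len().

```c
/* Model of the size-check mismatch behind CVE-2026-31432 (added example,
 * not the kernel's code). Sizes and names below are constructed; the
 * kernel's real helpers are smb2_get_info_sec(), build_sec_desc() and,
 * in the fix, smb_acl_sec_desc_scratch_len(). */
#include <stddef.h>

#define SD_HEADER_LEN   20  /* fixed SECURITY_DESCRIPTOR header (constructed) */
#define SID_LEN         28  /* one SID as written into the descriptor (constructed) */
#define ACL_HEADER_LEN   8  /* ACL header (constructed) */
#define ACE_HEADER_LEN   8  /* ACE header + access mask, before its SID (constructed) */

struct posix_acl_model {    /* constructed: only the entry count matters here */
    unsigned int n_entries;
};

/* Exact length of the descriptor synthesized from POSIX ACL entries: the
 * owner and group SIDs are always emitted, then one ACE carrying a full
 * SID per ACL entry. This is the pre-computation the fix adds. */
size_t sec_desc_exact_len(const struct posix_acl_model *acl)
{
    return SD_HEADER_LEN + 2 * SID_LEN + ACL_HEADER_LEN
         + (size_t)acl->n_entries * (ACE_HEADER_LEN + SID_LEN);
}

/* Pre-fix check: validates only the xattr-stored descriptor size, which
 * says nothing about what the ACL-derived build will emit. Returns 1 when
 * the write is believed to fit in the space left in the response buffer. */
int check_vulnerable(size_t remaining_buf, size_t xattr_sd_len)
{
    return xattr_sd_len <= remaining_buf;
}

/* Post-fix check: compute the real length first, then compare it with the
 * space left after the earlier compound command consumed its share. */
int check_fixed(size_t remaining_buf, const struct posix_acl_model *acl)
{
    return sec_desc_exact_len(acl) <= remaining_buf;
}

/* Regression-test oracle: 1 means the pre-fix check would have passed even
 * though the real descriptor does not fit, i.e. the out-of-bounds case. */
int vulnerable_path_overflows(size_t remaining_buf, size_t xattr_sd_len,
                              const struct posix_acl_model *acl)
{
    return check_vulnerable(remaining_buf, xattr_sd_len)
        && sec_desc_exact_len(acl) > remaining_buf;
}
```

With a constructed scenario of 200 bytes left after the first command, a 120-byte xattr estimate and a file carrying 10 ACL entries, the old check accepts the request while the exact length (444 bytes) exceeds the space; with 2 entries (156 bytes) both checks agree the write fits.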

Detection Methods for CVE-2026-31432

Indicators of Compromise

  • Unexpected kernel crashes or panics involving ksmbd module functions
  • Memory corruption signatures in kernel logs related to SMB operations
  • Unusual SMB compound request patterns in network traffic analysis
  • System instability when serving files with complex POSIX ACL configurations

Detection Strategies

  • Monitor kernel logs for ksmbd-related out-of-bounds access warnings or KASAN reports
  • Deploy network intrusion detection rules to identify malformed or suspicious compound SMB requests
  • Enable kernel memory debugging options (KASAN, UBSAN) in development or test environments to catch exploitation attempts
  • Audit SMB server access logs for unusual query patterns targeting files with extensive ACL entries

Monitoring Recommendations

  • Configure alerting on kernel oops or panic events referencing ksmbd, smb2_get_info_sec, or build_sec_desc functions
  • Monitor network traffic for SMB compound requests with READ + QUERY_INFO combinations targeting security descriptors
  • Track system stability metrics on servers running ksmbd for anomalies

How to Mitigate CVE-2026-31432

Immediate Actions Required

  • Apply the latest kernel patches addressing this vulnerability from your distribution's package manager
  • If immediate patching is not possible, consider temporarily disabling ksmbd and using userspace Samba if SMB services are required
  • Review and audit POSIX ACL configurations on shared directories to understand exposure
  • Monitor systems for signs of exploitation attempts

Patch Information

The Linux kernel developers have released patches to address this vulnerability. Multiple commits are available in the stable kernel tree:

  • Kernel Commit 075ea208c648
  • Kernel Commit 515c2daab460
  • Kernel Commit d48c64fb80ad
  • Kernel Commit fda9522ed6af

The fix introduces smb_acl_sec_desc_scratch_len() for accurate pre-computation of security descriptor sizes, implements proper buffer validation using smb2_calc_max_out_buf_len(), and ensures exact-sized memory allocation with iov pinning.

Workarounds

  • Disable the ksmbd kernel module if in-kernel SMB server functionality is not required: modprobe -r ksmbd
  • Migrate SMB file sharing services to userspace Samba (smbd) as a temporary alternative
  • Restrict network access to ksmbd services using firewall rules to trusted clients only
  • Reduce attack surface by simplifying POSIX ACL configurations on shared directories where feasible
```bash
# Disable the ksmbd module temporarily (fails if the module is still in use; stop the SMB service first)
sudo modprobe -r ksmbd

# Prevent ksmbd from being auto-loaded at boot
echo "blacklist ksmbd" | sudo tee /etc/modprobe.d/ksmbd-blacklist.conf

# Check whether ksmbd is currently loaded (no output means it is not loaded)
lsmod | grep ksmbd
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Vulnerability Details

  • Type: Buffer Overflow
  • Vendor/Tech: Linux Kernel
  • Severity: NONE
  • CVSS Score: N/A
  • EPSS Probability: 0.01%
  • Known Exploited: No

Impact Assessment

  • Confidentiality: None
  • Integrity: None
  • Availability: None

Technical References

  • Linux Kernel Commits 075ea208c648, 515c2daab460, d48c64fb80ad, fda9522ed6af

Related CVEs

  • CVE-2026-31449: Linux Kernel Buffer Overflow Vulnerability
  • CVE-2026-31512: Linux Kernel Buffer Overflow Vulnerability
  • CVE-2026-31438: Linux Kernel Buffer Overflow Vulnerability
  • CVE-2026-31450: Linux Kernel Buffer Overflow Vulnerability
©2026 SentinelOne, All Rights Reserved.