CVE-2026-31613 Overview
CVE-2026-31613 is an Out-of-Bounds Read vulnerability in the Linux kernel's SMB client implementation. The flaw exists in the symlink error response parsing logic, where insufficient length validation in smb2_check_message() allows a malicious or compromised SMB server to trigger out-of-bounds heap reads. When a CREATE request returns STATUS_STOPPED_ON_SYMLINK, the kernel fails to properly validate response lengths, potentially leaking sensitive heap memory contents back to userspace via the readlink(2) system call.
Critical Impact
A malicious SMB server can exploit this vulnerability to leak kernel heap memory to unprivileged users. The leaked data is UTF-16 decoded and returned through readlink(), potentially exposing sensitive information including credentials, cryptographic keys, or other security-critical data from kernel memory.
Affected Products
- Linux Kernel (multiple versions with SMB client support)
- Systems mounting SMB/CIFS shares from untrusted servers
- Enterprise environments with network file sharing configurations
Discovery Timeline
- 2026-04-24 - CVE-2026-31613 published to NVD
- 2026-04-28 - Last updated in NVD database
Technical Details for CVE-2026-31613
Vulnerability Analysis
The vulnerability exists in the SMB 3.1.1 client implementation, specifically in how the kernel parses error context data when processing symlink error responses. When smb2_check_message() processes a STATUS_STOPPED_ON_SYMLINK response, it returns success without performing adequate length validation on the error response structure. This places the entire burden of security validation on the symlink parsers, which also contain flaws.
The symlink_data() function walks SMB 3.1.1 error contexts using a loop test p < end, but this check is insufficient. The function reads p->ErrorId at offset 4 and p->ErrorDataLength at offset 0. When a server-controlled ErrorDataLength value advances the pointer p to within 1-7 bytes of end, the next loop iteration reads past the allocated buffer boundary.
Furthermore, when a matching error context is found, sym->SymLinkErrorTag is read at offset 4 from p->ErrorContextData without verifying that the symlink header structure fits within the remaining buffer space. This allows an attacker controlling the server to craft responses that trigger out-of-bounds reads.
The smb2_parse_symlink_response() function compounds the issue by using SMB2_SYMLINK_STRUCT_SIZE (computed as sizeof(smb2_err_rsp) + sizeof(smb2_symlink_err_rsp)) as the offset for bounds-checking the substitute name. This calculation is only correct when ErrorContextCount == 0. With one or more error contexts present, the actual symlink data sits 8 bytes deeper, plus an additional 8 + ALIGN(ErrorDataLength, 8) bytes for each skipped non-matching context. This incorrect offset calculation allows the substitute name read to exceed iov_len, causing heap bytes to be read out-of-bounds, UTF-16 decoded, and returned to userspace.
Root Cause
The root cause is a combination of missing and incorrect boundary validation in the SMB client symlink error parsing code:
- Insufficient loop termination check: The loop test p < end does not ensure the full context header (8 bytes) fits before reading structure fields
- Missing symlink header validation: No check verifies that sym->SymLinkErrorTag and the symlink header fit within the remaining buffer
- Incorrect offset calculation: The bounds check for substitute name uses a fixed offset that doesn't account for error context headers, resulting in an undersized boundary check
Attack Vector
This vulnerability is exploitable over the network by a malicious SMB server. An attacker must either operate a rogue SMB server or compromise an existing one that the victim connects to. The attack flow is:
- Victim system mounts an SMB share from the attacker-controlled server
- A user or application on the victim system attempts to access a path that triggers a symlink resolution
- The malicious server responds with a crafted STATUS_STOPPED_ON_SYMLINK error containing malformed error context structures
- The Linux kernel's SMB client parses the response, reading past allocated buffer boundaries
- Out-of-bounds heap data is UTF-16 decoded and returned to userspace via readlink(2)
The attacker can potentially extract sensitive kernel heap contents by repeatedly triggering this condition and analyzing the returned symlink target strings. User interaction is required (mounting an SMB share or accessing files), but no authentication to the server is required from the attacker's perspective.
Detection Methods for CVE-2026-31613
Indicators of Compromise
- Anomalous readlink() system calls returning unusually long or malformed symlink targets from SMB-mounted filesystems
- Kernel log messages indicating SMB protocol errors or memory access violations during symlink resolution
- Unexpected network traffic patterns with SMB servers responding with frequent STATUS_STOPPED_ON_SYMLINK errors
- Memory corruption detection alerts (KASAN) indicating out-of-bounds reads in SMB client code paths
Detection Strategies
- Deploy kernel memory sanitizers (KASAN) in development and testing environments to detect out-of-bounds access patterns
- Monitor SMB client operations for unusual error response handling, particularly around symlink operations
- Implement network-level inspection for anomalous SMB error responses with crafted ErrorDataLength values
- Configure auditd rules to log readlink() operations on CIFS/SMB mounted filesystems
Monitoring Recommendations
- Enable kernel tracing for SMB/CIFS operations to capture symlink resolution events and associated error responses
- Deploy endpoint detection and response (EDR) solutions capable of monitoring kernel-level memory access patterns
- Establish baselines for normal SMB traffic patterns and alert on deviations in error response frequencies
- Monitor for signs of information leakage through symlink resolution paths
How to Mitigate CVE-2026-31613
Immediate Actions Required
- Apply the latest kernel patches from Linux kernel stable branches immediately
- Audit all SMB/CIFS mount configurations and assess trust levels of connected servers
- Consider temporarily unmounting shares from untrusted or internet-facing SMB servers until patches are applied
- Enable KASAN in test environments to detect exploitation attempts
Patch Information
The vulnerability has been addressed in multiple kernel stable branches. The fix ensures that loop tests require the full context header to fit before processing, rejects symlink structures whose headers extend past the buffer end, and bounds-checks substitute names against the actual position of sym->PathBuffer rather than using an incorrect fixed offset.
Apply patches from the following kernel commits:
- Kernel commit 3df690bba28e
- Kernel commit 781902e069f4
- Kernel commit a66ef2e7ed83
- Kernel commit e0dd90d14cbb
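The three checks the fix describes (a context header that must fit in full before its fields are read, a symlink header that must fit before SymLinkErrorTag is read, and a substitute-name bound taken from the real position of sym->PathBuffer rather than a fixed offset) written out as an added example against the wire layout the Vulnerability Analysis and Root Cause sections describe. This is not the kernel's code or the patch itself: the SMB2 header is omitted, the layout-size macros, helper names and sample responses are this example's own constructions, and the SMB2_ERROR_ID_SHARE_REDIRECT value is the MS-SMB2 one, used here only as a non-matching context id.

```c
#include <stdint.h>
#include <string.h>

/* Wire constants from MS-SMB2 (the kernel's smb2pdu.h carries the same); the three sizes are this example's own names. */
#define SMB2_ERROR_ID_DEFAULT        0x00000000u
#define SMB2_ERROR_ID_SHARE_REDIRECT 0x72645253u
#define SYMLINK_ERROR_TAG            0x4C4D5953u
#define ERR_RSP_BODY_LEN 8u  /* StructureSize(2) ErrorContextCount(1) Reserved(1) ByteCount(4), then ErrorData */
#define ERR_CTX_HDR_LEN  8u  /* ErrorDataLength(4) ErrorId(4), then ErrorContextData */
#define SYMLINK_HDR_LEN 28u  /* SymLinkLength .. Flags; PathBuffer begins right after */

static uint16_t get_le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t get_le32(const uint8_t *p) { return get_le16(p) | ((uint32_t)get_le16(p + 2) << 16); }
static void put_le16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void put_le32(uint8_t *p, uint32_t v) { put_le16(p, (uint16_t)v); put_le16(p + 2, (uint16_t)(v >> 16)); }

/* Hardened parse of a STATUS_STOPPED_ON_SYMLINK response body (bytes after the 64-byte SMB2 header; iov_len
 * is what was received). Every read is preceded by a fit check and the cursor is an offset, never a pointer
 * past the end. On success the substitute name is narrowed into name[cap] and 0 is returned; -1 rejects. */
int parse_symlink_error(const uint8_t *buf, size_t iov_len, char *name, size_t cap)
{
    size_t off = ERR_RSP_BODY_LEN, sym_off, sym_end, path_off, sub_off, sub_len, ctx_count, i;
    if (iov_len < ERR_RSP_BODY_LEN)
        return -1;
    ctx_count = buf[2];
    sym_off = off, sym_end = iov_len;    /* SMB 3.0 layout (no contexts): ErrorData is the symlink struct */
    while (ctx_count--) {                /* SMB 3.1.1 layout: walk the error-context list */
        uint32_t data_len, id;
        if (off > iov_len || iov_len - off < ERR_CTX_HDR_LEN)
            return -1;                   /* the full 8-byte header must fit; "p < end" alone is not enough */
        data_len = get_le32(buf + off), id = get_le32(buf + off + 4);
        if (data_len > iov_len - off - ERR_CTX_HDR_LEN)
            return -1;                   /* the context data must fit as well */
        if (id == SMB2_ERROR_ID_DEFAULT) {
            sym_off = off + ERR_CTX_HDR_LEN, sym_end = sym_off + data_len;
            break;
        }
        if (ctx_count == 0)
            return -1;                   /* list exhausted without a symlink context */
        off += ERR_CTX_HDR_LEN + (((size_t)data_len + 7) & ~(size_t)7);   /* skip it, 8-byte aligned */
    }
    /* The whole symlink header must fit before SymLinkErrorTag and the name offsets are read. */
    if (sym_end - sym_off < SYMLINK_HDR_LEN || get_le32(buf + sym_off + 4) != SYMLINK_ERROR_TAG)
        return -1;
    sub_off = get_le16(buf + sym_off + 16), sub_len = get_le16(buf + sym_off + 18);
    /* Bound the name against where PathBuffer really is (it moves with every skipped context), not a fixed offset. */
    path_off = sym_off + SYMLINK_HDR_LEN;
    if (sub_off > sym_end - path_off || sub_len > sym_end - path_off - sub_off)
        return -1;
    for (i = 0; i < sub_len / 2 && i + 1 < cap; i++)   /* narrow UTF-16LE to ASCII (kernel: real charset conversion) */
        name[i] = (char)buf[path_off + sub_off + 2 * i];
    name[i] = '\0';
    return 0;
}

/* Constructed sample in a zeroed buf: `junk_ctx` non-matching contexts (4 data bytes each, padded to 8), then
 * the symlink context naming `target` (ASCII widened to UTF-16LE). Fields the parser never reads stay 0. */
size_t build_symlink_response(uint8_t *buf, const char *target, unsigned junk_ctx)
{
    size_t n = ERR_RSP_BODY_LEN, name_len = strlen(target) * 2, s, i;
    put_le16(buf, 9), buf[2] = (uint8_t)(junk_ctx + 1);          /* StructureSize, ErrorContextCount */
    for (i = 0; i < junk_ctx; i++, n += ERR_CTX_HDR_LEN + 8)
        put_le32(buf + n, 4), put_le32(buf + n + 4, SMB2_ERROR_ID_SHARE_REDIRECT);
    put_le32(buf + n, (uint32_t)(SYMLINK_HDR_LEN + name_len)), put_le32(buf + n + 4, SMB2_ERROR_ID_DEFAULT);
    s = n + ERR_CTX_HDR_LEN;                                    /* start of the symlink struct */
    put_le32(buf + s + 4, SYMLINK_ERROR_TAG);
    put_le16(buf + s + 18, (uint16_t)name_len);                 /* SubstituteNameLength; offset stays 0 */
    for (i = 0; target[i]; i++)
        buf[s + SYMLINK_HDR_LEN + 2 * i] = (uint8_t)target[i];  /* high bytes stay 0 */
    return s + SYMLINK_HDR_LEN + name_len;
}

static char scratch[64];   /* name buffer shared by the scenarios below */

/* Well-formed response with one skipped context: returns the name found at its real, deeper position. */
const char *scenario_valid(void)
{
    uint8_t buf[256] = {0};
    size_t n = build_symlink_response(buf, "\\??\\C:\\share\\target", 1);
    return parse_symlink_error(buf, n, scratch, sizeof scratch) == 0 ? scratch : NULL;
}

/* First context's ErrorDataLength leaves the cursor 5 bytes short of the end, where "p < end" would read a header. */
int scenario_short_tail(void)
{
    uint8_t buf[64] = {0};
    put_le16(buf, 9), buf[2] = 2;
    put_le32(buf + 8, 8), put_le32(buf + 12, SMB2_ERROR_ID_SHARE_REDIRECT);  /* next header lands at offset 24 */
    return parse_symlink_error(buf, 29, scratch, sizeof scratch);            /* only 5 bytes remain there */
}

/* SubstituteNameLength claims more than the context holds: -1 rather than a read past the end. */
int scenario_overlong_name(void)
{
    uint8_t buf[256] = {0};
    size_t n = build_symlink_response(buf, "\\??\\C:\\x", 0);
    put_le16(buf + ERR_RSP_BODY_LEN + ERR_CTX_HDR_LEN + 18, 512);
    return parse_symlink_error(buf, n, scratch, sizeof scratch);
}
```

In scenario_valid() the skipped context pushes the symlink data 24 bytes deeper than a fixed SMB2_SYMLINK_STRUCT_SIZE offset would assume (8 for the matching context's header plus 8 + ALIGN(4, 8) for the skipped one), and the name is still bounded correctly because path_off is computed from where the matching context actually starts. The two rejection scenarios correspond to the first and third root causes listed above; the header-size check before SymLinkErrorTag is read covers the second.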
Workarounds
- Unmount SMB shares from untrusted or potentially compromised servers until the kernel can be patched
- Use VPN or network segmentation to limit SMB server exposure to trusted network segments only
- Configure firewall rules to restrict SMB traffic to known, trusted server IP addresses
- Disable SMB/CIFS mounting entirely if not required for operations until patches are deployed
# Temporarily unmount a share served by an untrusted or suspicious server
umount -t cifs /mnt/untrusted_share
# Block outbound SMB (TCP 445) to any server outside the trusted subnet; the
# attack needs the client to reach a malicious server, so filter OUTPUT, not INPUT
# (trusted_network/24 is a placeholder; substitute your own server range)
iptables -A OUTPUT -p tcp --dport 445 ! -d trusted_network/24 -j DROP
# Record the running kernel version to plan the upgrade
uname -r
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.