CVE-2026-31704 Overview
CVE-2026-31704 is an integer overflow vulnerability in the Linux kernel's ksmbd in-kernel SMB3 server. The flaw resides in the set_posix_acl_entries_dacl() and set_ntacl_dacl() functions within smbacl.c, which accumulate Access Control Entry (ACE) sizes in u16 variables. When a file carries many POSIX ACL entries, the accumulated size can wrap past 65535, causing pointer arithmetic to land within already-written ACEs and corrupt the discretionary access control list (DACL) buffer. The issue affects the Linux kernel on systems where ksmbd is enabled.
Critical Impact
A local authenticated attacker can trigger memory corruption in the kernel SMB server by crafting files with excessive POSIX ACL entries, leading to a denial-of-service condition.
Affected Products
- Linux Kernel (multiple stable branches with ksmbd enabled)
- Distributions shipping ksmbd as the in-kernel SMB server
- Systems exposing SMB shares backed by filesystems with POSIX ACLs
Discovery Timeline
- 2026-05-01 - CVE-2026-31704 published to NVD
- 2026-05-06 - Last updated in NVD database
Technical Details for CVE-2026-31704
Vulnerability Analysis
The ksmbd module builds DACLs when responding to SMB security descriptor queries. Functions set_posix_acl_entries_dacl() and set_ntacl_dacl() walk the file's POSIX ACL entries and serialize each one as an ACE into an output buffer. During serialization, the running total of bytes written is tracked in a 16-bit unsigned integer (u16). Because each ACE consumes a non-trivial number of bytes, a sufficiently large set of ACL entries pushes the cumulative size beyond 0xFFFF, wrapping the counter to a small value [CWE-190].
Once the counter wraps, the next write computed as (char *)pndace + *size points back into earlier ACEs in the same buffer. Subsequent ACE writes overwrite previously serialized entries, and the final pndacl->size field is recorded with a truncated length. The corrupted DACL is then returned over SMB or used internally by the server.
Root Cause
The root cause is the use of an undersized integer type for size accumulation without overflow checking. The fix replaces unchecked addition with check_add_overflow() at every accumulation point, mirroring the existing check_mul_overflow() pattern already present elsewhere in smbacl.c. When overflow is detected, the function aborts cleanly instead of producing a malformed DACL.
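The following is an added example, not code from ksmbd or the upstream patch, that reproduces the failure mode described in the Vulnerability Analysis and Root Cause sections in user space. It serializes a constructed fixed-size ACE layout (36 bytes per entry, an assumption made only for the arithmetic), first with the vulnerable u16 accumulator and then with the checked accumulation the fix uses. check_add_overflow() is mapped to the compiler's __builtin_add_overflow() stand-in, and the -E2BIG abort code is this example's choice, not something the advisory states.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef uint16_t u16;
typedef uint32_t u32;

/* Constructed ACE layout for this example: an 8-byte header (the entry's
 * index is stored at byte 4) followed by a fixed 28-byte SID body. Real
 * ksmbd ACEs are variable-length; the counter wrap does not depend on it. */
#define ACE_HDR_LEN 8u
#define SID_LEN     28u
#define ACE_LEN     (ACE_HDR_LEN + SID_LEN)   /* 36 bytes per ACE */
#define SID_FILL    0xAAu

/* Userland stand-in for the kernel's check_add_overflow(): true when a + b
 * does not fit the type of *d, otherwise the sum is stored in *d. */
#define check_add_overflow(a, b, d) __builtin_add_overflow((a), (b), (d))

/* Serialize one ACE at pndace: index in the header, SID_FILL for the SID. */
static void write_ace(unsigned char *pndace, u32 index)
{
    memset(pndace, SID_FILL, ACE_LEN);
    memcpy(pndace + 4, &index, sizeof index);
}

/* Read back the index field of the ACE expected at a given slot. */
static u32 read_ace_index(const unsigned char *buf, unsigned slot)
{
    u32 index;
    memcpy(&index, buf + (size_t)slot * ACE_LEN + 4, sizeof index);
    return index;
}

/* Vulnerable pattern: the running DACL size is a u16 bumped with a plain
 * add, so it wraps past 0xFFFF and the next ACE lands inside entries that
 * were already written. Stores the truncated size and returns how many
 * ACEs were written below the high-water mark of the buffer. */
static unsigned build_dacl_u16(unsigned char *buf, unsigned nace, u16 *size_out)
{
    u16 size = 0;
    size_t high_water = 0;
    unsigned wrapped = 0;

    for (unsigned i = 0; i < nace; i++) {
        unsigned char *pndace = buf + size;     /* (char *)pndace + *size */
        if ((size_t)size < high_water)
            wrapped++;                          /* overwriting an earlier ACE */
        write_ace(pndace, i);
        if ((size_t)size + ACE_LEN > high_water)
            high_water = (size_t)size + ACE_LEN;
        size += ACE_LEN;                        /* 65520 + 36 wraps to 20 */
    }
    *size_out = size;                           /* what pndacl->size would get */
    return wrapped;
}

/* Fixed pattern: every accumulation goes through check_add_overflow() and
 * the build aborts before writing once the u16 cannot hold the new total. */
static int build_dacl_checked(unsigned char *buf, unsigned nace, u16 *size_out)
{
    u16 size = 0;

    for (unsigned i = 0; i < nace; i++) {
        u16 next;
        if (check_add_overflow(size, (u16)ACE_LEN, &next))
            return -E2BIG;                      /* assumed error code */
        write_ace(buf + size, i);
        size = next;
    }
    *size_out = size;
    return 0;
}

/* Scenario helpers: the buffer holds nace * ACE_LEN bytes so the userland
 * simulation itself stays in bounds even after the counter wraps. */
static unsigned vuln_wrapped(unsigned nace)
{
    unsigned char *b = calloc(nace, ACE_LEN); u16 s;
    unsigned w = build_dacl_u16(b, nace, &s); free(b); return w;
}
static unsigned vuln_size(unsigned nace)
{
    unsigned char *b = calloc(nace, ACE_LEN); u16 s;
    build_dacl_u16(b, nace, &s); free(b); return s;
}
static u32 vuln_slot_index(unsigned nace, unsigned slot)
{
    unsigned char *b = calloc(nace, ACE_LEN); u16 s;
    build_dacl_u16(b, nace, &s); u32 idx = read_ace_index(b, slot); free(b); return idx;
}
static int checked_rc(unsigned nace)
{
    unsigned char *b = calloc(nace, ACE_LEN); u16 s;
    int rc = build_dacl_checked(b, nace, &s); free(b); return rc;
}
static long checked_size(unsigned nace)   /* -1 when the build was aborted */
{
    unsigned char *b = calloc(nace, ACE_LEN); u16 s;
    int rc = build_dacl_checked(b, nace, &s); free(b); return rc ? -1 : (long)s;
}

int main(void)
{
    unsigned counts[] = { 1820, 1821, 2000 };   /* 1820 * 36 = 65520 still fits a u16 */
    for (size_t k = 0; k < sizeof counts / sizeof counts[0]; k++) {
        unsigned n = counts[k];
        printf("%u ACEs: u16 size=%u wrapped=%u slot1=0x%08x | checked rc=%d size=%ld\n",
               n, vuln_size(n), vuln_wrapped(n), vuln_slot_index(n, 1),
               checked_rc(n), checked_size(n));
    }
    return 0;
}
```

With 36-byte entries the u16 counter holds 1820 ACEs and wraps on the 1821st, after which every further ACE is written back near the start of the buffer and the index field of the second ACE reads as SID filler rather than 1. The checked build rejects the 1821st entry before touching the buffer, which is the clean abort the fix provides.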
Attack Vector
Exploitation requires local access and the ability to control file ACLs on a filesystem exported by ksmbd. An authenticated SMB user, or a local user able to set extended POSIX ACLs on a shared file, can stage a file with an extreme number of ACL entries. When ksmbd serializes the security descriptor, the overflow corrupts kernel memory adjacent to the DACL buffer, producing kernel panics or unpredictable behavior. The CVSS vector indicates local access with low privileges and high availability impact, with no confidentiality or integrity impact reported. The EPSS probability is 0.013%, reflecting the local prerequisite and absence of public exploit code.
No public proof-of-concept exists, and the vulnerability is not listed in the CISA KEV catalog.
Detection Methods for CVE-2026-31704
Indicators of Compromise
- Kernel oops or panic traces referencing set_posix_acl_entries_dacl or set_ntacl_dacl in fs/smb/server/smbacl.c.
- Unexpected ksmbd worker thread crashes or SMB session terminations on hosts with ksmbd loaded.
- Files on exported shares carrying an unusually large number of POSIX ACL entries beyond typical administrative use.
Detection Strategies
- Audit running kernel versions against the patched stable trees referenced in the kernel.org commits to identify unpatched hosts.
- Inspect filesystems exported via ksmbd for files with abnormally large ACL counts using getfacl and flag outliers.
- Monitor dmesg and journalctl -k for repeated ksmbd-related warnings, BUG entries, or memory corruption indicators.
Monitoring Recommendations
- Forward kernel logs to a centralized logging or SIEM platform and alert on ksmbd stack traces.
- Track SMB share availability and worker process restarts as a proxy signal for crash-based exploitation attempts.
- Baseline ACL entry counts per share and alert on sudden growth that could indicate staging of an overflow payload.
How to Mitigate CVE-2026-31704
Immediate Actions Required
- Apply the upstream kernel patches referenced in the Kernel Security Fix and companion commits to all affected stable branches.
- Where patching is not immediately possible, unload the ksmbd module on hosts that do not require an in-kernel SMB server: modprobe -r ksmbd.
- Restrict SMB share access to trusted authenticated users and remove write/ACL-modification rights from untrusted accounts.
Patch Information
The Linux kernel maintainers fixed the issue by introducing check_add_overflow() calls at each ACE size accumulation point in smbacl.c. The corresponding stable backports are available at Kernel Patch Details, Kernel Commit Changes, Kernel Code Update, Kernel Security Fix, and Kernel Improvement Commit. Distribution vendors are issuing rebased kernels through their normal advisory channels.
Workarounds
- Migrate SMB services from ksmbd to user-space Samba (smbd) until patched kernels are deployed.
- Disable POSIX ACL support on filesystems exported via ksmbd where ACLs are not required.
- Block SMB ports (445/tcp, 139/tcp) from untrusted networks at the host firewall to limit exposure of the affected code path.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.