CVE-2026-31708 Overview
CVE-2026-31708 is an out-of-bounds read vulnerability [CWE-125] in the Linux kernel's SMB client code. The flaw resides in smb2_ioctl_query_info(), specifically in the default QUERY_INFO response-copy branch. The function clamps qi.input_buffer_length to the server-reported OutputBufferLength and copies that many bytes from qi_rsp->Buffer to userspace. It never verifies that the flexible-array payload fits within rsp_iov[1].iov_len. A malicious SMB server can return an OutputBufferLength value larger than the actual QUERY_INFO response, causing copy_to_user() to walk past the response buffer and expose adjacent kernel heap memory to userspace.
Critical Impact
A malicious or compromised SMB server can leak adjacent kernel heap memory to a connected Linux client, enabling kernel information disclosure that may aid further exploitation.
Affected Products
- Linux Kernel (multiple stable branches; see kernel.org patch references)
- Distributions shipping the in-tree cifs/smb client module
- Systems mounting remote SMB shares from untrusted servers
Discovery Timeline
- 2026-05-01 - CVE-2026-31708 published to NVD
- 2026-05-06 - Last updated in NVD database
Technical Details for CVE-2026-31708
Vulnerability Analysis
The defect lives in the SMB2 IOCTL handler smb2_ioctl_query_info() in the Linux kernel CIFS/SMB client. The function dispatches into two response-copy branches: PASSTHRU_FSCTL and the default QUERY_INFO path. The QUERY_INFO branch trusts the server-supplied OutputBufferLength after clamping it against qi.input_buffer_length, then performs a copy_to_user() from the server response buffer.
The missing validation is a comparison between the bytes about to be copied and the size of the receive iovec, rsp_iov[1].iov_len. Because the flexible-array payload qi_rsp->Buffer lives at the tail of the response, an attacker-controlled length larger than the genuine payload causes the copy to read past the legitimate response into adjacent kernel heap memory. Those bytes are then handed to userspace.
Root Cause
The root cause is missing bounds enforcement on the flexible-array payload size. The code uses qi.input_buffer_length directly as a copy length without confirming that struct_size(qi_rsp, Buffer, qi.input_buffer_length) is less than or equal to rsp_iov[1].iov_len. The fix introduces this guard using struct_size() rather than open-coded arithmetic, eliminating integer overflow risk on 32-bit builds.
Attack Vector
Exploitation requires a Linux client to issue an IOCTL with CIFS_QUERY_INFO against a malicious or compromised SMB server. The server returns a forged QUERY_INFO response whose OutputBufferLength field exceeds the true payload length. The kernel then copies adjacent heap contents to the userspace caller. The CVSS vector indicates network-based access with user interaction required, reflecting the need for a client-initiated mount or IOCTL against the attacker-controlled server. See the upstream patches at Kernel Patch a34d4569 and Kernel Patch 078fae8f for the corrected logic.
Detection Methods for CVE-2026-31708
Indicators of Compromise
- Unexpected SMB mounts from clients to untrusted or external IP addresses on TCP/445
- CIFS_IOC_QUERY_INFO IOCTL invocations against newly observed SMB servers
- SMB2 QUERY_INFO responses where the server-declared OutputBufferLength exceeds the on-wire payload size
- Kernel log entries from the cifs module indicating malformed responses
Detection Strategies
- Inspect SMB2 traffic for QUERY_INFO responses whose OutputBufferLength exceeds the remaining message length
- Audit running kernel versions across the fleet against the fixed commits referenced on git.kernel.org
- Alert on Linux endpoints initiating outbound SMB sessions to non-corporate destinations
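The following user-space C model, added here as an illustration and not taken from the kernel or the upstream patches, reproduces the QUERY_INFO copy-length logic described under Root Cause before and after the fix, and doubles as the passive check named in Detection Strategies (OutputBufferLength versus the remaining message length). The struct field names are those of the advisory and the byte layout follows MS-SMB2 2.2.38; the helper names (copy_len_before_fix, copy_len_after_fix, struct_size_buffer, rsp_overdeclares_payload) and the two sample response bodies are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Wire layout of the SMB2 QUERY_INFO response body (MS-SMB2 2.2.38), mirroring
 * the kernel's struct smb2_query_info_rsp: an 8-byte fixed header followed by a
 * flexible-array payload. All fields are little-endian. */
struct smb2_query_info_rsp {
    uint16_t StructureSize;      /* always 9 on the wire */
    uint16_t OutputBufferOffset; /* offset from the start of the SMB2 header */
    uint32_t OutputBufferLength; /* server-declared payload size: untrusted */
    uint8_t  Buffer[];           /* payload; only iov_len - 8 bytes really exist */
} __attribute__((packed));

#define QI_RSP_HDR_LEN offsetof(struct smb2_query_info_rsp, Buffer)
#define QI_RSP_LEN_OFF offsetof(struct smb2_query_info_rsp, OutputBufferLength)

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Overflow-checked stand-in for the kernel's struct_size(qi_rsp, Buffer, n):
 * header plus n payload bytes, or SIZE_MAX if the sum would wrap (the 32-bit
 * concern the advisory mentions). Hypothetical helper name. */
size_t struct_size_buffer(size_t n)
{
    size_t total;
    if (__builtin_add_overflow(QI_RSP_HDR_LEN, n, &total))
        return SIZE_MAX;
    return total;
}

/* Both variants take the response body as the kernel sees it in rsp_iov[1]
 * (iov_base, iov_len) plus the caller's qi.input_buffer_length, and return the
 * byte count copy_to_user() would be given, or -1 when the response is rejected. */

/* Pre-fix behaviour: clamp only against OutputBufferLength. A server that
 * declares more than it sent pushes the copy length past iov_len. */
int64_t copy_len_before_fix(const uint8_t *body, size_t iov_len,
                            uint32_t input_buffer_length)
{
    if (iov_len < QI_RSP_HDR_LEN)
        return -1;
    uint32_t declared = le32(body + QI_RSP_LEN_OFF);
    if (input_buffer_length > declared)
        input_buffer_length = declared;
    return input_buffer_length; /* may exceed the bytes actually received */
}

/* Post-fix behaviour: additionally require that the flexible-array payload
 * fits inside the received iovec, which is the guard the upstream patches add. */
int64_t copy_len_after_fix(const uint8_t *body, size_t iov_len,
                           uint32_t input_buffer_length)
{
    int64_t len = copy_len_before_fix(body, iov_len, input_buffer_length);
    if (len < 0)
        return len;
    if (struct_size_buffer((size_t)len) > iov_len)
        return -1; /* the kernel returns -EINVAL here */
    return len;
}

/* Passive check for captured traffic: does the server declare a larger payload
 * than the message actually carries? Returns 1 if so, 0 otherwise. */
int rsp_overdeclares_payload(const uint8_t *body, size_t iov_len)
{
    if (iov_len < QI_RSP_HDR_LEN)
        return 1;
    return le32(body + QI_RSP_LEN_OFF) > iov_len - QI_RSP_HDR_LEN;
}

/* Constructed sample bodies (not captured traffic): 8-byte header + 16 bytes payload. */
static const uint8_t benign_rsp[24] = {
    0x09, 0x00,             /* StructureSize = 9 */
    0x48, 0x00,             /* OutputBufferOffset = 72 (64-byte SMB2 header + 8) */
    0x10, 0x00, 0x00, 0x00, /* OutputBufferLength = 16, matches what follows */
    'Q','U','E','R','Y','-','I','N','F','O','-','D','A','T','A','!'
};
static const uint8_t forged_rsp[24] = {
    0x09, 0x00, 0x48, 0x00,
    0x00, 0x10, 0x00, 0x00, /* OutputBufferLength = 4096, but only 16 bytes follow */
    'Q','U','E','R','Y','-','I','N','F','O','-','D','A','T','A','!'
};

int main(void)
{
    uint32_t want = 4096; /* caller's qi.input_buffer_length */
    printf("benign: before=%lld after=%lld overdeclares=%d\n",
           (long long)copy_len_before_fix(benign_rsp, sizeof benign_rsp, want),
           (long long)copy_len_after_fix(benign_rsp, sizeof benign_rsp, want),
           rsp_overdeclares_payload(benign_rsp, sizeof benign_rsp));
    printf("forged: before=%lld after=%lld overdeclares=%d\n",
           (long long)copy_len_before_fix(forged_rsp, sizeof forged_rsp, want),
           (long long)copy_len_after_fix(forged_rsp, sizeof forged_rsp, want),
           rsp_overdeclares_payload(forged_rsp, sizeof forged_rsp));
    return 0;
}
```

On the forged body the pre-fix path hands 4096 bytes to copy_to_user() although only 24 bytes were received, which is the over-read the advisory describes; the post-fix path rejects it, while a caller asking for no more than the 16 bytes that actually arrived is still served. The same OutputBufferLength-versus-remaining-length comparison is what a network sensor would apply per response.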
Monitoring Recommendations
- Forward auditd and kernel ring buffer events for the cifs module to a central log platform
- Track package versions of linux-image across distributions to confirm patched kernels are deployed
- Baseline expected SMB server destinations and alert on deviations
How to Mitigate CVE-2026-31708
Immediate Actions Required
- Apply the upstream kernel patches referenced on git.kernel.org and reboot affected hosts
- Update to a distribution kernel that includes the fix for smb2_ioctl_query_info()
- Restrict outbound SMB (TCP/445) traffic from Linux clients to known, trusted file servers
- Avoid mounting SMB shares from untrusted or internet-exposed servers until patches are applied
Patch Information
The fix adds a bounds check using struct_size(qi_rsp, Buffer, qi.input_buffer_length) against rsp_iov[1].iov_len before copy_to_user(). Upstream commits are available at Kernel Patch 078fae8f, Kernel Patch 85fd46ee, Kernel Patch a34d4569, Kernel Patch a58c5af1, and Kernel Patch ac2f14e4.
Workarounds
- Unload the cifs kernel module on systems that do not require SMB client functionality
- Block outbound TCP/445 and TCP/139 at the host or perimeter firewall where SMB is not required
- Limit which users can issue CIFS_IOC_QUERY_INFO by tightening mount permissions and noexec/nosuid mount options
# Temporarily disable the cifs client module on hosts that do not use SMB
sudo modprobe -r cifs
echo "blacklist cifs" | sudo tee /etc/modprobe.d/disable-cifs.conf
# Block outbound SMB at the host firewall (nftables example)
sudo nft add rule inet filter output tcp dport {139, 445} drop
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.