CVE-2026-31709
Description
In the Linux kernel, the following vulnerability has been resolved: smb: client: validate the whole DACL before rewriting it in cifsacl build_sec_desc() and id_mode_to_cifs_acl() derive a DACL pointer from a server-supplied dacloffset and then use the incoming ACL to rebuild the chmod/chown security descriptor. The original fix only checked that the struct smb_acl header fits before reading dacl_ptr->size or dacl_ptr->num_aces. That avoids the immediate header-field OOB read, but the rewrite helpers still walk ACEs based on pdacl->num_aces with no structural validation of the incoming DACL body. A malicious server can return a truncated DACL that still contains a header, claims one or more ACEs, and then drive replace_sids_and_copy_aces() or set_chmod_dacl() past the validated extent while they compare or copy attacker-controlled ACEs. Factor the DACL structural checks into validate_dacl(), extend them to validate each ACE against the DACL bounds, and use the shared validator before the chmod/chown rebuild paths. parse_dacl() reuses the same validator so the read-side parser and write-side rewrite paths agree on what constitutes a well-formed incoming DACL.
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ if you've already worked around this in production โ publish your fix to the community-verified tier.
โ Propose a mitigation on Community โ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here withsource_tier=community-verified.
OS impact
Linux kernel Affected 1 release
| Version | Status | Fixed in |
|---|---|---|
| โ | Affected | 7.0.2 |
SUSE Affected 1 release
| Version | Status | Fixed in |
|---|---|---|
| โ | Affected | โ |
Windows Affected 1 release
| Version | Status | Fixed in |
|---|---|---|
| โ | Affected | โ |
Debian Mixed 5 releases
| Version | Status | Fixed in |
|---|---|---|
| trixie | Fixed | 6.12.86-1 |
| sid | Fixed | 7.0.3-1 |
| forky | Fixed | 7.0.3-1 |
| bullseye | Fixed | 0 |
| bookworm | Affected | โ |
AlmaLinux Fixed 1 release
| Version | Status | Fixed in |
|---|---|---|
| 8 | Fixed | kernel-doc-4.18.0-553.126.1.el8_10.noarch.rpm |
Red Hat Fixed 2 releases
| Version | Status | Fixed in |
|---|---|---|
| 9 | Fixed | โ |
| 8 | Fixed | โ |
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| gcp | | |
References
- https://git.kernel.org/stable/c/0a8cf165566ba55a39fd0f4de172119dd646d39a
- https://git.kernel.org/stable/c/8e47d297e7cf9a6029a0d38e7b22faba7d7aaf12
- https://git.kernel.org/stable/c/b78db9bddc84136f6a0bb49e8883cf200dfb87a8
- https://git.kernel.org/stable/c/d92f3f0b22414e7515696a02224d0af55e3004a3
- https://www.suse.com/security/cve/CVE-2026-31709.html
- https://security-tracker.debian.org/tracker/CVE-2026-31709
- https://access.redhat.com/errata/RHSA-2026:21556
- https://access.redhat.com/errata/RHSA-2026:21706
- https://bugzilla.redhat.com/2404105
- https://bugzilla.redhat.com/2422699
- https://bugzilla.redhat.com/2424879
- https://bugzilla.redhat.com/2429602
- https://bugzilla.redhat.com/2448594
- https://bugzilla.redhat.com/2448745
- https://bugzilla.redhat.com/2454810
- https://bugzilla.redhat.com/2455334
- https://bugzilla.redhat.com/2461107
- https://bugzilla.redhat.com/2461757
- https://bugzilla.redhat.com/2461759
- https://bugzilla.redhat.com/2464369
- https://bugzilla.redhat.com/2464455
- https://bugzilla.redhat.com/2464462
- https://bugzilla.redhat.com/2464476
- https://bugzilla.redhat.com/2467059
- https://bugzilla.redhat.com/2467064
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.