Detections
Analytics

CVE-2026-31614

high

Description

In the Linux kernel, the following vulnerability has been resolved: smb: client: fix off-by-8 bounds check in check_wsl_eas() The bounds check uses (u8 *)ea + nlen + 1 + vlen as the end of the EA name and value, but ea_data sits at offset sizeof(struct smb2_file_full_ea_info) = 8 from ea, not at offset 0. The strncmp() later reads ea->ea_data[0..nlen-1] and the value bytes follow at ea_data[nlen+1..nlen+vlen], so the actual end is ea->ea_data + nlen + 1 + vlen. Isn't pointer math fun? The earlier check (u8 *)ea > end - sizeof(*ea) only guarantees the 8-byte header is in bounds, but since the last EA is placed within 8 bytes of the end of the response, the name and value bytes are read past the end of iov. Fix this mess all up by using ea->ea_data as the base for the bounds check. An "untrusted" server can use this to leak up to 8 bytes of kernel heap into the EA name comparison and influence which WSL xattr the data is interpreted as.

References

https://git.kernel.org/stable/c/ba3ad159aa61810bbe0acaf39578b1ebfb6f1a18

https://git.kernel.org/stable/c/b2b76d09a64c538c57006180103fc1841e8cfa66

https://git.kernel.org/stable/c/a893f1757d9a4009e4a8d7ceb2312142fe29cea4

https://git.kernel.org/stable/c/5cc0574c84aa73946ade587c41e81757b8b01cb5

Details

Source: Mitre, NVD

Published: 2026-04-24

Updated: 2026-04-24

Risk Information

CVSS v2

Base Score: 8.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:C

Severity: High

CVSS v3

Base Score: 7.1

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

Severity: High