2460713 – (CVE-2026-31478) CVE-2026-31478 kernel: ksmbd: replace hardcoded hdr2_len with offsetof() in smb2_calc_max_out_buf_len()

Bug 2460713 (CVE-2026-31478) - CVE-2026-31478 kernel: ksmbd: replace hardcoded hdr2_len with offsetof() in smb2_calc_max_out_buf_len()

Summary: CVE-2026-31478 kernel: ksmbd: replace hardcoded hdr2_len with offsetof() in s...

Keywords:
Status:	NEW
Alias:	CVE-2026-31478
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2026-04-22 15:07 UTC by OSIDB Bzimport
Modified:	2026-04-22 18:32 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-04-22 15:07:00 UTC

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: replace hardcoded hdr2_len with offsetof() in smb2_calc_max_out_buf_len()

After this commit (e2b76ab8b5c9 "ksmbd: add support for read compound"),
response buffer management was changed to use dynamic iov array.
In the new design, smb2_calc_max_out_buf_len() expects the second
argument (hdr2_len) to be the offset of ->Buffer field in the
response structure, not a hardcoded magic number.
Fix the remaining call sites to use the correct offsetof() value.

Comment 1 Keith Grant 2026-04-22 18:30:52 UTC

Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026042257-CVE-2026-31478-7be0@gregkh/T

Note You need to log in before you can comment on or make changes to this bug.