Bug 2461494 (CVE-2026-31614) - CVE-2026-31614 kernel: smb: client: fix off-by-8 bounds check in check_wsl_eas()
Summary: CVE-2026-31614 kernel: smb: client: fix off-by-8 bounds check in check_wsl_eas()
Keywords:
Status: NEW
Alias: CVE-2026-31614
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-04-24 15:04 UTC by OSIDB Bzimport
Modified: 2026-04-24 19:58 UTC (History)
2 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2026-04-24 15:04:50 UTC 
In the Linux kernel, the following vulnerability has been resolved:

smb: client: fix off-by-8 bounds check in check_wsl_eas()

The bounds check uses (u8 *)ea + nlen + 1 + vlen as the end of the EA
name and value, but ea_data sits at offset sizeof(struct
smb2_file_full_ea_info) = 8 from ea, not at offset 0.  The strncmp()
later reads ea->ea_data[0..nlen-1] and the value bytes follow at
ea_data[nlen+1..nlen+vlen], so the actual end is ea->ea_data + nlen + 1
+ vlen.  Isn't pointer math fun?

The earlier check (u8 *)ea > end - sizeof(*ea) only guarantees the
8-byte header is in bounds, but since the last EA is placed within 8
bytes of the end of the response, the name and value bytes are read past
the end of iov.

Fix this mess all up by using ea->ea_data as the base for the bounds
check.

An "untrusted" server can use this to leak up to 8 bytes of kernel heap
into the EA name comparison and influence which WSL xattr the data is
interpreted as.
Comment 1 Keith Grant 2026-04-24 19:56:11 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026042423-CVE-2026-31614-4bf1@gregkh/T
Note You need to log in before you can comment on or make changes to this bug.