Bug 2464396 (CVE-2026-31708) - CVE-2026-31708 kernel: smb: client: fix OOB read in smb2_ioctl_query_info QUERY_INFO path
Summary: CVE-2026-31708 kernel: smb: client: fix OOB read in smb2_ioctl_query_info QUE...
Keywords:
Status: NEW
Alias: CVE-2026-31708
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-05-01 15:04 UTC by OSIDB Bzimport
Modified: 2026-05-01 20:08 UTC (History)
2 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2026-05-01 15:04:25 UTC 
In the Linux kernel, the following vulnerability has been resolved:

smb: client: fix OOB read in smb2_ioctl_query_info QUERY_INFO path

smb2_ioctl_query_info() has two response-copy branches: PASSTHRU_FSCTL
and the default QUERY_INFO path.  The QUERY_INFO branch clamps
qi.input_buffer_length to the server-reported OutputBufferLength and then
copies qi.input_buffer_length bytes from qi_rsp->Buffer to userspace, but
it never verifies that the flexible-array payload actually fits within
rsp_iov[1].iov_len.

A malicious server can return OutputBufferLength larger than the actual
QUERY_INFO response, causing copy_to_user() to walk past the response
buffer and expose adjacent kernel heap to userspace.

Guard the QUERY_INFO copy with a bounds check on the actual Buffer
payload.  Use struct_size(qi_rsp, Buffer, qi.input_buffer_length)
rather than an open-coded addition so the guard cannot overflow on
32-bit builds.
Comment 1 Keith Grant 2026-05-01 20:07:19 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026050121-CVE-2026-31708-f27c@gregkh/T
Note You need to log in before you can comment on or make changes to this bug.