CVE-2026-31708

EUVD-2026-26517

01.05.2026, 14:16

In the Linux kernel, the following vulnerability has been resolved:

smb: client: fix OOB read in smb2_ioctl_query_info QUERY_INFO path

smb2_ioctl_query_info() has two response-copy branches: PASSTHRU_FSCTL
and the default QUERY_INFO path.  The QUERY_INFO branch clamps
qi.input_buffer_length to the server-reported OutputBufferLength and then
copies qi.input_buffer_length bytes from qi_rsp->Buffer to userspace, but
it never verifies that the flexible-array payload actually fits within
rsp_iov[1].iov_len.

A malicious server can return OutputBufferLength larger than the actual
QUERY_INFO response, causing copy_to_user() to walk past the response
buffer and expose adjacent kernel heap to userspace.

Guard the QUERY_INFO copy with a bounds check on the actual Buffer
payload.  Use struct_size(qi_rsp, Buffer, qi.input_buffer_length)
rather than an open-coded addition so the guard cannot overflow on
32-bit builds.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	8.1 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 20%

Affected Products (NVD)

Vendor	Product	Version
linux	linux_kernel	5.1 ≤ 𝑥 < 6.6.136
linux	linux_kernel	6.7 ≤ 𝑥 < 6.12.84
linux	linux_kernel	6.13 ≤ 𝑥 < 6.18.25
linux	linux_kernel	6.19 ≤ 𝑥 < 7.0.2

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

linux

bookworm	vulnerable
bookworm (security)	vulnerable
bullseye	vulnerable
bullseye (security)	vulnerable
forky	7.0.10-1 fixed
sid	7.0.12-2 fixed
trixie	6.12.86-1 fixed
trixie (security)	6.12.90-2 fixed

Amazon Linux Releases

Amazon Package

Release

bpftool6.12

Amazon Linux 2023

1:6.12.90-120.164.amzn2023

fixed

bpftool6.12-debuginfo

Amazon Linux 2023

1:6.12.90-120.164.amzn2023

fixed

bpftool6.18

Amazon Linux 2023

1:6.18.25-55.108.amzn2023

fixed

bpftool6.18-debuginfo

Amazon Linux 2023

1:6.18.25-55.108.amzn2023

fixed

kernel-livepatch-6.12.90-120.164

Amazon Linux 2023

1:1.0-0.amzn2023

fixed

kernel-livepatch-6.18.25-55.108

Amazon Linux 2023

1:1.0-0.amzn2023

fixed

kernel6.12

Amazon Linux 2023

1:6.12.90-120.164.amzn2023

fixed

kernel6.12-debuginfo

Amazon Linux 2023

1:6.12.90-120.164.amzn2023

fixed

kernel6.12-debuginfo-common-aarch64

Amazon Linux 2023

1:6.12.90-120.164.amzn2023

fixed

kernel6.12-debuginfo-common-x86_64

Amazon Linux 2023

1:6.12.90-120.164.amzn2023

fixed

kernel6.12-devel

Amazon Linux 2023

1:6.12.90-120.164.amzn2023

fixed

kernel6.12-headers

Amazon Linux 2023

1:6.12.90-120.164.amzn2023

fixed

kernel6.12-modules-extra

Amazon Linux 2023

1:6.12.90-120.164.amzn2023

fixed

kernel6.12-modules-extra-common

Amazon Linux 2023

1:6.12.90-120.164.amzn2023

fixed

kernel6.12-tools

Amazon Linux 2023

1:6.12.90-120.164.amzn2023

fixed

kernel6.12-tools-debuginfo

Amazon Linux 2023

1:6.12.90-120.164.amzn2023

fixed

kernel6.12-tools-devel

Amazon Linux 2023

1:6.12.90-120.164.amzn2023

fixed

kernel6.18

Amazon Linux 2023

1:6.18.25-55.108.amzn2023

fixed

kernel6.18-debuginfo

Amazon Linux 2023

1:6.18.25-55.108.amzn2023

fixed

kernel6.18-debuginfo-common-aarch64

Amazon Linux 2023

1:6.18.25-55.108.amzn2023

fixed

kernel6.18-debuginfo-common-x86_64

Amazon Linux 2023

1:6.18.25-55.108.amzn2023

fixed

kernel6.18-devel

Amazon Linux 2023

1:6.18.25-55.108.amzn2023

fixed

kernel6.18-headers

Amazon Linux 2023

1:6.18.25-55.108.amzn2023

fixed

kernel6.18-modules-extra

Amazon Linux 2023

1:6.18.25-55.108.amzn2023

fixed

kernel6.18-modules-extra-common

Amazon Linux 2023

1:6.18.25-55.108.amzn2023

fixed

kernel6.18-tools

Amazon Linux 2023

1:6.18.25-55.108.amzn2023

fixed

kernel6.18-tools-debuginfo

Amazon Linux 2023

1:6.18.25-55.108.amzn2023

fixed

kernel6.18-tools-devel

Amazon Linux 2023

1:6.18.25-55.108.amzn2023

fixed

perf6.12

Amazon Linux 2023

1:6.12.90-120.164.amzn2023

fixed

perf6.12-debuginfo

Amazon Linux 2023

1:6.12.90-120.164.amzn2023

fixed

perf6.18

Amazon Linux 2023

1:6.18.25-55.108.amzn2023

fixed

perf6.18-debuginfo

Amazon Linux 2023

1:6.18.25-55.108.amzn2023

fixed

python3-perf6.12

Amazon Linux 2023

1:6.12.90-120.164.amzn2023

fixed

python3-perf6.12-debuginfo

Amazon Linux 2023

1:6.12.90-120.164.amzn2023

fixed

python3-perf6.18

Amazon Linux 2023

1:6.18.25-55.108.amzn2023

fixed

python3-perf6.18-debuginfo

Amazon Linux 2023

1:6.18.25-55.108.amzn2023

fixed

Azure Linux Releases

Azure Package

Release

kernel

Azure Linux 3.0

0:6.6.137.1-2.azl3

fixed

Common Weakness Enumeration

CWE-125 - Out-of-bounds Read
The software reads data past the end, or before the beginning, of the intended buffer.

Vulnerability Media Exposure

[GERMAN] Linux Kernel: Mehrere Schwachstellen
Ein entfernter Angreifer kann mehrere Schwachstellen im Linux Kernel ausnutzen, um Sicherheitsmechanismen zu umgehen, einen Denial-of-Service-Zustand herbeizuführen oder Auswirkungen unbestimmter Art zu erzielen.
Published: 2026-05-03T22:00:00+00:00

References

https://git.kernel.org/stable/c/078fae8f50adebb903ccf2252b44391324571e78

https://git.kernel.org/stable/c/1dd757379997b71a328a4b591ffaf481acd0ead1

https://git.kernel.org/stable/c/85fd46ee26a11841c670449508025965f61ce131

https://git.kernel.org/stable/c/a34d456934fe42e4da5d2cc07787bf418bee99c6

https://git.kernel.org/stable/c/a58c5af19ff0d6f44f6e9fe31e33a2c92223f77e

https://git.kernel.org/stable/c/ac2f14e4705d020f04e806efa0d49ab8dc2b145f