{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31478", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-03-09T15:48:24.098Z", "datePublished": "2026-04-22T13:54:06.157Z", "dateUpdated": "2026-05-11T22:09:30.706Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:09:30.706Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: replace hardcoded hdr2_len with offsetof() in smb2_calc_max_out_buf_len()\n\nAfter this commit (e2b76ab8b5c9 \"ksmbd: add support for read compound\"),\nresponse buffer management was changed to use dynamic iov array.\nIn the new design, smb2_calc_max_out_buf_len() expects the second\nargument (hdr2_len) to be the offset of ->Buffer field in the\nresponse structure, not a hardcoded magic number.\nFix the remaining call sites to use the correct offsetof() value."}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL"}}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/smb/server/smb2pdu.c"], "versions": [{"version": "f2283680a80571ca82d710bc6ecd8f8beac67d63", "lessThan": "70b4c414889492c522b6e4331562360f49be2361", "status": "affected", "versionType": "git"}, {"version": "9f297df20d93411c0b4ddad7f88ba04a7cd36e77", "lessThan": "9a7166f0ef8cbb7bb48dd05e2471d995566003f5", "status": "affected", "versionType": "git"}, {"version": "e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d", "lessThan": "c3a89e3ec1ccf64fa6a34e391e1581ebbcba8683", "status": "affected", "versionType": "git"}, {"version": "e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d", "lessThan": "6aef1765d6807e0f027cd87f6ac973eb0879a46d", "status": "affected", "versionType": "git"}, {"version": "e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d", "lessThan": "80824c7e527b70cf9039534e60aff592e8f209d1", "status": "affected", "versionType": "git"}, {"version": "e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d", "lessThan": "4cb537ae4f37d7d0f617815ed4bed7173fb50861", "status": "affected", "versionType": "git"}, {"version": "e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d", "lessThan": "0e55f63dd08f09651d39e1b709a91705a8a0ddcb", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/smb/server/smb2pdu.c"], "versions": [{"version": "6.6", "status": "affected"}, {"version": "0", "lessThan": "6.6", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.203", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.168", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.131", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.80", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.21", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.11", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15.145", "versionEndExcluding": "5.15.203"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.1.71", "versionEndExcluding": "6.1.168"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.6", "versionEndExcluding": "6.6.131"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.6", "versionEndExcluding": "6.12.80"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.6", "versionEndExcluding": "6.18.21"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.6", "versionEndExcluding": "6.19.11"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.6", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/70b4c414889492c522b6e4331562360f49be2361"}, {"url": "https://git.kernel.org/stable/c/9a7166f0ef8cbb7bb48dd05e2471d995566003f5"}, {"url": "https://git.kernel.org/stable/c/c3a89e3ec1ccf64fa6a34e391e1581ebbcba8683"}, {"url": "https://git.kernel.org/stable/c/6aef1765d6807e0f027cd87f6ac973eb0879a46d"}, {"url": "https://git.kernel.org/stable/c/80824c7e527b70cf9039534e60aff592e8f209d1"}, {"url": "https://git.kernel.org/stable/c/4cb537ae4f37d7d0f617815ed4bed7173fb50861"}, {"url": "https://git.kernel.org/stable/c/0e55f63dd08f09651d39e1b709a91705a8a0ddcb"}], "title": "ksmbd: replace hardcoded hdr2_len with offsetof() in smb2_calc_max_out_buf_len()", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "120A3FBD-C86A-46F6-BD23-D862D4C6E574", "versionEndExcluding": "5.15.203", "versionStartIncluding": "5.15.145", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "C6118D40-41D5-46EF-9C28-382159147BC9", "versionEndExcluding": "6.1.168", "versionStartIncluding": "6.1.71", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "3EA624E3-2F2A-4DB3-B19B-6DE1E6D1BEA0", "versionEndExcluding": "6.6.131", "versionStartIncluding": "6.6.1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "97EB19EC-A11E-49C6-9D2F-6F6EC6CB98B6", "versionEndExcluding": "6.12.80", "versionStartIncluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "ED39847A-3B46-4729-B7CA-B2C30B9FA8FE", "versionEndExcluding": "6.18.21", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "4CA2E747-A9EC-4518-9AA2-B4247FC748B7", "versionEndExcluding": "6.19.11", "versionStartIncluding": "6.19", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.6:-:*:*:*:*:*:*", "matchCriteriaId": "E346B162-D566-4E62-ABDE-ECBFB21B8BFD", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "02259FDA-961B-47BC-AE7F-93D7EC6E90C2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*", "matchCriteriaId": "58A9FEFF-C040-420D-8F0A-BFDAAA1DF258", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*", "matchCriteriaId": "1D2315C0-D46F-4F85-9754-F9E5E11374A6", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*", "matchCriteriaId": "512EE3A8-A590-4501-9A94-5D4B268D6138", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: replace hardcoded hdr2_len with offsetof() in smb2_calc_max_out_buf_len()\n\nAfter this commit (e2b76ab8b5c9 \"ksmbd: add support for read compound\"),\nresponse buffer management was changed to use dynamic iov array.\nIn the new design, smb2_calc_max_out_buf_len() expects the second\nargument (hdr2_len) to be the offset of ->Buffer field in the\nresponse structure, not a hardcoded magic number.\nFix the remaining call sites to use the correct offsetof() value."}], "id": "CVE-2026-31478", "lastModified": "2026-04-27T23:23:52.747", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary"}]}, "published": "2026-04-22T14:16:44.630", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/0e55f63dd08f09651d39e1b709a91705a8a0ddcb"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/4cb537ae4f37d7d0f617815ed4bed7173fb50861"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/6aef1765d6807e0f027cd87f6ac973eb0879a46d"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/70b4c414889492c522b6e4331562360f49be2361"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/80824c7e527b70cf9039534e60aff592e8f209d1"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/9a7166f0ef8cbb7bb48dd05e2471d995566003f5"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/c3a89e3ec1ccf64fa6a34e391e1581ebbcba8683"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: ksmbd: replace hardcoded hdr2_len with offsetof() in smb2_calc_max_out_buf_len()", "id": "2460713", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2460713"}, "csaw": false, "cwe": "CWE-131", "details": ["A flaw was found in ksmbd within the Linux kernel. This vulnerability occurs due to an incorrect calculation of the response buffer length in the `smb2_calc_max_out_buf_len()` function. The function used a hardcoded value instead of the proper offset, which could lead to issues in how response buffers are managed."], "name": "CVE-2026-31478", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-22T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-31478\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31478\nhttps://lore.kernel.org/linux-cve-announce/2026042257-CVE-2026-31478-7be0@gregkh/T"]}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[f2283680a80571ca82d710bc6ecd8f8beac67d63,70b4c414889492c522b6e4331562360f49be2361)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[9f297df20d93411c0b4ddad7f88ba04a7cd36e77,9a7166f0ef8cbb7bb48dd05e2471d995566003f5)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d,6aef1765d6807e0f027cd87f6ac973eb0879a46d)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d,80824c7e527b70cf9039534e60aff592e8f209d1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d,4cb537ae4f37d7d0f617815ed4bed7173fb50861)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d,0e55f63dd08f09651d39e1b709a91705a8a0ddcb)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "6.6"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[0,6.6)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[5.15.203,5.15.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.1.168,6.1.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.6.131,6.6.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.12.80,6.12.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.18.21,6.18.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.19.11,6.19.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-28T15:38:41.331198+00:00", "value": {"mitigation_remediation": ["Upgrade the Linux kernel to a release that includes commit e2b76ab8b5c9 or later, which corrects the offset calculation in ksmbd.", "If a kernel upgrade is not immediately possible, disable the ksmbd service or unload the SMB module to prevent the vulnerable code from executing.", "Use firewall rules or host\u2011based controls to restrict or block SMB traffic from untrusted networks until the kernel update is applied."], "summary": {"action": "Apply Patch", "impact": "Incorrect buffer size calculation that could lead to memory corruption"}, "threat_synthesis": {"affected_systems": "Linux kernels that include ksmbd without the commit e2b76ab8b5c9 are affected. All distributions running a kernel older than this commit and exposing the ksmbd SMB service are at risk. The issue is architecture independent so any platform that builds ksmbd is impacted.", "description_and_impact": "The ksmbd component in the Linux kernel calculated the maximum output buffer size using a hardcoded header length instead of the correct offset of the response structure\u2019s Buffer field. The fix replaces this magic number with an offset calculation. If the incorrect value was used, the function could underestimate the required buffer size, potentially resulting in an out\u2011of\u2011bounds write and memory corruption. The specific weakness classification is not explicitly provided (NVD-CWE-noinfo).", "risk_and_exploitability": "The CVSS score of 9.8 indicates a critical severity assessment. The EPSS score is below 1%, implying a very low likelihood of observed exploitation. The vulnerability is not listed in the CISA KEV catalog. Based on the description, a remote attacker could exploit the flaw by sending a specially crafted SMB request to a vulnerable ksmbd service, potentially leading to kernel memory corruption. The precise exploitation path is not detailed, so the likelihood of successful exploitation remains uncertain."}}}}, "created": "2026-04-22T18:15:15.252115+00:00", "updated": "2026-04-28T15:45:06.377484+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}