CVE-2026-31614

Advisory lineage Upstream: 0 Downstream: 5

Downstream

DEBIAN-CVE-2026-31614 OPENSUSE-SU-2026:10703-1 SUSE-SU-2026:22048-1 SUSE-SU-2026:2310-1 UBUNTU-CVE-2026-31614

Analyzed

Published: 24 Apr 2026, 14:42

Last modified:14 Jun 2026, 17:42

Vulnerability Summary

Overall Risk (default)

medium

28/100

CVSS Score

7.1 HIGH

v3.1 (nvd)

EPSS Score

0.13% LOW

0% probability +0.11%

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

24 Apr 2026, 14:42

Published

Vulnerability first disclosed

14 Jun 2026, 17:42

Last Modified

Vulnerability information updated

Description

In the Linux kernel, the following vulnerability has been resolved: smb: client: fix off-by-8 bounds check in check_wsl_eas() The bounds check uses (u8 *)ea + nlen + 1 + vlen as the end of the EA name and value, but ea_data sits at offset sizeof(struct smb2_file_full_ea_info) = 8 from ea, not at offset 0. The strncmp() later reads ea->ea_data[0..nlen-1] and the value bytes follow at ea_data[nlen+1..nlen+vlen], so the actual end is ea->ea_data + nlen + 1 + vlen. Isn't pointer math fun? The earlier check (u8 *)ea > end - sizeof(*ea) only guarantees the 8-byte header is in bounds, but since the last EA is placed within 8 bytes of the end of the response, the name and value bytes are read past the end of iov. Fix this mess all up by using ea->ea_data as the base for the bounds check. An "untrusted" server can use this to leak up to 8 bytes of kernel heap into the EA name comparison and influence which WSL xattr the data is interpreted as.

CVSS Metrics

v3.1•HIGH•Score: 7.1CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

EPSS Trends

Current EPSS score: 0.13%• Percentile: 3%

Techniques & Countermeasures

CWE-125•Out-of-bounds Read
The product reads data past the end, or before the beginning, of the intended buffer.

Affected Systems

linux•linux
≥ 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, < 5cc0574c84aa73946ade587c41e81757b8b01cb5 | ≥ 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, < b2b76d09a64c538c57006180103fc1841e8cfa66 | ≥ 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, < ba3ad159aa61810bbe0acaf39578b1ebfb6f1a18 | ≥ 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, < a893f1757d9a4009e4a8d7ceb2312142fe29cea4 | 7449d736bbbd160c76b01b8fcdf72f58a8757d4b | ≥ 7449d736bbbd160c76b01b8fcdf72f58a8757d4b, < bfbc74df8bbe095b3ed68f6d4487b368af087890 | ≥ ea41367b2a602f602ea6594fc4a310520dcc64f4, < 5cc0574c84aa73946ade587c41e81757b8b01cb5 | ≥ ea41367b2a602f602ea6594fc4a310520dcc64f4, < b2b76d09a64c538c57006180103fc1841e8cfa66 | ≥ ea41367b2a602f602ea6594fc4a310520dcc64f4, < ba3ad159aa61810bbe0acaf39578b1ebfb6f1a18 | ≥ ea41367b2a602f602ea6594fc4a310520dcc64f4, < a893f1757d9a4009e4a8d7ceb2312142fe29cea4 | ≥ ea41367b2a602f602ea6594fc4a310520dcc64f4, < 3d8b9d06bd3ac4c6846f5498800b0f5f8062e53b | ≥ 6.6.32, < 6.6.136 | 6.9
linux•linux_kernel
≥ 6.6.32, < 6.6.136 | ≥ 6.9, < 6.12.83 | ≥ 6.13, < 6.18.24 | ≥ 6.19, < 6.19.14 | ≥ 7.0, < 7.0.1