APPLIED[N:HWE-6.17/J]/Cmnt: [SRU][Q/J][PATCH 0/2] CVE-2026-31705

Stefan Bader stefan.bader at canonical.com
Tue Jul 14 14:40:09 UTC 2026


On 23/06/2026 05:46, Cengiz Can via kernel-team wrote:
> https://ubuntu.com/security/CVE-2026-31705
> 
> [ Impact ]
> 
> smb2_get_ea() in ksmbd applies 4-byte alignment padding via memset() after
> writing each EA entry, but the bounds check on buf_free_len is performed before
> the value memcpy while the alignment memset fires unconditionally with no check
> on remaining space. When an EA value exactly fills the remaining buffer, the
> alignment memset writes 1-3 NUL bytes past the buf_free_len boundary, and in
> compound requests where the response buffer is shared across commands this
> overwrites past the physical kvmalloc allocation into adjacent kernel heap
> memory. With a CVSS score of 9.8, this out-of-bounds write is remotely
> triggerable and can corrupt kernel memory, potentially leading to denial of
> service or further compromise.
> 
> [ Fix ]
> 
> questing: clean cherry-pick
> jammy: clean cherry-pick
> 
> [ Test Plan ]
> 
> Boot tested.
> 
> [ Where Problems Could Occur ]
> 
> A regression in this fix could affect the ksmbd SMB2 server's QUERY_INFO EA
> response handling, potentially causing valid EA queries to be truncated or
> rejected. Any error in the added bounds check could affect clients retrieving
> extended attributes over SMB.
> 


Applied to noble:linux-hwe-6.17/hwe-6.17-next and 
jammy:linux/master-next. Questing is EOL. Thanks.

-Stefan
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_0xE8675DEECBEECEA3.asc
Type: application/pgp-keys
Size: 52669 bytes
Desc: OpenPGP public key
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20260714/2ffd9a0f/attachment-0001.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20260714/2ffd9a0f/attachment-0001.sig>


More information about the kernel-team mailing list