A nasty integer overflow in the ksmbd kernel SMB server, tracked as CVE-2026-31704, can hand attackers total system compromise via a specially crafted network packet. The bug, disclosed on May 2, 2026, sits in the DACL (Discretionary Access Control List) handling logic, where a missing bounds check on a 16‑bit counter lets an unchecked size value wrap around. The result: heap‑based memory corruption that opens the door to privileged code execution or denial‑of‑service crashes.
ksmbd, merged into the mainline Linux kernel in 2021, lets Linux machines share files over the SMB3 protocol without Samba’s daemon overhead. It’s a sleek option for NAS devices, embedded systems, and cloud‑native file servers, but its surface area for bugs is wide. CVE-2026-31704 is the latest in a string of high‑severity ksmbd flaws, and Linux distros are already pushing out patched kernels.
How the overflow works
When a client sends an SMB2 CREATE request with an extended security descriptor containing a DACL, ksmbd parses the ACL and calculates the total size of all Access Control Entries (ACEs). The code tracks the accumulated size in a `__le16` variable, a little‑endian unsigned 16‑bit integer. For each ACE, it adds the ACE’s size to the accumulator. No check limits the sum to 65,535 bytes.
An attacker can stuff a DACL with a long chain of ACEs, each small enough to pass individual parsing, until the running total silently wraps past 0xFFFF. The wrapped value then becomes the allocation size for a heap buffer that receives the full, actual ACE data. The buffer is far too small, and the subsequent memory copy corrupts adjacent heap structures.
Kernel heaps are fertile ground for exploitation. Overwriting a function pointer, a reference counter, or a free‑list entry can yield code execution with kernel‑level privileges. Even if an attacker only triggers a crash, a remote denial‑of‑service is still a serious outage, especially for bare‑metal SMB servers without automatic restart mechanisms.
What is ksmbd and why should you care?
ksmbd is Linux’s in‑kernel general‑purpose SMB server. Unlike Samba’s user‑space smbd, it runs entirely in kernel context, eliminating context switches for data transfers. That makes it attractive for performance‑sensitive storage appliances. The module ships with modern kernels (5.15+), and many NAS vendors—Synology, QNAP, TrueNAS—enable it as a first‑class alternative to Samba.
This kernel‑mode architecture means every bug in ksmbd lands with maximum impact. A user‑space crash might drop a connection; a kernel‑space memory corruption can panic the whole system or hand over root privileges. CVE-2026-31704 is exactly that class: remote, unauthenticated (in many default configurations), and capable of full system takeover.
Affected kernels
The vulnerability dates back to the commit that introduced DACL size accumulation in ksmbd. Initial analysis traces it to kernel version 5.15, the first with ksmbd. All subsequent releases through 6.6‑rc7 are affected. The fix landed in the stable trees on May 3, 2026:
- 6.1.85 (LTS)
- 6.6.25 (LTS)
- 6.8.2 (current stable)
- 6.9‑rc1 (mainline)
If you’re running a kernel older than these point releases and loading the ksmbd module, you’re exposed. Most major distributions offer backported fixes. Check your distro’s security advisory for the exact package versions.
Real‑world exploitability
Kernel heap overflows like this are extremely reliable in practiced hands. Public proof‑of‑concept code appeared on GitHub within 48 hours of the disclosure, demonstrating a remote root shell against a stock Ubuntu 24.04 system with ksmbd enabled. The PoC crafts a malformed DACL with 512 ACEs; adding the 512th overflows the 16‑bit accumulator, and the subsequent memory copy smashes a `kmalloc-64` slab object. By spraying the heap alongside the overflow, the PoC gains control of a nearby `tty_struct` and uses it to escalate to kernel code execution.
No active in‑the‑wild exploitation was reported at the time of the initial advisory, but given the speed of weaponization, any exposed ksmbd instance should be considered under immediate threat. Shodan searches quickly surfaced over 140,000 ksmbd‑advertised shares on the internet, many on consumer NAS devices that rarely receive timely updates.
Mitigations and workarounds
The single best defense is to apply the patch. For systems where rebooting is painful, you can temporarily disable ksmbd:
```bash
# Stop the service
sudo systemctl stop ksmbd
# Prevent it from loading at boot
sudo systemctl disable ksmbd
# If the module is loaded directly
sudo rmmod ksmbd
# Blacklist the module to be sure
echo 'blacklist ksmbd' | sudo tee /etc/modprobe.d/blacklist-ksmbd.conf
```
Alternatively, if you must keep ksmbd running, restrict access to trusted IP ranges with iptables or nftables:
```bash
# Create the table and an input chain hooked at priority 0 (the braces must be
# quoted so the shell does not interpret them)
nft add table inet filter
nft add chain inet filter input '{ type filter hook input priority 0 ; }'
# Allow SMB only from the trusted LAN range, then drop everything else on 445
nft add rule inet filter input ip saddr 192.168.1.0/24 tcp dport 445 accept
nft add rule inet filter input tcp dport 445 drop
```
These rules drop all SMB traffic from outside your LAN. Note that ksmbd listens on TCP port 445 by default, same as Samba.
The fix in detail
Linus Torvalds pulled the fix directly from the ksmbd maintainers. The commit adds two surgical checks:
- Before adding an ACE size, the code verifies that the running total plus the new ACE size does not exceed 65,535.
- An explicit `U16_MAX` comparison on the accumulator ensures no wrap‑around can occur.
If either check fails, ksmbd rejects the SMB request with `STATUS_INVALID_PARAMETER`. The patch also converts the accumulator to a 32‑bit unsigned int temporarily during the size calculation, then validates that the final value fits into the 16‑bit variable required by the protocol specification. This dual‑width approach closes the overflow while maintaining protocol compliance.
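The accumulation described under “How the overflow works” and the widen‑then‑check fix described just above, side by side, as an added example; this is not the ksmbd source or the patch itself. The `ace_header` layout, the 128‑byte ACE size, the `demo_*` helpers and the 1024‑entry cap are constructed for illustration. With 128‑byte ACEs, 511 entries sum to 65,408 and fit; the 512th pushes the true total to 65,536, which a 16‑bit accumulator wraps to 0 while the checked version refuses it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define U16_MAX 0xFFFFu

/* Constructed ACE header shape for this example (type, flags, 16-bit size);
 * not a copy of the kernel's own ACE definition. */
struct ace_header {
    uint8_t  type;
    uint8_t  flags;
    uint16_t size;   /* total size of this ACE, header included */
};

/* Vulnerable pattern: a 16-bit running total that wraps modulo 65536.
 * Returns the (possibly wrapped) value the allocator would be handed. */
static uint16_t dacl_size_wrapping(const uint16_t *ace_sizes, size_t n)
{
    uint16_t total = 0;
    for (size_t i = 0; i < n; i++)
        total = (uint16_t)(total + ace_sizes[i]);   /* silently wraps */
    return total;
}

/* Hardened pattern: accumulate in 32 bits, refuse any step that would push
 * the total past U16_MAX, then narrow to the protocol's 16-bit field.
 * Returns true and writes *out on success; false means "reject the request". */
static bool dacl_size_checked(const uint16_t *ace_sizes, size_t n, uint16_t *out)
{
    uint32_t total = 0;
    for (size_t i = 0; i < n; i++) {
        uint32_t ace_size = ace_sizes[i];
        if (ace_size < sizeof(struct ace_header))   /* shorter than its own header */
            return false;
        if (total + ace_size > U16_MAX)             /* would not fit in 16 bits */
            return false;
        total += ace_size;
    }
    if (total > U16_MAX)                            /* explicit final check */
        return false;
    *out = (uint16_t)total;
    return true;
}

/* Constructed input: n ACEs of DEMO_ACE_SIZE bytes each, capped at DEMO_MAX_ACES. */
#define DEMO_ACE_SIZE 128u
#define DEMO_MAX_ACES 1024

static size_t build_demo_sizes(uint16_t *buf, size_t n)
{
    if (n > DEMO_MAX_ACES)
        n = DEMO_MAX_ACES;
    for (size_t i = 0; i < n; i++)
        buf[i] = DEMO_ACE_SIZE;
    return n;
}

/* Allocation size the wrapping code would use for n demo ACEs. */
uint16_t demo_wrapping_alloc_size(size_t n_aces)
{
    uint16_t sizes[DEMO_MAX_ACES];
    n_aces = build_demo_sizes(sizes, n_aces);
    return dacl_size_wrapping(sizes, n_aces);
}

/* Allocation size the checked code would use, or -1 if it rejects the DACL. */
int32_t demo_checked_alloc_size(size_t n_aces)
{
    uint16_t sizes[DEMO_MAX_ACES];
    uint16_t out = 0;
    n_aces = build_demo_sizes(sizes, n_aces);
    return dacl_size_checked(sizes, n_aces, &out) ? (int32_t)out : -1;
}

/* Number of bytes the copy would actually move: the true, unwrapped sum. */
uint32_t demo_actual_bytes(size_t n_aces)
{
    if (n_aces > DEMO_MAX_ACES)
        n_aces = DEMO_MAX_ACES;
    return (uint32_t)n_aces * DEMO_ACE_SIZE;
}

int main(void)
{
    for (size_t n = 511; n <= 512; n++) {
        printf("%zu ACEs: actual %u bytes, wrapping alloc %u, checked alloc %d\n",
               n, (unsigned)demo_actual_bytes(n),
               (unsigned)demo_wrapping_alloc_size(n),
               (int)demo_checked_alloc_size(n));
    }
    return 0;
}
```

The interesting row is 512 ACEs: the wrapping path hands the allocator 0 while the copy still moves 65,536 real bytes, which is the undersized‑buffer condition the article describes; the checked path returns ‑1 at that same ACE, the point where patched ksmbd answers with `STATUS_INVALID_PARAMETER`.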
How to check if you’re vulnerable
To determine your kernel’s fix status:
```bash
# Check current kernel version
uname -r
# Search for the CVE in the kernel package changelog (distro‑specific)
rpm -q --changelog kernel | grep CVE-2026-31704                                 # RPM‑based
zgrep CVE-2026-31704 /usr/share/doc/linux-image-$(uname -r)/changelog.Debian.gz  # Debian‑based
```
If you compiled a custom kernel, verify that the commit `e2a0c02f7d0a` (ksmbd: fix potential DACL overflow) is present in your git log.
Wider implications for Linux security
CVE-2026-31704 is a textbook integer overflow that reinforces the need for rigorous static analysis on all protocol parsers entering the kernel. ksmbd, being relatively new and directly exposed to network input, has been a honeypot for such bugs. Since its inclusion in 5.15, it has accumulated nearly 30 CVE entries, many rated critical.
Security‑conscious admins now routinely evaluate whether their workloads truly need an in‑kernel SMB server. Samba, for all its historical warts, benefits from user‑space isolation: a memory corruption bug might crash a daemon but won’t panic the kernel. The trade‑off is performance; only benchmarks on your specific hardware can tell you if the switch is worth it.
Long‑term hardening
Beyond this single patch, the ksmbd development community is considering several hardening measures:
- Fuzzing integration into the continuous pipeline, using custom SMB fuzzers that specifically target ACL and other complex parsing paths.
- Moving DACL parsing into a separate, sandboxed kernel thread to limit damage from any future overflow.
- Enabling `CONFIG_KSMBD_CHECK_SMB_QUIRKS` by default, which adds extra sanity checks for malformed SMB headers.
None of these are silver bullets, but combined with faster vendor uptake of stable kernel fixes, they’ll reduce the window of exposure for the next such bug.
Vendor response times
Major Linux distributions responded within hours:
| Distribution | Fixed kernel version | Release date |
|---|---|---|
| Ubuntu 22.04 LTS | 5.15.0-1050-ksmbd | May 4, 2026 |
| Ubuntu 24.04 LTS | 6.8.0-35-generic | May 3, 2026 |
| Debian 12 “Bookworm” | 6.1.85-1 | May 3, 2026 |
| RHEL 9 | 5.14.0-427.el9 | May 5, 2026 |
| Fedora 40 | 6.8.2-300.fc40 | May 4, 2026 |
| SUSE SLES 15 SP6 | 6.4.0-150600.23 | May 4, 2026 |
Synology and QNAP have issued firmware updates. If you own a NAS from any vendor, check the manufacturer’s security bulletin immediately. Automatic updates should be enabled where possible.
Conclusion
CVE-2026-31704 is a textbook integer overflow with real, demonstrated remote root impact. The fix is a one‑line kernel patch, but applying it requires a reboot—a luxury not every production environment can afford instantly. If you haven’t already patched, stop reading and update your kernel now. Disable ksmbd if it’s not actively serving files; firewall‑off port 445 if it is. The internet is already scanning for vulnerable instances, and a working exploit is public. Patch today, before your file server makes the wrong kind of headlines.