576 matches found

NVD
added 2026/05/01 2:16 p.m. | 0 views

CVE-2026-31708

In the Linux kernel, the following vulnerability has been resolved: smb: client: fix OOB read in smb2_ioctl_query_info() QUERY_INFO path. smb2_ioctl_query_info() has two response-copy branches: PASSTHRU_FSCTL and the default QUERY_INFO path. The QUERY_INFO branch clamps qi.input_buffer_length to the server-report...

8.1 CVSS | 0.00055 EPSS
Exploits 0 | References 6

EUVD
added 2026/05/01 1:56 p.m. | 1 view

EUVD-2026-26521

In the Linux kernel, the following vulnerability has been resolved: ksmbd: require minimum ACE size in smb_check_perm_dacl(). Both ACE-walk loops in smb_check_perm_dacl() only guard against an under-sized remaining buffer, not against an ACE whose declared ace->size is smaller than the struct it claims to...

5.7 AI score | 0.00059 EPSS
Exploits 0 | References 4

EUVD
added 2026/05/01 1:56 p.m. | 4 views

EUVD-2026-26520

In the Linux kernel, the following vulnerability has been resolved: smb: server: fix active_num_conn leak on transport allocation failure. Commit 77ffbcac4e56 ("smb: server: fix leak of active_num_conn in ksmbd_tcp_new_connection()") addressed the kthread_run() failure path. The earlier alloc_transport() == NULL...

5.8 AI score | 0.00383 EPSS
Exploits 0 | References 5

CVE
added 2026/05/01 1:56 p.m. | 5 views

CVE-2026-31708

CVE-2026-31708 affects the Linux kernel SMB client. The issue occurs in smb2_ioctl_query_info() where, in the QUERY_INFO path, qi.input_buffer_length is clamped to the server’s OutputBufferLength and copied from qi_rsp->Buffer to userspace without verifying that the payload fits within rsp_iov...

8.1 CVSS | 5.9 AI score | 0.00055 EPSS
Exploits 0 | References 6 | Affected Software 1

EUVD
added 2026/05/01 1:56 p.m. | 3 views

EUVD-2026-26514

In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix out-of-bounds write in smb2_get_ea() EA alignment. smb2_get_ea() applies 4-byte alignment padding via memset() after writing each EA entry. The bounds check on buf_free_len is performed before the value memcpy, but the alignment...

5.9 AI score | 0.00078 EPSS
Exploits 0 | References 5

Positive Technologies
added 2026/05/01 12:0 a.m. | 4 views

PT-2026-36338

Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified). Description: An out-of-bounds read exists in the smb2_ioctl_query_info function within the QUERY_INFO path. The function clamps qi.input_buffer_length to the server-reported OutputBufferLength and...

9.8 CVSS | 6.2 AI score | 0.38453 EPSS
Exploits 29 | References 50

NVD
added 2026/04/30 7:16 a.m. | 1 view

CVE-2026-5407

SMB2 protocol dissector infinite loop in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service...

5.5 CVSS | 0.0001 EPSS
Exploits 1 | References 3

CVE
added 2026/04/30 5:39 a.m. | 5 views

CVE-2026-5407

Wireshark SA SMB2 protocol dissector has an infinite loop vulnerability affecting Wireshark 4.6.0–4.6.4 and 4.4.0–4.4.14, which can lead to denial of service. Root cause: an infinite loop caused by an unreachable exit path in the SMB2 dissector. Affected component is the SMB2 protocol dissector w...

5.5 CVSS | 5.2 AI score | 0.0001 EPSS
Exploits 1 | References 3 | Affected Software 1

UbuntuCve
added 2026/04/30 12:0 a.m. | 0 views

CVE-2026-6867

SMB2 protocol dissector crash in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service...

5.5 CVSS | 5.8 AI score | 0.00011 EPSS
Exploits 1 | References 3

Microsoft CVE
added 2026/04/26 8:6 a.m. | 2 views

ksmbd: validate EaNameLength in smb2_get_ea()

...

7.5 CVSS | 5.8 AI score | 0.00051 EPSS
Exploits 0

OSV
added 2026/04/24 3:16 p.m. | 0 views

DEBIAN-CVE-2026-31612

In the Linux kernel, the following vulnerability has been resolved: ksmbd: validate EaNameLength in smb2_get_ea(). smb2_get_ea() reads ea_req->EaNameLength from the client request and passes it directly to strncmp() as the comparison length without verifying that the length of the name really is the size of t...

7.5 CVSS | 5.5 AI score | 0.00051 EPSS
Exploits 0 | References 1

Microsoft CVE
added 2026/04/23 8:8 a.m. | 1 view

ksmbd: replace hardcoded hdr2_len with offsetof() in smb2_calc_max_out_buf_len()

...

9.8 CVSS | 5.2 AI score | 0.00097 EPSS
Exploits 0

CVE
added 2026/04/22 1:54 p.m. | 4 views

CVE-2026-31477

In CVE-2026-31477, the Linux kernel ksmbd component smb2_lock() had three error-handling issues after detaching smb_lock from lock_list: (1) non-UNLOCK path leaks smb_lock and its flock when vfs_lock_file() returns an unexpected error, (2) UNLOCK path leaks on -ENOENT with stale error code, and (...

7.5 CVSS | 5.6 AI score | 0.00076 EPSS
Exploits 0 | References 6 | Affected Software 1

EUVD
added 2026/04/22 9:31 a.m. | 1 view

EUVD-2026-24641

In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix potential OOB in get_file_all_info() for compound requests. When a compound request consists of QUERY_DIRECTORY + QUERY_INFO (FILE_ALL_INFORMATION) and the first command consumes nearly the entire max_trans_size, get_file_all_info() woul...

5.8 AI score | 0.00043 EPSS
Exploits 0 | References 8

Cvelist
added 2026/04/11 12:12 a.m. | 25 views

CVE-2026-4149 Sonos Era 300 SMB Response Out-Of-Bounds Access Remote Code Execution Vulnerability

Sonos Era 300 SMB Response Out-Of-Bounds Access Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Sonos Era 300. Authentication is not required to exploit this vulnerability. The specific flaw exists within the...

10 CVSS | 0.01052 EPSS
Exploits 0 | References 1

ATTACKERKB
added 2026/04/03 3:15 p.m. | 1 view

CVE-2026-23427

In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free in durable v2 replay of active file handles. parse_durable_handle_context() unconditionally assigns dh_info->fp->conn to the current connection when handling a DURABLE_REQ_V2 context with SMB2_FLAGS_REPLAY_OPERATION...

5.7 AI score | 0.00039 EPSS
Exploits 0 | References 6 | Affected Software 1

OSV
added 2026/03/26 9:45 p.m. | 3 views

CVE-2026-33682 Streamlit on Windows has Unauthenticated SSRF Vulnerability (NTLM Credential Exposure)

Streamlit is a data-oriented application development framework for Python. Streamlit Open Source versions prior to 1.54.0 running on Windows hosts have an unauthenticated Server-Side Request Forgery (SSRF) vulnerability. The vulnerability arises from improper validation of attacker-supplied...

4.7 CVSS | 5.9 AI score | 0.00015 EPSS
Exploits 0 | References 5

SUSE CVE
added 2026/03/25 4:57 p.m. | 2 views

SUSE CVE-2026-23282

In the Linux kernel, the following vulnerability has been resolved: smb: client: fix oops due to uninitialised var in smb2_unlink(). If SMB2_open_init() or SMB2_close_init() fails (e.g. reconnect), the iovs set @rqst will be left uninitialised, hence calling SMB2_open_free(), SMB2_close_free() or smb2_set_related() on the...

5.7 AI score | 0.00017 EPSS
Exploits 0 | References 3

OSV
added 2026/03/24 4:48 p.m. | 4 views

SUSE-SU-2026:20896-1 Security update for the Linux Kernel RT (Live Patch 10 for SUSE Linux Enterprise Micro 6.0)

This update for the SUSE Linux Enterprise Kernel 6.4.0-34.1 fixes various security issues. The following security issues were fixed: - CVE-2025-38488: smb: client: fix use-after-free in crypt_message() when using async crypto (bsc#1247240). - CVE-2025-40258: mptcp: fix race condition in mptcpschedulewor...

7.8 CVSS | 6.5 AI score | 0.00068 EPSS
Exploits 0 | References 13

Zero Day Initiative
added 2026/03/16 12:0 a.m. | 1 view

Sonos Era 300 SMB Response Out-Of-Bounds Access Remote Code Execution Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Sonos Era 300. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of the DataOffset field within SMB responses. The issue results from the lack...

10 CVSS | 6.2 AI score | 0.01052 EPSS
Exploits 0 | References 1