Is CVE-2026-31712 in the CISA KEV catalog?

No. CVE-2026-31712 is not currently on the CISA Known Exploited Vulnerabilities list.

What is the CVSS severity of CVE-2026-31712?

CVE-2026-31712 has a CVSS v3 base score of 8.3 (Important).

What is the EPSS score for CVE-2026-31712?

CVE-2026-31712 has an EPSS score of 0.32% (23th percentile), estimating the probability of exploitation in the next 30 days.

CVE & CISA-KEV Catalog

CVE-2026-31712

HIGH

8.3

CVSS v3

NVD

Description

In the Linux kernel, the following vulnerability has been resolved: ksmbd: require minimum ACE size in smb_check_perm_dacl() Both ACE-walk loops in smb_check_perm_dacl() only guard against an under-sized remaining buffer, not against an ACE whose declared `ace->size` is smaller than the struct it claims to describe: if (offsetof(struct smb_ace, access_req) > aces_size) break; ace_size = le16_to_cpu(ace->size); if (ace_size > aces_size) break; The first check only requires the 4-byte ACE header to be in bounds; it does not require access_req (4 bytes at offset 4) to be readable. An attacker who has set a crafted DACL on a file they own can declare ace->size == 4 with aces_size == 4, pass both checks, and then granted |= le32_to_cpu(ace->access_req); /* upper loop */ compare_sids(&sid, &ace->sid); /* lower loop */ reads access_req at offset 4 (OOB by up to 4 bytes) and ace->sid at offset 8 (OOB by up to CIFS_SID_BASE_SIZE + SID_MAX_SUB_AUTHORITIES * 4 bytes). Tighten both loops to require ace_size >= offsetof(struct smb_ace, sid) + CIFS_SID_BASE_SIZE which is the smallest valid on-wire ACE layout (4-byte header + 4-byte access_req + 8-byte sid base with zero sub-auths). Also reject ACEs whose sid.num_subauth exceeds SID_MAX_SUB_AUTHORITIES before letting compare_sids() dereference sub_auth[] entries. parse_sec_desc() already enforces an equivalent check (lines 441-448); smb_check_perm_dacl() simply grew weaker validation over time. Reachability: authenticated SMB client with permission to set an ACL on a file. On a subsequent CREATE against that file, the kernel walks the stored DACL via smb_check_perm_dacl() and triggers the OOB read. Not pre-auth, and the OOB read is not reflected to the attacker, but KASAN reports and kernel state corruption are possible.

CWE-787Out-of-bounds Write

CVSS v3 Vector

Exploitability

Attack VectorNetwork

Attack ComplexityLow

Privileges RequiredLow

User InteractionNone

ScopeUnchanged

Impact

ConfidentialityHigh

IntegrityLow

AvailabilityHigh

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:H

Exploit Intelligence

0.32%probability of exploitation in 30 days

23rdpercentile

Low risk: more likely to be exploited than 23% of all known CVEs.

References

Find and fix vulnerabilities across your fleet

TridentStack Control continuously scans your Windows, macOS, and Linux fleet for known vulnerabilities, prioritizes them by severity and active exploitation, and patches them automatically.

Start free

This product uses NVD data but is not endorsed or certified by the NVD. EPSS scores courtesy of FIRST.org (https://www.first.org/epss). Source: CISA KEV Catalog. Data as of 2026-06-19.