{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/ksmbd/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"id":"CVE-2026-31478"}],"_cs_exploited":false,"_cs_products":["ksmbd"],"_cs_severities":["high"],"_cs_tags":["cve","ksmbd","smb","memory-corruption"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eCVE-2026-31478 is a security vulnerability within Microsoft\u0026rsquo;s ksmbd, a kernel-based SMB server. The vulnerability arises from an error in the \u003ccode\u003esmb2_calc_max_out_buf_len()\u003c/code\u003e function where a hardcoded value for \u003ccode\u003ehdr2_len\u003c/code\u003e is used instead of calculating it dynamically using \u003ccode\u003eoffsetof()\u003c/code\u003e. While specific exploitation details are not provided in the source, the incorrect buffer calculation could lead to memory corruption or other unexpected behavior, potentially allowing a remote attacker to cause a denial-of-service condition or, in a more severe scenario, execute arbitrary code on the affected system. The vulnerability was disclosed on 2026-04-23 as part of a Microsoft Security Update.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003cp\u003eDue to the limited information available, the following attack chain is based on the potential exploitation of a memory corruption vulnerability resulting from an incorrect buffer length calculation.\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a vulnerable ksmbd server.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious SMBv2 request specifically designed to trigger the flawed \u003ccode\u003esmb2_calc_max_out_buf_len()\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eWhen the \u003ccode\u003esmb2_calc_max_out_buf_len()\u003c/code\u003e function is called to calculate the maximum output buffer length for the response to the malicious request, it uses an incorrect value for \u003ccode\u003ehdr2_len\u003c/code\u003e due to the hardcoded value.\u003c/li\u003e\n\u003cli\u003eThis incorrect calculation leads to the allocation of an undersized buffer.\u003c/li\u003e\n\u003cli\u003eThe server attempts to write data exceeding the allocated buffer size into the undersized buffer.\u003c/li\u003e\n\u003cli\u003eThis buffer overflow corrupts adjacent memory regions.\u003c/li\u003e\n\u003cli\u003eDepending on the corrupted data, the server may crash (denial-of-service), or the attacker may gain control of execution flow (remote code execution).\u003c/li\u003e\n\u003cli\u003eThe attacker executes arbitrary code on the server, potentially leading to data exfiltration, system compromise, or further lateral movement within the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-31478 can lead to a denial-of-service condition, disrupting file sharing services provided by the ksmbd server. In a more severe scenario, an attacker could achieve remote code execution, allowing them to gain control of the affected system. This could lead to data breaches, system compromise, and further propagation of malicious activity within the network. The impact will vary depending on the privileges of the ksmbd service account and the data stored on the affected system.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the security update provided by Microsoft to patch CVE-2026-31478 on all systems running vulnerable versions of ksmbd (Microsoft Security Update Guide).\u003c/li\u003e\n\u003cli\u003eEnable SMB auditing to detect suspicious SMB activity, which could be indicative of exploitation attempts (Windows event logs).\u003c/li\u003e\n\u003cli\u003eDeploy network intrusion detection systems (IDS) to monitor SMB traffic for anomalous patterns associated with exploit attempts (Network traffic).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-23T07:33:28Z","date_published":"2026-04-23T07:33:28Z","id":"/briefs/2024-01-ksmbd-cve-2026-31478/","summary":"CVE-2026-31478 is a vulnerability in Microsoft's ksmbd implementation related to incorrect calculation of maximum output buffer length, potentially leading to a denial-of-service or remote code execution.","title":"CVE-2026-31478 Vulnerability in Microsoft ksmbd","url":"https://feed.craftedsignal.io/briefs/2024-01-ksmbd-cve-2026-31478/"}],"language":"en","title":"CraftedSignal Threat Feed — Ksmbd","version":"https://jsonfeed.org/version/1.1"}