{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/dacl/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":["cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*"],"_cs_cves":[{"cvss":5.5,"id":"CVE-2026-31704"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["ksmbd","dacl","overflow","denial of service","privilege escalation"],"_cs_type":"threat","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eCVE-2026-31704 is a security vulnerability affecting ksmbd, a Linux kernel implementation of the SMB/CIFS protocol. The vulnerability stems from an improper check when calculating the size of a Discretionary Access Control List (DACL). Specifically, the \u003ccode\u003echeck_add_overflow()\u003c/code\u003e function is used to prevent a \u003ccode\u003eu16\u003c/code\u003e DACL size overflow. If this check is insufficient or improperly implemented, it could lead to an integer overflow, potentially resulting in a buffer overflow or other memory corruption issues. This could allow an attacker to cause a denial-of-service condition by crashing the ksmbd service, or potentially execute arbitrary code with elevated privileges on the affected system. The vulnerability was disclosed on May 19, 2026, as part of a Microsoft Security Response Center advisory.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker sends a specially crafted SMB request to a server running a vulnerable version of ksmbd.\u003c/li\u003e\n\u003cli\u003eThe SMB request contains a DACL with a size designed to trigger an integer overflow when processed.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003echeck_add_overflow()\u003c/code\u003e function fails to properly prevent the overflow during the DACL size calculation.\u003c/li\u003e\n\u003cli\u003eThe incorrect DACL size is used to allocate memory for the DACL.\u003c/li\u003e\n\u003cli\u003eThe subsequent write to the undersized memory buffer results in a buffer overflow.\u003c/li\u003e\n\u003cli\u003eThe overflow corrupts adjacent memory regions, potentially including critical kernel data structures.\u003c/li\u003e\n\u003cli\u003eThe corrupted data structures lead to a denial-of-service condition when the ksmbd service attempts to access them.\u003c/li\u003e\n\u003cli\u003eIn a more sophisticated attack, the attacker may be able to control the overflow to overwrite specific kernel code or data, leading to arbitrary code execution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-31704 can lead to a denial-of-service condition, disrupting file sharing services provided by ksmbd. In a more severe scenario, an attacker could leverage the vulnerability to gain unauthorized access to the system, potentially escalating privileges to root. The specific impact depends on the configuration of the ksmbd service and the extent to which the attacker can control the memory overflow.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the security update provided by Microsoft to patch CVE-2026-31704 to mitigate the vulnerability.\u003c/li\u003e\n\u003cli\u003eMonitor systems running ksmbd for unusual SMB traffic patterns, especially requests with abnormally large DACLs.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Suspicious KSMBD DACL Size\u0026rdquo; to detect potentially malicious SMB requests attempting to exploit this vulnerability.\u003c/li\u003e\n\u003cli\u003eReview and harden access control policies for SMB shares to minimize the attack surface.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-19T07:12:53Z","date_published":"2026-05-19T07:12:53Z","id":"https://feed.craftedsignal.io/briefs/2026-05-ksmbd-dacl-overflow/","summary":"CVE-2026-31704 is a vulnerability in ksmbd related to the use of check_add_overflow() to prevent a u16 DACL size overflow, potentially leading to denial of service or privilege escalation.","title":"CVE-2026-31704 ksmbd u16 DACL Size Overflow Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-ksmbd-dacl-overflow/"}],"language":"en","title":"CraftedSignal Threat Feed — Dacl","version":"https://jsonfeed.org/version/1.1"}