{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/ksmbd/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"id":"CVE-2026-31478"}],"_cs_exploited":false,"_cs_products":["ksmbd"],"_cs_severities":["high"],"_cs_tags":["cve","ksmbd","smb","memory-corruption"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eCVE-2026-31478 is a security vulnerability within Microsoft\u0026rsquo;s ksmbd, a kernel-based SMB server. The vulnerability arises from an error in the \u003ccode\u003esmb2_calc_max_out_buf_len()\u003c/code\u003e function where a hardcoded value for \u003ccode\u003ehdr2_len\u003c/code\u003e is used instead of calculating it dynamically using \u003ccode\u003eoffsetof()\u003c/code\u003e. While specific exploitation details are not provided in the source, the incorrect buffer calculation could lead to memory corruption or other unexpected behavior, potentially allowing a remote attacker to cause a denial-of-service condition or, in a more severe scenario, execute arbitrary code on the affected system. 
The vulnerability was disclosed on 2026-04-23 as part of a Microsoft Security Update.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003cp\u003eDue to the limited information available, the following attack chain is based on the potential exploitation of a memory corruption vulnerability resulting from an incorrect buffer length calculation.\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a vulnerable ksmbd server.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious SMBv2 request specifically designed to trigger the flawed \u003ccode\u003esmb2_calc_max_out_buf_len()\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eWhen the \u003ccode\u003esmb2_calc_max_out_buf_len()\u003c/code\u003e function is called to calculate the maximum output buffer length for the response to the malicious request, it uses an incorrect value for \u003ccode\u003ehdr2_len\u003c/code\u003e due to the hardcoded value.\u003c/li\u003e\n\u003cli\u003eThis incorrect calculation leads to the allocation of an undersized buffer.\u003c/li\u003e\n\u003cli\u003eThe server attempts to write data exceeding the allocated buffer size into the undersized buffer.\u003c/li\u003e\n\u003cli\u003eThis buffer overflow corrupts adjacent memory regions.\u003c/li\u003e\n\u003cli\u003eDepending on the corrupted data, the server may crash (denial-of-service), or the attacker may gain control of execution flow (remote code execution).\u003c/li\u003e\n\u003cli\u003eThe attacker executes arbitrary code on the server, potentially leading to data exfiltration, system compromise, or further lateral movement within the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-31478 can lead to a denial-of-service condition, disrupting file sharing services provided by the ksmbd server. 
In a more severe scenario, an attacker could achieve remote code execution, allowing them to gain control of the affected system. This could lead to data breaches, system compromise, and further propagation of malicious activity within the network. The impact will vary depending on the privileges of the ksmbd service account and the data stored on the affected system.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the security update provided by Microsoft to patch CVE-2026-31478 on all systems running vulnerable versions of ksmbd (Microsoft Security Update Guide).\u003c/li\u003e\n\u003cli\u003eEnable SMB auditing to detect suspicious SMB activity, which could be indicative of exploitation attempts (Windows event logs).\u003c/li\u003e\n\u003cli\u003eDeploy network intrusion detection systems (IDS) to monitor SMB traffic for anomalous patterns associated with exploit attempts (Network traffic).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-23T07:33:28Z","date_published":"2026-04-23T07:33:28Z","id":"/briefs/2024-01-ksmbd-cve-2026-31478/","summary":"CVE-2026-31478 is a vulnerability in Microsoft's ksmbd implementation related to incorrect calculation of maximum output buffer length, potentially leading to a denial-of-service or remote code execution.","title":"CVE-2026-31478 Vulnerability in Microsoft ksmbd","url":"https://feed.craftedsignal.io/briefs/2024-01-ksmbd-cve-2026-31478/"},{"_cs_actors":[],"_cs_cves":[{"id":"CVE-2026-31611"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve-2026-31611","ksmbd","smb","vulnerability"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eCVE-2026-31611 is a newly disclosed security vulnerability affecting ksmbd, a kernel-based SMB server. 
The vulnerability stems from insufficient validation of sub-authorities within the ksmbd code, specifically requiring at least three sub-authorities before reading sub_auth[2]. While the exact exploitation details remain undisclosed in the initial advisory, the nature of the flaw suggests a potential for memory corruption or out-of-bounds read, which could be leveraged by attackers to achieve unauthorized access or potentially execute arbitrary code within the context of the ksmbd kernel module. This vulnerability poses a significant risk to systems utilizing ksmbd for file sharing, particularly if exposed to untrusted networks. The initial publication of the CVE was on 2026-04-26, but this brief serves as an early warning for detection engineers.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003cp\u003eSince the specific exploitation details of CVE-2026-31611 are not yet publicly available, the following attack chain is a hypothetical scenario based on the nature of the vulnerability:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a target system running a vulnerable version of ksmbd.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious SMB request specifically designed to trigger the sub-authority validation flaw.\u003c/li\u003e\n\u003cli\u003eThe SMB request is sent to the target system\u0026rsquo;s ksmbd service over port 445.\u003c/li\u003e\n\u003cli\u003eThe ksmbd service receives the malicious request and processes the sub-authority data.\u003c/li\u003e\n\u003cli\u003eDue to the insufficient validation, the code attempts to read \u003ccode\u003esub_auth[2]\u003c/code\u003e without ensuring at least three sub-authorities are present.\u003c/li\u003e\n\u003cli\u003eThis leads to an out-of-bounds read, potentially leaking sensitive information or causing a crash.\u003c/li\u003e\n\u003cli\u003eAn attacker might be able to leverage this out-of-bounds read to overwrite memory, potentially leading to 
arbitrary code execution within the kernel.\u003c/li\u003e\n\u003cli\u003eSuccessful exploitation could grant the attacker elevated privileges on the system, enabling them to install malware, exfiltrate data, or disrupt services.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-31611 could allow an attacker to gain unauthorized access to sensitive data, execute arbitrary code within the kernel, and potentially compromise the entire system. The impact is particularly severe for systems acting as file servers, as they often hold critical data and are relied upon by multiple users. While the number of potential victims is currently unknown, any system running a vulnerable version of ksmbd is at risk. This could lead to data breaches, financial losses, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor network traffic for SMB requests that may be attempting to exploit the vulnerability, using a network intrusion detection system (NIDS) or firewall logs. 
Analyze SMB requests for unusual patterns or malformed sub-authority data (network_connection).\u003c/li\u003e\n\u003cli\u003eImplement detections for unusual process execution originating from the ksmbd process, as successful exploitation could lead to arbitrary code execution (process_creation).\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect potential exploitation attempts based on suspicious SMB activity (rules).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-24T12:00:00Z","date_published":"2024-01-24T12:00:00Z","id":"/briefs/2024-01-cve-2026-31611-ksmbd/","summary":"CVE-2026-31611 is a vulnerability in ksmbd, requiring at least three sub-authorities before reading sub_auth[2], potentially leading to unauthorized access or code execution.","title":"CVE-2026-31611: ksmbd Sub-Authority Validation Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-cve-2026-31611-ksmbd/"},{"_cs_actors":[],"_cs_cves":[{"id":"CVE-2026-31432"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["ksmbd","smb","out-of-bounds write","cve-2026-31432"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eCVE-2026-31432 is a critical vulnerability affecting the ksmbd server, a Linux kernel implementation of the SMB/CIFS protocol. The vulnerability is an out-of-bounds write that occurs when processing QUERY_INFO requests within compound SMB requests. An attacker could exploit this vulnerability by sending a specially crafted SMB request to a vulnerable ksmbd server. Successful exploitation could lead to arbitrary code execution in the context of the kernel or a denial-of-service condition. As a kernel-level vulnerability, exploitation can have severe consequences for system stability and security. 
The vulnerability highlights the ongoing challenges of ensuring the security of complex network protocols implemented within the kernel.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a ksmbd server exposed on the network.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious SMB compound request containing a malformed QUERY_INFO request.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the crafted SMB request to the targeted ksmbd server.\u003c/li\u003e\n\u003cli\u003eThe ksmbd server processes the request, triggering the out-of-bounds write in the QUERY_INFO handling routine.\u003c/li\u003e\n\u003cli\u003eThe out-of-bounds write corrupts adjacent kernel memory.\u003c/li\u003e\n\u003cli\u003eDepending on the overwritten memory, the system may crash, leading to a denial-of-service condition.\u003c/li\u003e\n\u003cli\u003eAlternatively, an attacker may carefully craft the payload to overwrite specific kernel structures, potentially leading to arbitrary code execution.\u003c/li\u003e\n\u003cli\u003eSuccessful code execution allows the attacker to gain complete control over the affected system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-31432 could lead to a complete compromise of the affected system. An attacker could gain the ability to execute arbitrary code within the kernel, leading to data theft, system corruption, or the installation of rootkits. In less severe cases, exploitation could result in a denial-of-service condition, disrupting critical services. 
Given the potential for remote code execution, this vulnerability poses a significant risk to any system running a vulnerable version of ksmbd.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the security update provided by Microsoft to patch CVE-2026-31432 as soon as possible (reference: \u003ca href=\"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31432\"\u003ehttps://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31432\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious SMBv1 Negotiation\u003c/code\u003e to identify potentially malicious SMB traffic patterns (reference: rule \u003ccode\u003eDetect Suspicious SMBv1 Negotiation\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for SMB requests originating from unexpected sources or containing unusual parameters (reference: Attack Chain Step 2).\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the potential impact of a successful exploit (reference: Attack Chain Step 1).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-23T12:00:00Z","date_published":"2024-01-23T12:00:00Z","id":"/briefs/2024-01-23-ksmbd-oob-write/","summary":"CVE-2026-31432 is a critical out-of-bounds write vulnerability in ksmbd, specifically within the QUERY_INFO functionality when handling compound requests, potentially leading to code execution or denial of service.","title":"ksmbd Out-of-Bounds Write Vulnerability in QUERY_INFO (CVE-2026-31432)","url":"https://feed.craftedsignal.io/briefs/2024-01-23-ksmbd-oob-write/"}],"language":"en","title":"CraftedSignal Threat Feed — Ksmbd","version":"https://jsonfeed.org/version/1.1"}