cves
publicly-credited vulnerability disclosures across kernel and userspace targets. each row links to the nvd record and (where available) the lore announcement and original write-up.
- CVE-2026-31706 8.8 HIGH
ksmbd: validate num_aces and harden ACE walk in smb_inherit_dacl()
Linux kernel - ksmbd (fs/smb/server) [NVD-CWE-noinfo]
ksmbd's smb_inherit_dacl() trusted the on-disk num_aces from a parent directory's stored DACL. A crafted parent DACL could drive smb_inherit_dacl into an out-of-bounds ACE walk, with potential 32-bit allocation-size overflow on the inherited buffer construction.
- CVE-2026-31709 8.8 HIGH
smb: client: validate the whole DACL before rewriting it in cifsacl
Linux kernel - Linux SMB client (fs/smb/client) [NVD-CWE-noinfo]
The Linux SMB client's cifsacl chmod/chown paths trusted server-supplied dacloffset and num_aces fields when rebuilding ACLs locally. A malicious server could provide a DACL whose advertised structure exceeded the actual buffer, causing replace_sids_and_copy_aces() and set_chmod_dacl() to walk past the validated end of the security descriptor.
Client-side counterpart of CVE-2025-21994. Sent 2026-04-16 v1, 2026-04-20 v2; in-thread follow-up KCIFS2_END_OF_DACL_DEBUG2 sent 2026-04-21.
-
ksmbd: require 3 sub-authorities before reading sub_auth[2]
Linux kernel - ksmbd (fs/smb/server) [NVD-CWE-noinfo]
The Linux kernel ksmbd parse_dacl() compared each ACE SID against sid_unix_NFS_mode using only min(num_subauth, 2) sub-authorities. A client SID with num_subauth = 2 could match the NFS-mode SID prefix; reading sub_auth[2] then crossed the end-of-ACL boundary by 4 bytes, applying out-of-bounds bytes as the file's POSIX mode.
Server-side sister of my client-side patch (sent 2026-04-20 to linux-cifs@). The same bug class in fs/smb/client/cifsacl.c was disclosed first; the direct client-side assignment is CVE-2026-43350.
- CVE-2026-31712 8.3 HIGH
ksmbd: require minimum ACE size in smb_check_perm_dacl()
Linux kernel - ksmbd (fs/smb/server) [CWE-787]
ksmbd's smb_check_perm_dacl() walked Access Control Entries after checking only that the remaining DACL buffer could hold the ACE header. A crafted ACE whose declared size was smaller than the minimum valid layout could pass the loop bounds and drive out-of-bounds reads of access_req and SID fields during a later CREATE permission check.
Patch 3 of the original KIPC_series, later tracked as the companion CVE to CVE-2026-31707 for the ipc_validate_msg() response-size validation patch.
- CVE-2026-31708 8.1 HIGH
smb: client: fix OOB read in smb2_ioctl_query_info QUERY_INFO path
Linux kernel - Linux SMB client (fs/smb/client) [CWE-125]
The Linux SMB client's smb2_ioctl_query_info() had two response-copy branches: PASSTHRU_FSCTL was bounds-checked since 2019, but the QUERY_INFO branch never validated qi.input_buffer_length against the on-wire response, allowing a malicious SMB server to drive an out-of-bounds copy on the response buffer tail.
- CVE-2026-43350 7.6 HIGH
smb: client: require a full NFS mode SID before reading mode bits
Linux kernel - SMB client (fs/smb/client)
The Linux kernel SMB client treated an ACE SID matching sid_unix_NFS_mode as an NFS mode SID, then read sub_auth[2] without first requiring the ACE to carry three subauthorities. A malicious SMB server could return a short SID that still matched the prefix and trigger an out-of-bounds read in cifsacl parsing.
Direct client-side KCIFS4 assignment. CVE-2026-31611 remains the related server-side sister-fix for the same SID bound-check pattern.
- CVE-2026-31711 7.5 HIGH
smb: server: fix active_num_conn leak on transport allocation failure
Linux kernel - ksmbd (fs/smb/server) [CWE-401]
ksmbd's transport allocation path leaked the active_num_conn counter when alloc_transport() returned NULL after a successful kernel_accept(). An unauthenticated remote attacker could drive cumulative allocation failures (e.g. via memory pressure) until atomic_inc_return() saturated max_connections, denying service to legitimate SMB clients.
Pre-auth slow remote DoS. Companion to other ksmbd hardening sent in the same week.
- CVE-2002-1809 7.5 HIGH
MySQL Windows binary release default NULL root password
MySQL AB - MySQL Windows binary 3.23.2-3.23.52
The default configuration of the Windows binary release of MySQL 3.23.2 through 3.23.52 has a NULL root password, which could allow remote attackers to gain unauthorized root access to the MySQL database.
PoC published as mysqlfuck.c on Bugtraq.
- CVE-2002-1921 7.5 HIGH
MySQL Windows default bind address allows remote connections
MySQL AB - MySQL Windows 3.20.32-3.23.52
The default configuration of MySQL 3.20.32 through 3.23.52, when running on Windows, does not set the bind address to the loopback interface, which allows remote attackers to connect to the database.
Reported in the same series as CVE-2002-1809.
- CVE-2002-1923 7.5 HIGH
MySQL Windows default config has logging disabled
MySQL AB - MySQL Windows 3.20.32-3.23.52
The default configuration in MySQL 3.20.32 through 3.23.52, when running on Windows, does not have logging enabled, which could allow remote attackers to conduct activities without detection.
Reported in the same series as CVE-2002-1809 and CVE-2002-1921.
- CVE-2026-31707 7.1 HIGH
ksmbd: validate response sizes in ipc_validate_msg()
Linux kernel - ksmbd (fs/smb/server) [CWE-787]
ksmbd's ipc_validate_msg() computed the expected message size for each response type by summing or multiplying attacker-controlled fields from the userspace daemon's response into unsigned int arithmetic. Three response cases could overflow the size computation, leading to under-allocated buffers consumed by downstream parsing.
Patch 1 of the original KIPC_series; this is the cap on response sizes. The companion smb_check_perm_dacl() minimum ACE-size patch is tracked separately as CVE-2026-31712.
- CVE-2026-46114 unscored
RDMA/rxe: Reject non-8-byte ATOMIC_WRITE payloads
Linux kernel - RDMA/rxe (drivers/infiniband/sw/rxe)
The Linux kernel software RoCEv2 RDMA driver (rxe) accepted an ATOMIC_WRITE request whose RETH length was zero, because the length check only compared the packet length against the residual. atomic_write_reply() then unconditionally dereferenced eight bytes at the payload address, so a remote initiator could trigger an out-of-bounds read of kernel memory past the received packet.
Direct assignment for the rxe ATOMIC_WRITE bound-check fix.
- CVE-2026-46123 unscored
Bluetooth: virtio_bt: clamp rx length before skb_put
Linux kernel - Bluetooth virtio_bt (drivers/bluetooth)
The virtio Bluetooth transport called skb_put(skb, len) in virtbt_rx_work() with a length taken directly from the device backend via virtqueue_get_buf(), without validating it against the buffer actually posted to the device. A malicious or buggy virtio backend could supply an oversized length and overflow the receive skb.
First of a two-patch virtio_bt receive-path hardening series; CVE-2026-46186 is the second.
- CVE-2026-46124 unscored
isofs: validate block number from NFS file handle in isofs_export_iget
Linux kernel - isofs (fs/isofs)
The isofs NFS export path passed an attacker-controlled block number from the NFS file handle (ifid->block or ifid->parent_block) to isofs_export_iget(), which only rejected block 0 before calling isofs_iget() and ultimately sb_bread(). A crafted file handle could drive a read of an out-of-range block on an exported ISO9660 filesystem.
Direct assignment for the isofs NFS file-handle block-number validation fix.
- CVE-2026-46133 unscored
RDMA/rxe: Reject unknown opcodes before ICRC processing
Linux kernel - RDMA/rxe (drivers/infiniband/sw/rxe)
Even after an earlier fix that handled payload_size() underflow for valid opcodes in short packets, the rxe receive path still computed payload_size() for packets carrying an unknown opcode before rejecting them. A single unauthenticated UDP packet could therefore trigger an out-of-bounds read and kernel panic. The fix rejects unknown opcodes before any ICRC or length processing.
Distinct from CVE-2026-46114; this is the unknown-opcode receive-path fix in rxe_recv.
- CVE-2026-46186 unscored
Bluetooth: virtio_bt: validate rx pkt_type header length
Linux kernel - Bluetooth virtio_bt (drivers/bluetooth)
The virtio Bluetooth transport read the leading pkt_type byte from a received skb and forwarded the remainder to hci_recv_frame() for every event/ACL/SCO/ISO type, without checking that the remaining payload met the fixed HCI header length for that type. Even once the length of the backend-supplied buffer is bounded, a one-byte completion could still reach hci_recv_frame() with an undersized buffer.
Second of a two-patch virtio_bt receive-path hardening series; CVE-2026-46123 is the first.
- CVE-2026-46193 unscored
xfrm: ah: account for ESN high bits in async callbacks
Linux kernel - xfrm AH (net/ipv4, net/ipv6)
When ESN was enabled, the IPsec AH async hash setup appended a 4-byte sequence-high slot before the ICV or auth-data area, but the async completion callbacks reconstructed the temporary layout as if that slot were absent. With an async AH implementation selected, AH copied or compared the wrong bytes on both the IPv4 and IPv6 paths, corrupting authentication handling.
Direct assignment for the AH ESN async-callback layout fix across the IPv4 and IPv6 AH paths.
- CVE-2026-46195 unscored
smb: client: validate dacloffset before building DACL pointers
Linux kernel - SMB client (fs/smb/client)
The Linux kernel SMB client added a server-supplied DACL offset to the security-descriptor base before proving that a DACL header fit within the returned descriptor. On 32-bit builds a malicious server could supply an offset near the 4 GiB boundary, wrap the derived DACL pointer below the end of the ACL, and bypass the later pointer-based bounds checks in parse_sec_desc(), build_sec_desc(), and the chown path of id_mode_to_cifs_acl().
Continues the cifsacl bound-check hardening line (cf. CVE-2026-43350); adds the dacloffset wrap check for 32-bit builds.