cves
publicly-credited vulnerability disclosures across kernel and userspace targets. each row links to the nvd record and (where available) the lore announcement and original write-up.
2026
- CVE-2026-31708 8.1 HIGH
smb: client: fix OOB read in smb2_ioctl_query_info QUERY_INFO path
Linux kernel - Linux SMB client (fs/smb/client) [CWE-125]
The Linux SMB client's smb2_ioctl_query_info() had two response-copy branches: PASSTHRU_FSCTL was bounds-checked since 2019, but the QUERY_INFO branch never validated qi.input_buffer_length against the on-wire response, allowing a malicious SMB server to drive an out-of-bounds copy on the response buffer tail.
- CVE-2026-31706 8.8 HIGH
ksmbd: validate num_aces and harden ACE walk in smb_inherit_dacl()
Linux kernel - ksmbd (fs/smb/server) [NVD-CWE-noinfo]
ksmbd's smb_inherit_dacl() trusted the on-disk num_aces from a parent directory's stored DACL. A crafted parent DACL could drive smb_inherit_dacl into an out-of-bounds ACE walk, with potential 32-bit allocation-size overflow on the inherited buffer construction.
- CVE-2026-31709 8.8 HIGH
smb: client: validate the whole DACL before rewriting it in cifsacl
Linux kernel - Linux SMB client (fs/smb/client) [NVD-CWE-noinfo]
The Linux SMB client's cifsacl chmod/chown paths trusted server-supplied dacloffset and num_aces fields when rebuilding ACLs locally. A malicious server could provide a DACL whose advertised structure exceeded the actual buffer, causing replace_sids_and_copy_aces() and set_chmod_dacl() to walk past the validated end of the security descriptor.
Client-side counterpart of CVE-2025-21994. Sent 2026-04-16 v1, 2026-04-20 v2; in-thread follow-up KCIFS2_END_OF_DACL_DEBUG2 sent 2026-04-21.
- CVE-2026-31707 7.1 HIGH
ksmbd: validate response sizes in ipc_validate_msg()
Linux kernel - ksmbd (fs/smb/server) [CWE-787]
ksmbd's ipc_validate_msg() computed the expected message size for each response type by summing or multiplying attacker-controlled fields from the userspace daemon's response into unsigned int arithmetic. Three response cases could overflow the size computation, leading to under-allocated buffers consumed by downstream parsing.
Patch 1 of a 3-patch series; this is the cap on response sizes. Patches 2 and 3 (ksmbd_alloc_user negative ngroups, smb_check_perm_dacl ACE size) were merged separately and have not been individually CVE'd.
- CVE-2026-31711 7.5 HIGH
smb: server: fix active_num_conn leak on transport allocation failure
Linux kernel - ksmbd (fs/smb/server) [CWE-401]
ksmbd's transport allocation path leaked the active_num_conn counter when alloc_transport() returned NULL after a successful kernel_accept(). An unauthenticated remote attacker could drive cumulative allocation failures (e.g. via memory pressure) until atomic_inc_return() saturated max_connections, denying service to legitimate SMB clients.
Pre-auth slow remote DoS. Companion to other ksmbd hardening sent in the same week.
-
ksmbd: require 3 sub-authorities before reading sub_auth[2]
Linux kernel - ksmbd (fs/smb/server) [NVD-CWE-noinfo]
The Linux kernel ksmbd parse_dacl() compared each ACE SID against sid_unix_NFS_mode using only min(num_subauth, 2) sub-authorities. A client SID with num_subauth = 2 could match the NFS-mode SID prefix; reading sub_auth[2] then crossed the end-of-ACL boundary by 4 bytes, applying out-of-band bytes as the file's POSIX mode.
Server-side sister of my client-side patch (sent 2026-04-20 to linux-cifs@). Same bug class in fs/smb/client/cifsacl.c was disclosed first; the server-side variant in fs/smb/server/smbacl.c was patched independently by the ksmbd maintainers in response, and that's the path the CVE was assigned for.
2002
- CVE-2002-1809 7.5 HIGH
MySQL Windows binary release default NULL root password
MySQL AB - MySQL Windows binary 3.23.2-3.23.52
The default configuration of the Windows binary release of MySQL 3.23.2 through 3.23.52 has a NULL root password, which could allow remote attackers to gain unauthorized root access to the MySQL database.
PoC published as mysqlfuck.c on Bugtraq.
- CVE-2002-1923 7.5 HIGH
MySQL Windows default config has logging disabled
MySQL AB - MySQL Windows 3.20.32-3.23.52
The default configuration in MySQL 3.20.32 through 3.23.52, when running on Windows, does not have logging enabled, which could allow remote attackers to conduct activities without detection.
Reported in the same series as CVE-2002-1809 and CVE-2002-1921.
- CVE-2002-1921 7.5 HIGH
MySQL Windows default bind address allows remote connections
MySQL AB - MySQL Windows 3.20.32-3.23.52
The default configuration of MySQL 3.20.32 through 3.23.52, when running on Windows, does not set the bind address to the loopback interface, which allows remote attackers to connect to the database.
Reported in the same series as CVE-2002-1809.