Out-of-bounds read in Linux kernel SMB client symlink error response parsing
CVE-2026-31613 is an out-of-bounds read in the Linux kernel SMB client when parsing SMB 3.1.1 symlink error responses from an untrusted server. The vulnerable path is reached when an SMB CREATE request returns STATUS_STOPPED_ON_SYMLINK. In this path, smb2_check_message() returns success without performing length validation, leaving subsequent symlink parsing code to process attacker-controlled response data. In symlink_data(), SMB 3.1.1 error contexts are iterated with the loop condition "p < end", but the parser reads fields from the current context header before ensuring the full header fits in bounds. A server-controlled ErrorDataLength can advance the parser pointer to within 1-7 bytes of the end of the buffer, causing the next iteration to read past the end. Additionally, when a matching context is found, SymLinkErrorTag is read from ErrorContextData without verifying that the symlink header itself is fully present. A second bounds flaw exists in smb2_parse_symlink_response(), which validates the substitute name using SMB2_SYMLINK_STRUCT_SIZE as a fixed PathBuffer offset from iov_base. That offset is only correct when ErrorContextCount is 0; with one or more error contexts present, the actual symlink data is deeper in the buffer and may be shifted further by skipped contexts. As a result, substitute-name reads can run past iov_len and consume out-of-bounds heap bytes.
Are you exposed to this one?
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
Impact, mitigation & remediation
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
Impact
What an attacker gets, and what they’ve been doing with it.
Mitigation
If you can’t patch tonight, do this now.
Remediation
Patch, then assume compromise.
Exploits
No public exploits tracked yet. Mallory keeps watching.
No public exploit code observed for this vulnerability.
Affected products & vendors
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
Recent activity
18 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Linux kernel out-of-bounds read vulnerability in the SMB client while parsing symlink error responses.
Referenced as one of many vulnerabilities solved by SUSE security updates; no technical details provided in the content.
A Linux kernel SMB client out-of-bounds read vulnerability when parsing symlink error responses.
An out-of-bounds read vulnerability in the Linux kernel SMB client when parsing SMB symlink error responses from an untrusted server. Improper length and bounds validation can allow out-of-bounds heap bytes to be UTF-16-decoded into the symlink target and returned to userspace via readlink(2).
The version that knows your environment.
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.