Description
In the Linux kernel, the following vulnerability has been resolved:

fs/smb/client: fix out-of-bounds read in cifs_sanitize_prepath

When cifs_sanitize_prepath is called with an empty string or a string
containing only delimiters (e.g., "/"), the current logic attempts to
check *(cursor2 - 1) before cursor2 has advanced. This results in an
out-of-bounds read.

This patch adds an early exit check after stripping prepended
delimiters. If no path content remains, the function returns NULL.

The bug was identified via manual audit and verified using a
standalone test case compiled with AddressSanitizer, which
triggered a SEGV on affected inputs.
Published: 2026-05-06
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel's SMB client contains a flaw in the function cifs_sanitize_prepath that allows an out‑of‑bounds read when the function receives an empty string or a string composed solely of delimiters. The code attempts to dereference a pointer before it has advanced, which can trigger a kernel segmentation fault. A crash of this nature results in a kernel panic and loss of service for components relying on the SMB client, effectively denying availability to affected users.

Affected Systems

All Linux kernel builds that implement the SMB client module and include an unpatched implementation of cifs_sanitize_prepath are affected. The patch that resolves the issue is identified in the commit referenced by the kernel repository links; any kernel older than that commit is vulnerable, with no specific version number provided.

Risk and Exploitability

The CVSS score for this vulnerability is 8.8 and the EPSS score is less than 1%, indicating a low probability of exploitation. It is not listed in the CISA KEV catalog. The attacker would need to supply a path string that triggers the out‑of‑bounds read, which can be achieved by interacting with SMB client operations, either locally or remotely. Because the flaw results only in a crash rather than arbitrary code execution, the impact is limited to a denial of service, though it could be leveraged in a broader attack by causing instability in critical services.

Generated by OpenCVE AI on May 8, 2026 at 20:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a kernel update that includes the cifs_sanitize_prepath patch
  • Restart any SMB client services or remount shares so that the kernel module reloads with the fix
  • If an immediate kernel upgrade is not possible, disable the SMB client module or avoid using SMB shares to eliminate the attack surface

Generated by OpenCVE AI on May 8, 2026 at 20:14 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 08 May 2026 19:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-125
CPEs cpe:2.3:o:linux:linux_kernel:5.16:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.16:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.16:rc7:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.16:rc8:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*

Fri, 08 May 2026 18:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-125

Fri, 08 May 2026 13:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

 cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Thu, 07 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-786
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate

Wed, 06 May 2026 12:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-125

Wed, 06 May 2026 09:30:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: fs/smb/client: fix out-of-bounds read in cifs_sanitize_prepath When cifs_sanitize_prepath is called with an empty string or a string containing only delimiters (e.g., "/"), the current logic attempts to check *(cursor2 - 1) before cursor2 has advanced. This results in an out-of-bounds read. This patch adds an early exit check after stripping prepended delimiters. If no path content remains, the function returns NULL. The bug was identified via manual audit and verified using a standalone test case compiled with AddressSanitizer, which triggered a SEGV on affected inputs.
Title fs/smb/client: fix out-of-bounds read in cifs_sanitize_prepath
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-23T16:06:17.257Z

Reserved: 2026-05-01T14:12:55.986Z

Link: CVE-2026-43112

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-05-06T10:16:24.927

Modified: 2026-05-08T19:43:23.620

Link: CVE-2026-43112

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-05-06T00:00:00Z

Links: CVE-2026-43112 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-08T20:15:15Z

Weaknesses