Description
In the Linux kernel, the following vulnerability has been resolved:

ksmbd: fix signedness bug in smb_direct_prepare_negotiation()

smb_direct_prepare_negotiation() casts an unsigned __u32 value
from sp->max_recv_size and req->preferred_send_size to a signed
int before computing min_t(int, ...). A maliciously provided
preferred_send_size of 0x80000000 will return as smaller than
max_recv_size, and then be used to set the maximum allowed
receive size for the next message.

By sending a second message with a large value (>1420 bytes)
the attacker can then achieve a heap buffer overflow.

This fix replaces min_t(int, ...) with min_t(u32).

Published: 2026-05-06
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The ksmbd SMB server in the Linux kernel contains a signedness bug in smb_direct_prepare_negotiation(): the unsigned __u32 values sp->max_recv_size and req->preferred_send_size are cast to a signed int before the min_t(int, ...) calculation. When an attacker supplies a preferred_send_size of 0x80000000, the signed comparison treats it as a negative number, so min_t selects it as the "smaller" operand even though, read back as an unsigned size, it is far larger than max_recv_size; that value is then installed as the maximum allowed receive size for the next message. A subsequent SMB message larger than the real buffer (more than 1420 bytes) therefore passes the size check and overflows a heap buffer. The resulting overwrite can corrupt kernel memory and potentially allow arbitrary code execution or a system crash.
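To make the arithmetic concrete, here is an added stand-alone C illustration of the bug class; it is not ksmbd's own code. The min_t macro reproduces the kernel's cast-then-compare behaviour, and the 1420-byte buffer size is a constructed value taken from the page's overflow threshold.

```c
#include <stdint.h>
#include <stdio.h>

/* Reproduces the kernel's min_t(type, a, b): both operands are cast to
 * `type` before the comparison, and the result has that type. */
#define min_t(type, a, b) (((type)(a) < (type)(b)) ? (type)(a) : (type)(b))

typedef uint32_t u32;

/* Vulnerable form: two u32 operands compared as signed int. Converting
 * 0x80000000 to int yields INT_MIN on two's-complement targets
 * (implementation-defined in C, but what the kernel relies on), so it
 * wins the comparison and is handed back as a huge unsigned size. */
static u32 recv_size_vulnerable(u32 max_recv_size, u32 preferred_send_size)
{
    return min_t(int, max_recv_size, preferred_send_size);
}

/* Fixed form, matching the upstream change to min_t(u32, ...): an
 * unsigned comparison can never return a value above max_recv_size. */
static u32 recv_size_fixed(u32 max_recv_size, u32 preferred_send_size)
{
    return min_t(u32, max_recv_size, preferred_send_size);
}

/* Models the size check on the next message: returns 1 when a message
 * of msg_len bytes passes the negotiated limit yet exceeds the buffer. */
static int accepted_but_overflows(u32 negotiated_limit, u32 buffer_size, u32 msg_len)
{
    return msg_len <= negotiated_limit && msg_len > buffer_size;
}

int main(void)
{
    /* Constructed values: a 1420-byte receive buffer (the page's threshold),
     * the attacker-controlled preferred_send_size from the advisory, and a
     * follow-up message larger than the buffer. */
    const u32 max_recv_size = 1420, preferred = 0x80000000u, msg_len = 4096;

    printf("min_t(int): 0x%08x\n", recv_size_vulnerable(max_recv_size, preferred));
    printf("min_t(u32): 0x%08x\n", recv_size_fixed(max_recv_size, preferred));
    printf("overflow with int compare: %d\n",
           accepted_but_overflows(recv_size_vulnerable(max_recv_size, preferred),
                                  max_recv_size, msg_len));
    printf("overflow with u32 compare: %d\n",
           accepted_but_overflows(recv_size_fixed(max_recv_size, preferred),
                                  max_recv_size, msg_len));
    return 0;
}
```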

Affected Systems

All Linux kernel releases that include the ksmbd SMB server component before the commit that implements the signedness bug fix. The exact vulnerable versions are not listed in this CVE record; users should compare their running kernel version against upstream patch commits, such as commit 55abc475d096da4a5356b6efb0cfdc6156bc1550, to determine vulnerability status.

Risk and Exploitability

Exploitation requires an attacker to reach the SMB service over the network, send a crafted negotiation request, and then transmit a large SMB message. The likely attack vector is remote, via the SMB port, and the absence of an EPSS score or KEV listing does not reduce the high severity of a kernel heap buffer overflow. If the exploit succeeds, it could grant kernel-level code execution or cause a system crash.

Generated by OpenCVE AI on May 6, 2026 at 16:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a kernel update that includes the ksmbd signedness bug fix (refer to commit 55abc475d096da4a5356b6efb0cfdc6156bc1550 or later), ensuring the kernel version is upgraded to a patched state.
  • If an immediate kernel upgrade is not feasible, disable or unload the ksmbd module to prevent SMB requests from reaching the vulnerable code.
  • Configure the host firewall or network controls to block SMB traffic on the standard ports until the patch is installed, thereby reducing the opportunity for an attacker to send the malicious request.

Advisories

No advisories yet.

History

Wed, 06 May 2026 16:45:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-119, CWE-190, CWE-680

Wed, 06 May 2026 12:15:00 +0000

Type | Values Removed | Values Added
Description | | In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix signedness bug in smb_direct_prepare_negotiation() smb_direct_prepare_negotiation() casts an unsigned __u32 value from sp->max_recv_size and req->preferred_send_size to a signed int before computing min_t(int, ...). A maliciously provided preferred_send_size of 0x80000000 will return as smaller than max_recv_size, and then be used to set the maximum allowed receive size for the next message. By sending a second message with a large value (>1420 bytes) the attacker can then achieve a heap buffer overflow. This fix replaces min_t(int, ...) with min_t(u32)
Title | | ksmbd: fix signedness bug in smb_direct_prepare_negotiation()
First Time appeared | | Linux; Linux linux Kernel
CPEs | | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products | | Linux; Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-06T11:27:56.386Z

Reserved: 2026-05-01T14:12:55.991Z

Link: CVE-2026-43185

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-05-06T12:16:37.187

Modified: 2026-05-06T13:07:51.607

Link: CVE-2026-43185

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-06T17:00:05Z

Weaknesses