Description
In the Linux kernel, the following vulnerability has been resolved:

ksmbd: fix signedness bug in smb_direct_prepare_negotiation()

smb_direct_prepare_negotiation() casts an unsigned __u32 value
from sp->max_recv_size and req->preferred_send_size to a signed
int before computing min_t(int, ...). A maliciously provided
preferred_send_size of 0x80000000 will return as smaller than
max_recv_size, and then be used to set the maximum
allowed receive size for the next message.

By sending a second message with a large value (>1420 bytes)
the attacker can then achieve a heap buffer overflow.

This fix replaces min_t(int, ...) with min_t(u32)

Published: 2026-05-06
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The ksmbd SMB server in the Linux kernel contains a signedness bug in smb_direct_prepare_negotiation(): an unsigned __u32 value derived from preferred_send_size is cast to a signed int before a min_t calculation. When an attacker supplies a malicious preferred_send_size of 0x80000000, the signed conversion treats it as a negative number, causing the function to select a lower maximum receive size. A subsequent SMB message that exceeds the enforced limit (more than 1420 bytes) will overflow a heap buffer. The resulting overwrite can compromise kernel memory and potentially allow arbitrary code execution or a system crash.
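The signed-versus-unsigned comparison that both the description and the Impact paragraph above describe, shown as an added illustration in plain C. This is not ksmbd code: negotiate_signed() mirrors the described min_t(int, ...) pattern, negotiate_unsigned() mirrors the min_t(u32, ...) fix, and the local receive limit of 8192 and the helper negotiated_size_is_safe() are constructed assumptions for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed illustration of the signedness defect described in the
 * advisory. LOCAL_MAX_RECV is an assumed local receive limit, not a
 * value taken from the kernel.
 */
#define LOCAL_MAX_RECV 8192u

/* Buggy pattern: both __u32 inputs are converted to int before the min. */
static uint32_t negotiate_signed(uint32_t local_max_recv, uint32_t peer_preferred_send)
{
    /* On the usual two's-complement targets, 0x80000000 becomes INT_MIN here,
     * so it compares as smaller than any sane local limit. */
    int a = (int)local_max_recv;
    int b = (int)peer_preferred_send;
    int m = a < b ? a : b;
    return (uint32_t)m;          /* INT_MIN converts back to 0x80000000 */
}

/* Fixed pattern: compare as unsigned, so 0x80000000 is simply a large value
 * and the local limit wins. */
static uint32_t negotiate_unsigned(uint32_t local_max_recv, uint32_t peer_preferred_send)
{
    return local_max_recv < peer_preferred_send ? local_max_recv : peer_preferred_send;
}

/*
 * Defender-side invariant (constructed helper): whatever size was negotiated
 * must fit the receive buffer the local side actually allocated.
 * Returns 1 when it does, 0 otherwise.
 */
static int negotiated_size_is_safe(uint32_t negotiated, uint32_t local_max_recv)
{
    return negotiated != 0 && negotiated <= local_max_recv;
}

int main(void)
{
    const uint32_t hostile = 0x80000000u;   /* the value named in the advisory */
    const uint32_t benign  = 1024u;         /* constructed ordinary request */

    uint32_t s = negotiate_signed(LOCAL_MAX_RECV, hostile);
    uint32_t u = negotiate_unsigned(LOCAL_MAX_RECV, hostile);

    printf("signed   min -> 0x%08x  safe=%d\n", s, negotiated_size_is_safe(s, LOCAL_MAX_RECV));
    printf("unsigned min -> 0x%08x  safe=%d\n", u, negotiated_size_is_safe(u, LOCAL_MAX_RECV));
    printf("benign   min -> %u (both variants agree)\n",
           negotiate_unsigned(LOCAL_MAX_RECV, benign));
    return 0;
}
```

For ordinary requests both variants return the same value; only when the peer-supplied size has the top bit set does the signed variant return a value larger than the local buffer, which is exactly the condition the invariant check flags.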

Affected Systems

All Linux kernel releases that include the ksmbd SMB server component before the commit that implements the signedness bug fix. The exact vulnerable versions are not listed in this CVE record; users should compare their running kernel version against upstream patch commits, such as commit 55abc475d096da4a5356b6efb0cfdc6156bc1550, to determine vulnerability status.

Risk and Exploitability

Exploitation requires an attacker to reach the SMB service over the network, send a crafted negotiation request, and then transmit a large SMB message. The attack vector is therefore remote, via the SMB port. The CVSS score of 9.8 indicates critical severity, while the EPSS score of <1% suggests a low current exploitation probability, and the vulnerability is not listed in KEV. If the exploit succeeds, it could grant kernel-level code execution or cause a system crash.

Generated by OpenCVE AI on May 11, 2026 at 23:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a kernel update that includes the ksmbd signedness bug fix (refer to commit 55abc475d096da4a5356b6efb0cfdc6156bc1550 or later), ensuring the kernel version is upgraded to a patched state.
  • If an immediate kernel upgrade is not feasible, disable or unload the ksmbd module to prevent SMB requests from reaching the vulnerable code.
  • Configure the host firewall or network controls to block SMB traffic on the standard ports until the patch is installed, thereby reducing the opportunity for an attacker to send the malicious request.

Generated by OpenCVE AI on May 11, 2026 at 23:14 UTC.

Advisories

No advisories yet.

History

Mon, 11 May 2026 21:00:00 +0000

Type          Values Removed    Values Added
Weaknesses                      CWE-674
CPEs                            cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*

Fri, 08 May 2026 13:00:00 +0000

Type          Values Removed    Values Added
Metrics                         cvssV3_1
                                {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Thu, 07 May 2026 03:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
CWE-190
CWE-680

Thu, 07 May 2026 00:15:00 +0000


Wed, 06 May 2026 16:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
CWE-190
CWE-680

Wed, 06 May 2026 12:15:00 +0000

Type                  Values Removed    Values Added
Description                             In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix signededness bug in smb_direct_prepare_negotiation() smb_direct_prepare_negotiation() casts an unsigned __u32 value from sp->max_recv_size and req->preferred_send_size to a signed int before computing min_t(int, ...). A maliciously provided preferred_send_size of 0x80000000 will return as smaller than max_recv_size, and then be used to set the maximum allowed alowed receive size for the next message. By sending a second message with a large value (>1420 bytes) the attacker can then achieve a heap buffer overflow. This fix replaces min_t(int, ...) with min_t(u32)
Title                                   ksmbd: fix signededness bug in smb_direct_prepare_negotiation()
First Time appeared                     Linux
                                        Linux linux Kernel
CPEs                                    cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products                      Linux
                                        Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:19:29.532Z

Reserved: 2026-05-01T14:12:55.991Z

Link: CVE-2026-43185

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-05-06T12:16:37.187

Modified: 2026-05-11T20:52:58.280

Link: CVE-2026-43185

Redhat

Severity:

Public Date: 2026-05-06T00:00:00Z

Links: CVE-2026-43185 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-11T23:15:09Z

Weaknesses