Description
In the Linux kernel, the following vulnerability has been resolved:

smb: client: require a full NFS mode SID before reading mode bits

parse_dacl() treats an ACE SID matching sid_unix_NFS_mode as an NFS
mode SID and reads sid.sub_auth[2] to recover the mode bits.

That assumes the ACE carries three subauthorities, but compare_sids()
only compares min(a, b) subauthorities. A malicious server can return
an ACE with num_subauth = 2 and sub_auth[] = {88, 3}, which still
matches sid_unix_NFS_mode and then drives the sub_auth[2] read four
bytes past the end of the ACE.

Require num_subauth >= 3 before treating the ACE as an NFS mode SID.
This keeps the fix local to the special-SID mode path without changing
compare_sids() semantics for the rest of cifsacl.
Published: 2026-05-08
Score: 7.0 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel's SMB client parses the DACL of a security descriptor in parse_dacl(). When an ACE's SID compares equal to the special NFS mode SID (sid_unix_NFS_mode, subauthorities {88, 3}), parse_dacl() assumes the SID carries at least three subauthorities and reads sid.sub_auth[2] to recover the file mode bits. The comparison is done by compare_sids(), which only checks the first min(a, b) subauthorities, so a server-supplied ACE with num_subauth = 2 and sub_auth[] = {88, 3} still matches. The following sub_auth[2] access then reads four bytes past the end of the ACE: an out-of-bounds read (CWE-125) caused by an unvalidated array index (CWE-129). The client trusts the server for this data, so a malicious or compromised SMB server can trigger the read on any client that mounts one of its shares and takes the special-SID mode path. The direct consequences are that whatever bytes follow the ACE are interpreted as mode bits and, if the ACE ends at the edge of a mapping, a kernel fault (denial of service); the assigned CVSS vector rates confidentiality, integrity and availability impact as high.
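The comparison and the out-of-bounds read described above, modelled in a standalone C program (an example added here, not code from the kernel tree or from OpenCVE). It reimplements the min(a, b) comparison the description attributes to compare_sids(), builds two constructed ACEs in wire layout, one carrying S-1-5-88-3 with num_subauth = 2 and one carrying the full S-1-5-88-3-<mode> with num_subauth = 3, and runs the mode extraction with and without the num_subauth >= 3 requirement. Rather than performing the bad read, the model reports when the sub_auth[2] offset (byte 24 of the ACE) falls beyond the ACE's declared size. The struct layout, the NT authority value 5, the helper names and the 07777 mask are simplifications assumed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NUM_AUTHS 6
#define SID_MAX_SUB_AUTHORITIES 15

/* Host-side view of a SID, modelled on struct cifs_sid (assumption: simplified). */
struct cifs_sid {
	uint8_t  revision;
	uint8_t  num_subauth;
	uint8_t  authority[NUM_AUTHS];
	uint32_t sub_auth[SID_MAX_SUB_AUTHORITIES];
};

/* S-1-5-88-3: the two-subauthority prefix parse_dacl() matches before reading sub_auth[2]. */
static const struct cifs_sid sid_unix_NFS_mode = { 1, 2, {0, 0, 0, 0, 0, 5}, {88, 3} };

enum mode_result {
	MODE_NOT_MODE_SID = 0,  /* ACE is not an NFS mode SID; ignore it */
	MODE_OK = 1,            /* mode bits recovered from sub_auth[2] */
	MODE_OOB_READ = -1,     /* unfixed logic would read past the ACE */
	MODE_BAD_ACE = -2       /* ACE header or SID does not fit the buffer */
};

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t le32(const uint8_t *p)
{
	return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Same rule as the kernel's compare_sids(): only min(a, b) subauthorities are compared,
 * so a 2-subauthority S-1-5-88-3 compares equal to the 2-subauthority constant. */
int compare_sids(const struct cifs_sid *a, const struct cifs_sid *b)
{
	int n = a->num_subauth < b->num_subauth ? a->num_subauth : b->num_subauth;
	if (a->revision != b->revision)
		return a->revision > b->revision ? 1 : -1;
	for (int i = 0; i < NUM_AUTHS; i++)
		if (a->authority[i] != b->authority[i])
			return a->authority[i] > b->authority[i] ? 1 : -1;
	for (int i = 0; i < n; i++)
		if (a->sub_auth[i] != b->sub_auth[i])
			return a->sub_auth[i] > b->sub_auth[i] ? 1 : -1;
	return 0;
}

/* Copy a wire SID (8-byte header + num_subauth little-endian words) into the host struct. */
static int parse_wire_sid(const uint8_t *p, size_t len, struct cifs_sid *out)
{
	memset(out, 0, sizeof *out);
	if (len < 8)
		return -1;
	out->revision = p[0];
	out->num_subauth = p[1];
	memcpy(out->authority, p + 2, NUM_AUTHS);
	if (out->num_subauth > SID_MAX_SUB_AUTHORITIES || len < 8 + 4 * (size_t)out->num_subauth)
		return -1;
	for (int i = 0; i < out->num_subauth; i++)
		out->sub_auth[i] = le32(p + 8 + 4 * i);
	return 0;
}

/* Mode-bit extraction for one ACE: 8 bytes of header (type, flags, le16 size, le32 mask)
 * followed by the SID, so sid.sub_auth[2] sits at byte 8 + 8 + 8 = 24. require_full == 0
 * mirrors the unfixed check; require_full == 1 applies the fix (num_subauth >= 3). */
int mode_from_ace(const uint8_t *buf, size_t buf_len, int require_full, uint32_t *mode)
{
	struct cifs_sid sid;
	size_t ace_len, off = 8 + 8 + 4 * 2;

	if (buf_len < 8)
		return MODE_BAD_ACE;
	ace_len = le16(buf + 2);
	if (ace_len < 16 || ace_len > buf_len)
		return MODE_BAD_ACE;
	if (parse_wire_sid(buf + 8, ace_len - 8, &sid) != 0)
		return MODE_BAD_ACE;
	if (compare_sids(&sid, &sid_unix_NFS_mode) != 0)
		return MODE_NOT_MODE_SID;
	if (require_full && sid.num_subauth < 3)   /* the check the fix adds */
		return MODE_NOT_MODE_SID;
	if (off + 4 > ace_len)                     /* where the unfixed path overruns the ACE */
		return MODE_OOB_READ;
	*mode = le32(buf + off) & 07777;           /* assumption: keep permission bits only */
	return MODE_OK;
}

/* Constructed sample ACEs (not captured traffic): type 0, flags 0, le16 size, le32 mask, SID. */
static const uint8_t short_ace[] = {   /* 24 bytes: S-1-5-88-3 with num_subauth = 2 */
	0x00, 0x00, 0x18, 0x00, 0xff, 0x01, 0x1f, 0x00,
	0x01, 0x02, 0, 0, 0, 0, 0, 5,
	0x58, 0x00, 0x00, 0x00,  0x03, 0x00, 0x00, 0x00
};
static const uint8_t full_ace[] = {    /* 28 bytes: S-1-5-88-3-493, i.e. mode 0755 */
	0x00, 0x00, 0x1c, 0x00, 0xff, 0x01, 0x1f, 0x00,
	0x01, 0x03, 0, 0, 0, 0, 0, 5,
	0x58, 0x00, 0x00, 0x00,  0x03, 0x00, 0x00, 0x00,  0xed, 0x01, 0x00, 0x00
};

int check_short_ace(int require_full) { uint32_t m = 0; return mode_from_ace(short_ace, sizeof short_ace, require_full, &m); }
int check_full_ace(int require_full)  { uint32_t m = 0; return mode_from_ace(full_ace, sizeof full_ace, require_full, &m); }
uint32_t full_ace_mode(void)          { uint32_t m = 0; mode_from_ace(full_ace, sizeof full_ace, 1, &m); return m; }

int main(void)
{
	printf("short ACE, unfixed: %d (%d = would read past the ACE)\n", check_short_ace(0), MODE_OOB_READ);
	printf("short ACE, fixed:   %d (%d = ignored)\n", check_short_ace(1), MODE_NOT_MODE_SID);
	printf("full ACE, fixed:    %d, mode %04o\n", check_full_ace(1), full_ace_mode());
	return 0;
}
```

The line to watch is the short ACE under the unfixed check: it passes compare_sids() and the model reports a read at offset 24 of a 24-byte ACE, the four-byte overrun from the description. The fix leaves compare_sids() alone and gates only the mode path, which is why the rest of cifsacl keeps its existing comparison semantics.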

Affected Systems

The bug is in the kernel's SMB client (the cifs module, whose ACL handling lives in cifsacl), not in the in-kernel SMB server, so it affects kernels that have the client built and use it to mount shares. The page records the fixing commit as 2757ad3e4b6f9e0fed4c7739594e702abc5cab21; kernels that do not contain that commit, or a distribution backport of it, are affected. No affected version range is listed here, so administrators should confirm the commit is present in the kernel they run or check their distribution's advisory for CVE-2026-43350.

Risk and Exploitability

The vulnerability is not listed in CISA KEV and its EPSS score is below 1%, so no public exploitation is documented. The CVSS 3.1 score of 7.0 (High) carries the vector AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H: the attack vector is rated local rather than network because the attacker cannot reach the client over the wire but has to get a user on the client to mount a share from a server the attacker controls, or to compromise a server that is already mounted. Red Hat rates the issue Moderate. The defect is a four-byte out-of-bounds read, not a write, so the realistic outcomes are a kernel crash or file mode bits derived from bytes beyond the ACE. The fix is small and self-contained and should go in with the next kernel update, with priority on hosts that mount shares from servers outside the administrator's control.

Generated by OpenCVE AI on May 9, 2026 at 03:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a release that contains commit 2757ad3e4b6f9e0fed4c7739594e702abc5cab21 or your distribution's backport of it; the fix requires num_subauth >= 3 before an ACE is treated as an NFS mode SID, so the sub_auth[2] read can no longer run past the ACE.
  • If the kernel cannot be updated immediately and the SMB client is not needed, prevent the cifs module from loading (for example by blacklisting it) and unmount existing shares. Where the client is needed, avoid mounting shares from servers you do not control, since the vulnerable path only runs on ACL data the server returns; the mode-from-SID handling is used on mounts with the modefromsid option, so check which mounts rely on it.
  • Restrict outbound SMB (TCP 445) from clients to trusted servers on internal networks and block SMB traffic from untrusted sources with firewall rules or host-based access control.



Advisories

No advisories yet.

History

Sat, 09 May 2026 02:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-125
CWE-129

Sat, 09 May 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate


Fri, 08 May 2026 18:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-125
CWE-129

Fri, 08 May 2026 14:00:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: smb: client: require a full NFS mode SID before reading mode bits parse_dacl() treats an ACE SID matching sid_unix_NFS_mode as an NFS mode SID and reads sid.sub_auth[2] to recover the mode bits. That assumes the ACE carries three subauthorities, but compare_sids() only compares min(a, b) subauthorities. A malicious server can return an ACE with num_subauth = 2 and sub_auth[] = {88, 3}, which still matches sid_unix_NFS_mode and then drives the sub_auth[2] read four bytes past the end of the ACE. Require num_subauth >= 3 before treating the ACE as an NFS mode SID. This keeps the fix local to the special-SID mode path without changing compare_sids() semantics for the rest of cifsacl.
Title smb: client: require a full NFS mode SID before reading mode bits
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-08T13:41:53.276Z

Reserved: 2026-05-01T14:12:56.003Z

Link: CVE-2026-43350

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-08T14:16:45.123

Modified: 2026-05-08T14:16:45.123

Link: CVE-2026-43350

Redhat

Severity : Moderate

Public Date: 2026-05-08T00:00:00Z

Links: CVE-2026-43350 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-09T03:30:24Z

Weaknesses

No weakness.