Description
In the Linux kernel, the following vulnerability has been resolved:

smb: client: require a full NFS mode SID before reading mode bits

parse_dacl() treats an ACE SID matching sid_unix_NFS_mode as an NFS
mode SID and reads sid.sub_auth[2] to recover the mode bits.

That assumes the ACE carries three subauthorities, but compare_sids()
only compares min(a, b) subauthorities. A malicious server can return
an ACE with num_subauth = 2 and sub_auth[] = {88, 3}, which still
matches sid_unix_NFS_mode and then drives the sub_auth[2] read four
bytes past the end of the ACE.

Require num_subauth >= 3 before treating the ACE as an NFS mode SID.
This keeps the fix local to the special-SID mode path without changing
compare_sids() semantics for the rest of cifsacl.
Published: 2026-05-08
Score: 7.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel's SMB client derives Unix mode bits from a special NFS mode SID when parse_dacl() walks the ACEs of a security descriptor returned by the server. An ACE whose SID matches sid_unix_NFS_mode (S-1-5-88-3-<mode>) is assumed to carry three sub-authorities, and the mode bits are read from sid.sub_auth[2]. compare_sids(), however, only compares the first min(a, b) sub-authorities, so an ACE with num_subauth = 2 and sub_auth[] = {88, 3} still matches. A server that the client mounts (or anyone able to alter that server's responses in transit) can send such an ACE and make parse_dacl() read four bytes past the end of the ACE. Those bytes are whatever follows the ACE in the received buffer, so the client ends up with file mode bits taken from adjacent memory; if the truncated ACE is the last thing in the descriptor, the read goes past the allocation. NVD rates the consequence as limited confidentiality and integrity impact with a high availability impact (CVSS 3.1 C:L/I:L/A:H).
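The matching and the stray read described above, modelled in userland as an added example (this is not kernel code; the simplified struct layout, the nfs_mode_from_ace() helper, its require_full_sid switch and the two sample ACE buffers are constructed for illustration). compare_sids() keeps the kernel's min(a, b) comparison, and the helper either reads sub_auth[2] from its wire position regardless of num_subauth (pre-fix behaviour) or first requires a full three-subauthority SID (the fix). The first constructed buffer is a well-formed S-1-5-88-3-0644 ACE; the second is the advisory's two-subauthority ACE followed by the next ACE's header, which is exactly what the stray read picks up as a mode:

```c
/*
 * Added example, not kernel code: a userland model of the cifsacl
 * special-SID mode path and the num_subauth check the fix adds.
 * Layouts are simplified; sub_auth values are little-endian on the wire.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SID_MAX_SUB_AUTHORITIES 15
#define NUM_AUTHS 6
#define SID_HDR_LEN 8   /* revision, num_subauth, authority[6] */
#define ACE_HDR_LEN 4   /* type, flags, le16 size */

struct smb_sid {
    uint8_t  revision;
    uint8_t  num_subauth;
    uint8_t  authority[NUM_AUTHS];
    uint32_t sub_auth[SID_MAX_SUB_AUTHORITIES]; /* host order after parse */
};

/* S-1-5-88-3-<mode>. The constant carries only two subauthorities; the
 * third, the mode, comes from the ACE and is compared against nothing. */
static const struct smb_sid sid_unix_NFS_mode = {
    1, 2, {0, 0, 0, 0, 0, 5}, {88, 3}
};

static uint32_t get_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Same rules as the kernel's compare_sids(): only the first min(a, b)
 * subauthorities take part, so a shorter SID can still compare equal. */
int compare_sids(const struct smb_sid *a, const struct smb_sid *b)
{
    int i, n;
    if (a->revision != b->revision)
        return a->revision > b->revision ? 1 : -1;
    for (i = 0; i < NUM_AUTHS; i++)
        if (a->authority[i] != b->authority[i])
            return a->authority[i] > b->authority[i] ? 1 : -1;
    n = a->num_subauth < b->num_subauth ? a->num_subauth : b->num_subauth;
    for (i = 0; i < n; i++)
        if (a->sub_auth[i] != b->sub_auth[i])
            return a->sub_auth[i] > b->sub_auth[i] ? 1 : -1;
    return 0;
}

/* Decode a wire SID at buf[0..avail). Returns its wire length, or 0 if the
 * header or the declared subauthorities would run past avail. */
static size_t parse_sid(const uint8_t *buf, size_t avail, struct smb_sid *out)
{
    size_t i, len;
    if (avail < SID_HDR_LEN)
        return 0;
    out->revision = buf[0];
    out->num_subauth = buf[1];
    memcpy(out->authority, buf + 2, NUM_AUTHS);
    if (out->num_subauth > SID_MAX_SUB_AUTHORITIES)
        return 0;
    len = SID_HDR_LEN + 4u * out->num_subauth;
    if (len > avail)
        return 0;
    for (i = 0; i < out->num_subauth; i++)
        out->sub_auth[i] = get_le32(buf + SID_HDR_LEN + 4 * i);
    return len;
}

/*
 * Model of the special-SID branch of parse_dacl() for the ACE at
 * buf[ace_off..). Returns 1 and sets *mode when the ACE is taken as an NFS
 * mode SID, 0 when it is not, -1 when the ACE is malformed or the mode read
 * would leave the buffer entirely (the kernel would read past its allocation).
 * require_full_sid == 0 reproduces the pre-fix read of sub_auth[2] regardless
 * of num_subauth; require_full_sid == 1 adds the fix's num_subauth >= 3 check.
 */
int nfs_mode_from_ace(const uint8_t *buf, size_t buf_len, size_t ace_off,
                      int require_full_sid, uint32_t *mode)
{
    struct smb_sid sid;
    size_t ace_len, sid_off = ace_off + ACE_HDR_LEN, mode_off;

    if (ace_off + ACE_HDR_LEN > buf_len)
        return -1;
    ace_len = buf[ace_off + 2] | (size_t)buf[ace_off + 3] << 8;
    if (ace_len < ACE_HDR_LEN || ace_off + ace_len > buf_len)
        return -1;
    if (parse_sid(buf + sid_off, ace_len - ACE_HDR_LEN, &sid) == 0)
        return -1;
    if (compare_sids(&sid, &sid_unix_NFS_mode) != 0)
        return 0;                 /* some other SID: no mode bits here */
    if (require_full_sid && sid.num_subauth < 3)
        return 0;                 /* the fix: a truncated SID is not a mode SID */

    /* Wire position of sub_auth[2]; with num_subauth == 2 this is 4 bytes
     * past the end of the ACE, inside whatever follows it in the descriptor.
     * The kernel ORs this raw value into the inode mode. */
    mode_off = sid_off + SID_HDR_LEN + 4 * 2;
    if (mode_off + 4 > buf_len)
        return -1;
    *mode = get_le32(buf + mode_off);
    return 1;
}

/* Constructed sample: a well-formed NFS mode ACE, S-1-5-88-3-0644. */
static const uint8_t good_ace[] = {
    0x00, 0x00, 0x18, 0x00,            /* ACE: type, flags, size = 24 */
    0x01, 0x03, 0, 0, 0, 0, 0, 0x05,   /* SID: rev 1, 3 subauths, authority 5 */
    0x58, 0, 0, 0,                     /* 88 */
    0x03, 0, 0, 0,                     /* 3 */
    0xa4, 0x01, 0, 0,                  /* 0644 */
};

/* Constructed sample matching the advisory: num_subauth = 2, {88, 3},
 * followed by the next ACE's header, which the stray read lands on. */
static const uint8_t short_ace_then_next[] = {
    0x00, 0x00, 0x14, 0x00,            /* ACE: size = 20 */
    0x01, 0x02, 0, 0, 0, 0, 0, 0x05,   /* SID: rev 1, only 2 subauths */
    0x58, 0, 0, 0,                     /* 88 */
    0x03, 0, 0, 0,                     /* 3 */
    0x01, 0x00, 0x18, 0x00,            /* next ACE header: type 1, size 24 */
};

int main(void)
{
    uint32_t m = 0;
    int r = nfs_mode_from_ace(short_ace_then_next, sizeof short_ace_then_next, 0, 0, &m);
    printf("pre-fix: r=%d mode=0x%08x (bytes of the next ACE header)\n", r, m);
    r = nfs_mode_from_ace(short_ace_then_next, sizeof short_ace_then_next, 0, 1, &m);
    printf("fixed:   r=%d (truncated SID not treated as a mode SID)\n", r);
    return 0;
}
```

Passing a buffer that ends with the truncated ACE (buf_len = 20 for the second sample) is the case where the kernel's read would leave the allocation; the pre-fix model returns -1 there instead of reading, while the fixed model still returns 0 because the num_subauth check runs before any access to sub_auth[2].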

Affected Systems

The vulnerable code is the special-SID mode path of the SMB client's cifsacl code (the cifs module). Kernels that build the SMB client and do not carry commit 2757ad3e4b6f9e0fed4c7739594e702abc5cab21 or a stable backport of it are affected, but the path is only reached when a share is mounted so that Unix mode bits are derived from the NFS mode SID (the modefromsid mount option) and the client fetches a file's security descriptor from the server. Administrators should confirm that their distribution kernel includes the fix or a backport rather than comparing upstream version numbers alone.

Risk and Exploitability

The vulnerability is not listed in CISA KEV, and its EPSS score is below 1%, indicating a low estimated probability of exploitation. NVD scores it 7.6 High (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H), while Red Hat scores it 7.0 (AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) with a Moderate threat severity; the two assessments differ mainly on whether the attack vector is counted as the network or the local mount. In practice the attacker must control the SMB server the client mounts, or be able to substitute that server's responses on the wire, and the client triggers the parse itself when it reads a security descriptor to compute permissions. The immediate effect is a four-byte read past the end of the ACE that feeds attacker-adjacent data into the file mode, with a read beyond the allocation possible when the truncated ACE ends the descriptor. No public exploitation data exists, but the fix is small and low-risk, so it warrants applying with the next kernel update, and sooner on hosts that mount shares from servers they do not administer.

Generated by OpenCVE AI on May 15, 2026 at 22:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that includes commit 2757ad3e4b6f9e0fed4c7739594e702abc5cab21 or a stable backport of it; the fix requires num_subauth >= 3 before an ACE is treated as an NFS mode SID, without changing compare_sids() for the rest of cifsacl.
  • If the kernel cannot be updated immediately, remove the reachable path: the vulnerable branch is only taken when mode bits are derived from the special NFS mode SID, so remount affected shares without the modefromsid option (check the mount options in /proc/mounts), and where SMB client access is not needed at all, blacklist or unload the cifs module.
  • Only mount shares from servers you administer or trust, and require SMB signing or encryption (the seal mount option) so that an on-path attacker cannot replace security-descriptor responses. Inbound SMB firewalling does not help here because the client initiates the connection; instead restrict outbound SMB (TCP 445) from clients to known servers.

Generated by OpenCVE AI on May 15, 2026 at 22:29 UTC.

Advisories

No advisories yet.

History

Fri, 15 May 2026 21:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
CWE-125

Fri, 15 May 2026 19:30:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo

Mon, 11 May 2026 09:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
CWE-125

Mon, 11 May 2026 07:45:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

cvssV3_1

{'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H'}


Sat, 09 May 2026 02:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-125
CWE-129

Sat, 09 May 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate


Fri, 08 May 2026 18:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-125
CWE-129

Fri, 08 May 2026 14:00:00 +0000

Type Values Removed Values Added
Description: initial description added (identical to the Description section at the top of this page)
Title smb: client: require a full NFS mode SID before reading mode bits
First Time appeared: Linux, Linux Kernel
CPEs: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products: Linux, Linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:22:52.597Z

Reserved: 2026-05-01T14:12:56.003Z

Link: CVE-2026-43350

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-05-08T14:16:45.123

Modified: 2026-05-15T19:29:35.360

Link: CVE-2026-43350

Red Hat

Severity : Moderate

Public Date: 2026-05-08T00:00:00Z

Links: CVE-2026-43350 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-15T22:30:06Z

Weaknesses