Description
In the Linux kernel, the following vulnerability has been resolved:

smb: client: fix in-place encryption corruption in SMB2_write()

SMB2_write() places write payload in iov[1..n] as part of rq_iov.
smb3_init_transform_rq() pointer-shares rq_iov, so crypt_message()
encrypts iov[1] in-place, replacing the original plaintext with
ciphertext. On a replayable error, the retry sends the same iov[1]
which now contains ciphertext instead of the original data,
resulting in corruption.

The corruption is most likely to be observed when connections are
unstable, as reconnects trigger write retries that re-send the
already-encrypted data.

This affects SFU mknod, MF symlinks, etc. On kernels before
6.10 (prior to the netfs conversion), sync writes also used
this path and were similarly affected. The async write path
wasn't unaffected as it uses rq_iter which gets deep-copied.

Fix by moving the write payload into rq_iter via iov_iter_kvec(),
so smb3_init_transform_rq() deep-copies it before encryption.
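
The retry failure described above, modelled in user space as an added example (not kernel code and not part of the original advisory). The names `toy_crypt`, `transform` and `write_with_retry_intact` are hypothetical, and the XOR keystream is a constructed stand-in for SMB3 encryption.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Toy XOR keystream standing in for the SMB3 AEAD (constructed, not real
 * crypto). With XOR, encrypt and decrypt are the same operation. */
static void toy_crypt(unsigned char *buf, size_t len, unsigned nonce) {
    for (size_t i = 0; i < len; i++)
        buf[i] ^= (unsigned char)(0x5A + 31 * nonce + i);
}

/* Hypothetical transform step. deep_copy == 0 encrypts the caller's buffer
 * through a shared pointer (the bug); 1 encrypts a private copy (the fix). */
static unsigned char *transform(unsigned char *payload, size_t len,
                                unsigned nonce, int deep_copy) {
    unsigned char *wire = payload;
    if (deep_copy) {
        if (!(wire = malloc(len ? len : 1))) return NULL;
        memcpy(wire, payload, len);
    }
    toy_crypt(wire, len, nonce);
    return wire;
}

/* Attempt 1 is lost to a replayable error; attempt 2 reaches the server.
 * Returns 1 if the server stores the original data, 0 if not, -1 on OOM. */
int write_with_retry_intact(const char *data, int deep_copy) {
    size_t len = strlen(data);
    unsigned char *payload = malloc(len + 1), *stored = malloc(len + 1);
    int ok = -1;
    if (!payload || !stored) goto out;
    memcpy(payload, data, len);
    for (unsigned attempt = 1; attempt <= 2; attempt++) {
        unsigned char *wire = transform(payload, len, attempt, deep_copy);
        if (!wire) goto out;
        if (attempt == 2) {                   /* only the retry is delivered */
            memcpy(stored, wire, len);
            toy_crypt(stored, len, attempt);  /* server-side decrypt */
        }
        if (wire != payload) free(wire);
    }
    ok = memcmp(stored, data, len) == 0;
out:
    free(payload); free(stored);
    return ok;
}

int main(void) {
    printf("pointer-shared intact=%d, deep-copied intact=%d\n",
           write_with_retry_intact("mknod payload", 0),
           write_with_retry_intact("mknod payload", 1));
    return 0;
}
```

In the pointer-shared case the server decrypts the retry correctly but recovers the first attempt's ciphertext, which is what ends up stored.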
Published: 2026-05-08
Score: 7.0 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability, identified as CWE-649, lies in the Linux SMB client’s write handling: during an SMB2_write operation, the payload buffer is encrypted in place, and if a retry occurs because of a replayable error, the same corrupted buffer is sent again. This causes the written data to be overwritten with ciphertext, leading to permanent data corruption on the remote file system. The effect is a loss of data integrity, potentially resulting in corrupted files or system state. The issue appears most often when connections are unstable and retries are triggered, so an attacker who can influence SMB traffic or control a flaky network could induce data corruption.

Affected Systems

Affected products are Linux kernel implementations that use the SMB client code before the 6.10 release, including kernels prior to the netfs conversion. Versions before 6.10 are vulnerable. The kernel code paths used for sync writes and certain filesystem features such as SFU mknod and MF symlinks are impacted.

Risk and Exploitability

The CVSS score of 7.0 indicates moderate severity, and no EPSS score is available. The vulnerability is not listed in CISA KEV, which suggests that it has not yet been widely exploited in the wild. However, because SMB traffic is generally user‑controllable and network instability can be manipulated, the risk remains significant for environments that rely on SMB shares. The attack vector is likely a combination of vulnerable SMB client code and unstable network conditions that trigger write retries, making the flaw exploitable under normal operation or by an attacker who can force extended retry cycles.

Generated by OpenCVE AI on May 9, 2026 at 04:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a kernel update to version 6.10 or newer, which implements the patch that deep‑copies the write payload before encryption.
  • If upgrading the kernel is delayed, monitor network stability and avoid patterns that cause frequent SMB write retries, as extended retries increase the chance of corruption.
  • Ensure that any distribution‑specific update mechanism is kept current so that the kernel receives future security patches promptly.

Generated by OpenCVE AI on May 9, 2026 at 04:48 UTC.

Advisories

No advisories yet.

History

Sat, 09 May 2026 03:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-682

Sat, 09 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-649
References
Metrics
  Values Removed: threat_severity: None
  Values Added: cvssV3_1: {'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}; threat_severity: Moderate


Fri, 08 May 2026 18:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-682

Fri, 08 May 2026 14:45:00 +0000

Type Values Removed Values Added
Title smb: client: fix in-place encryption corruption in SMB2_write()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-09T04:10:40.255Z

Reserved: 2026-05-01T14:12:56.005Z

Link: CVE-2026-43362

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-08T15:16:47.133

Modified: 2026-05-08T15:16:47.133

Link: CVE-2026-43362

Redhat

Severity: Moderate

Public Date: 2026-05-08T00:00:00Z

Links: CVE-2026-43362 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-09T05:00:10Z

Weaknesses