Description
In the Linux kernel, the following vulnerability has been resolved:

ksmbd: validate inherited ACE SID length

smb_inherit_dacl() walks the parent directory DACL loaded from the
security descriptor xattr. It verifies that each ACE contains the fixed
SID header before using it, but does not verify that the variable-length
SID described by sid.num_subauth is fully contained in the ACE.

A malformed inheritable ACE can advertise more subauthorities than are
present in the ACE. compare_sids() may then read past the ACE.
smb_set_ace() also clamps the copied destination SID, but used the
unchecked source SID count to compute the inherited ACE size. That could
advance the temporary inherited ACE buffer pointer and nt_size accounting
past the allocated buffer.

Fix this by validating the parent ACE SID count and SID length before
using the SID during inheritance. Compute the inherited ACE size from the
copied SID so the size matches the bounded destination SID. Reject the
inherited DACL if size accumulation would overflow smb_acl.size or the
security descriptor allocation size.
Published: 2026-05-15
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the Linux kernel’s SMB server (ksmbd) where a variable‑length Security Identifier (SID) within an inherited Access Control Entry (ACE) is not fully validated. This omission can cause the comparison routine to read past the end of the ACE, leading to an out‑of‑bounds read that may expose privileged kernel memory or be leveraged for higher‑level exploitation. The flaw stems from unchecked use of sid.num_subauth to calculate the ACE size, allowing an attacker to craft a malformed inheritable ACE that advertises more subauthorities than actually exist.

Affected Systems

All Linux kernel releases that contain the ksmbd module and have not yet applied the patch commit resolving the SID length validation bug are affected. The issue applies universally to any system running the built‑in SMB server, regardless of distribution or version, until a kernel update incorporates the fix.

Risk and Exploitability

No EPSS score is available and the vulnerability is not listed in CISA KEV, indicating that no public exploits have been documented at the time of analysis. Nevertheless, because the fault occurs in kernel code exercised by SMB traffic, an attacker who can influence a client’s ACL inheritance (e.g., via a specially crafted SMB packet) could trigger the out‑of‑bounds read. The potential impact includes information disclosure or escalation of privileges to kernel mode. Until a patched kernel is deployed, the risk remains significant for environments exposing SMB services.

Generated by OpenCVE AI on May 15, 2026 at 13:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that includes the ksmbd patch commit for SID length validation
  • If immediate kernel upgrade is not possible, configure firewall rules to block or limit SMB traffic to trusted hosts
  • Disable the ksmbd module using modprobe or kernel boot parameter until the patch is applied

Generated by OpenCVE AI on May 15, 2026 at 13:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6274-1 linux security update
History

Fri, 15 May 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-805
References

Fri, 15 May 2026 06:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-125
CWE-190
CWE-20

Fri, 15 May 2026 05:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: ksmbd: validate inherited ACE SID length smb_inherit_dacl() walks the parent directory DACL loaded from the security descriptor xattr. It verifies that each ACE contains the fixed SID header before using it, but does not verify that the variable-length SID described by sid.num_subauth is fully contained in the ACE. A malformed inheritable ACE can advertise more subauthorities than are present in the ACE. compare_sids() may then read past the ACE. smb_set_ace() also clamps the copied destination SID, but used the unchecked source SID count to compute the inherited ACE size. That could advance the temporary inherited ACE buffer pointer and nt_size accounting past the allocated buffer. Fix this by validating the parent ACE SID count and SID length before using the SID during inheritance. Compute the inherited ACE size from the copied SID so the size matches the bounded destination SID. Reject the inherited DACL if size accumulation would overflow smb_acl.size or the security descriptor allocation size.
Title ksmbd: validate inherited ACE SID length
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-15T05:15:37.666Z

Reserved: 2026-05-01T14:12:56.012Z

Link: CVE-2026-43490

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-15T06:16:20.363

Modified: 2026-05-15T06:16:20.363

Link: CVE-2026-43490

cve-icon Redhat

Severity :

Publid Date: 2026-05-15T00:00:00Z

Links: CVE-2026-43490 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-15T13:30:45Z

Weaknesses