Description
In the Linux kernel, the following vulnerability has been resolved:

ksmbd: validate inherited ACE SID length

smb_inherit_dacl() walks the parent directory DACL loaded from the
security descriptor xattr. It verifies that each ACE contains the fixed
SID header before using it, but does not verify that the variable-length
SID described by sid.num_subauth is fully contained in the ACE.

A malformed inheritable ACE can advertise more subauthorities than are
present in the ACE. compare_sids() may then read past the ACE.
smb_set_ace() also clamps the copied destination SID, but used the
unchecked source SID count to compute the inherited ACE size. That could
advance the temporary inherited ACE buffer pointer and nt_size accounting
past the allocated buffer.

Fix this by validating the parent ACE SID count and SID length before
using the SID during inheritance. Compute the inherited ACE size from the
copied SID so the size matches the bounded destination SID. Reject the
inherited DACL if size accumulation would overflow smb_acl.size or the
security descriptor allocation size.
Published: 2026-05-15
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw resides in the Linux kernel’s SMB server (ksmbd). When inheriting access-control lists, the code loads a parent directory’s DACL from a security-descriptor attribute and verifies only the fixed SID header of each ACE. It does not validate that the variable-length SID, as indicated by sid.num_subauth, is fully contained within the ACE. Consequently, a malformed inheritable ACE that advertises more sub-authorities than actually exist can cause the comparison routine to read beyond the ACE’s boundary, leading to an out-of-bounds read of kernel memory. This read can expose privileged data or potentially be leveraged for kernel-mode privilege escalation.

Affected Systems

All Linux kernel releases that ship the ksmbd module and have not incorporated the patch commit that adds SID-length validation are affected. The issue is independent of distribution and applies to any system exposing the built-in SMB server, regardless of vendor or version, until the kernel update is applied.

Risk and Exploitability

The vulnerability has a CVSS score of 8.8, indicating high severity, and an EPSS score of less than 1%, showing a very low current likelihood of exploitation. It is not listed in the CISA KEV catalog. Based on the description, it is inferred that an attacker who can send a specially crafted SMB packet could trigger the out-of-bounds read. The impact could include information disclosure or, in the worst case, privilege escalation to kernel mode. Until the patch is deployed, the risk remains significant for environments that expose SMB services.

Generated by OpenCVE AI on May 20, 2026 at 20:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest kernel update that includes the ksmbd SID validation patch
  • Restrict SMB traffic with firewall rules to allow only trusted hosts while the patch is pending
  • If immediate kernel upgrade is not possible, unload or disable the ksmbd module to remove the vulnerable code from the running kernel
  • Monitor system logs for anomalous SMB activity

Generated by OpenCVE AI on May 20, 2026 at 20:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6274-1 linux security update
History

Sat, 23 May 2026 11:45:00 +0000

Type Values Removed Values Added
References

Wed, 20 May 2026 18:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-125
CWE-190
CWE-20

Wed, 20 May 2026 16:45:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Fri, 15 May 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-805
References

Fri, 15 May 2026 06:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-125
CWE-190
CWE-20

Fri, 15 May 2026 05:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: ksmbd: validate inherited ACE SID length smb_inherit_dacl() walks the parent directory DACL loaded from the security descriptor xattr. It verifies that each ACE contains the fixed SID header before using it, but does not verify that the variable-length SID described by sid.num_subauth is fully contained in the ACE. A malformed inheritable ACE can advertise more subauthorities than are present in the ACE. compare_sids() may then read past the ACE. smb_set_ace() also clamps the copied destination SID, but used the unchecked source SID count to compute the inherited ACE size. That could advance the temporary inherited ACE buffer pointer and nt_size accounting past the allocated buffer. Fix this by validating the parent ACE SID count and SID length before using the SID during inheritance. Compute the inherited ACE size from the copied SID so the size matches the bounded destination SID. Reject the inherited DACL if size accumulation would overflow smb_acl.size or the security descriptor allocation size.
Title ksmbd: validate inherited ACE SID length
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-23T11:25:58.184Z

Reserved: 2026-05-01T14:12:56.012Z

Link: CVE-2026-43490

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-15T06:16:20.363

Modified: 2026-05-23T12:17:02.340

Link: CVE-2026-43490

cve-icon Redhat

Severity :

Publid Date: 2026-05-15T00:00:00Z

Links: CVE-2026-43490 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-20T20:15:26Z

Weaknesses
  • CWE-805

    Buffer Access with Incorrect Length Value