Skip to main content

Linux Kernel CVE-2026-43490

| EUVDEUVD-2026-30503 HIGH
Out-of-bounds Write (CWE-787)
2026-05-15 Linux GHSA-9hm7-v4rj-6wqj
8.8
CVSS 3.1 · Vendor: Linux
Share

Severity by source

Vendor (Linux) PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative

Primary rating from Vendor (Linux).

CVSS VectorVendor: Linux

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 20, 2026 - 19:30 vuln.today
CVSS changed
May 20, 2026 - 17:22 NVD
8.8 (HIGH)
Patch available
May 15, 2026 - 07:01 EUVD
CVE Published
May 15, 2026 - 05:15 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: validate inherited ACE SID length

smb_inherit_dacl() walks the parent directory DACL loaded from the security descriptor xattr. It verifies that each ACE contains the fixed SID header before using it, but does not verify that the variable-length SID described by sid.num_subauth is fully contained in the ACE.

A malformed inheritable ACE can advertise more subauthorities than are present in the ACE. compare_sids() may then read past the ACE. smb_set_ace() also clamps the copied destination SID, but used the unchecked source SID count to compute the inherited ACE size. That could advance the temporary inherited ACE buffer pointer and nt_size accounting past the allocated buffer.

Fix this by validating the parent ACE SID count and SID length before using the SID during inheritance. Compute the inherited ACE size from the copied SID so the size matches the bounded destination SID. Reject the inherited DACL if size accumulation would overflow smb_acl.size or the security descriptor allocation size.

AnalysisAI

Out-of-bounds read and buffer overflow in the Linux kernel's ksmbd SMB server allows authenticated remote attackers to corrupt memory or read past allocated buffers by sending a malformed inheritable ACE with an inflated num_subauth value. The flaw resides in smb_inherit_dacl() and smb_set_ace(), where the variable-length SID is not bounds-checked during DACL inheritance, enabling heap corruption with potential for remote code execution against any SMB server using ksmbd. EPSS is very low (0.02%) and no public exploit identified at time of analysis, but the vendor patch is available across multiple stable branches.

Technical ContextAI

ksmbd is the in-kernel SMB3 file server introduced in Linux 5.15 as an alternative to user-space Samba, handling SMB authentication, file sharing, and Windows-style ACL semantics directly in kernel space. The bug is a classic buffer overread/overflow during NT security descriptor (DACL) inheritance: each Access Control Entry (ACE) embeds a SID structure whose total length depends on num_subauth, and smb_inherit_dacl() validates the fixed SID header but trusts the attacker-controlled subauthority count when computing offsets into the parent ACE buffer via compare_sids() and when sizing the inherited ACE in smb_set_ace(). The CPE strings cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:* confirm the upstream Linux kernel tree is affected, and the 'Buffer Overflow' tag along with the description aligns with CWE-125 (Out-of-bounds Read) and CWE-787 (Out-of-bounds Write) class weaknesses, even though no CWE is explicitly assigned.

RemediationAI

Vendor-released patch: upgrade to Linux 6.12.88, 6.18.30, 7.0.7, 7.1-rc3, or any later stable kernel containing the four upstream commits referenced at https://git.kernel.org/stable/c/47c6e37a77b10e74f70d845ba4ea5d3cafa00336, https://git.kernel.org/stable/c/1aa60fea7f637c071f529ad6784aecca2f2f0c5f, https://git.kernel.org/stable/c/c1d95c995d5bcb24b639200a899eda59cb1e6d64, and https://git.kernel.org/stable/c/996454bc0da84d5a1dedb1a7861823087e01a7ae. If immediate kernel patching is not feasible, unload the ksmbd kernel module (modprobe -r ksmbd) and switch to user-space Samba where SMB serving is still required - this fully eliminates exposure but requires reconfiguration of shares and authentication. As a narrower mitigation, restrict ksmbd to trusted authenticated users only by tightening share ACLs and removing write/xattr permissions for low-trust accounts, and block inbound TCP/445 from untrusted networks at the firewall; the trade-off is loss of legitimate write capability for restricted users until the kernel is updated.

Vendor StatusVendor

SUSE

Severity: High
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed

Share

CVE-2026-43490 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy