Skip to main content

Linux Kernel EUVDEUVD-2026-27634

| CVE-2026-43112 HIGH
Out-of-bounds Read (CWE-125)
2026-05-06 Linux GHSA-24h4-22f3-65qc
8.8
CVSS 3.1 · Vendor: Linux
Share

Severity by source

Vendor (Linux) PRIMARY
8.8 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from Vendor (Linux).

CVSS VectorVendor: Linux

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 08, 2026 - 13:27 vuln.today
CVSS changed
May 08, 2026 - 13:22 NVD
8.8 (HIGH)
Patch available
May 06, 2026 - 11:31 EUVD
CVE Published
May 06, 2026 - 07:40 nvd
HIGH 8.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

fs/smb/client: fix out-of-bounds read in cifs_sanitize_prepath

When cifs_sanitize_prepath is called with an empty string or a string containing only delimiters (e.g., "/"), the current logic attempts to check *(cursor2 - 1) before cursor2 has advanced. This results in an out-of-bounds read.

This patch adds an early exit check after stripping prepended delimiters. If no path content remains, the function returns NULL.

The bug was identified via manual audit and verified using a standalone test case compiled with AddressSanitizer, which triggered a SEGV on affected inputs.

AnalysisAI

Out-of-bounds read in Linux kernel CIFS client allows network attackers to achieve high-severity impacts including potential code execution, information disclosure, or denial of service when users access maliciously crafted SMB shares. The vulnerability resides in cifs_sanitize_prepath() which improperly handles empty strings or delimiter-only paths, triggering memory access violations confirmed via AddressSanitizer testing. Vendor patches available across multiple stable kernel branches (6.6.136, 6.12.83, 6.18.24, 6.19.14, 7.0). EPSS score of 0.02% (5th percentile) indicates low predicted exploitation probability despite high CVSS 8.8, and no active exploitation or public POC identified at time of analysis.

Technical ContextAI

This vulnerability affects the CIFS (Common Internet File System) client implementation in the Linux kernel's SMB subsystem (fs/smb/client). The cifs_sanitize_prepath() function performs path sanitization for SMB/CIFS mount operations but contains unsafe pointer arithmetic. When processing empty strings or paths containing only delimiter characters (e.g., '/'), the function attempts to dereference (cursor2 - 1) before cursor2 has been advanced beyond the initial position, resulting in an out-of-bounds memory read. This is a classic buffer underflow scenario where boundary checks occur after pointer manipulation. The vulnerability was discovered through manual code audit and reproduced using AddressSanitizer, a memory error detection tool that confirmed SEGV (segmentation violation) on malformed inputs. The affected code path is triggered during SMB share mounting operations when the kernel parses user-supplied path strings. CPE strings indicate broad impact across Linux kernel versions dating back to the initial git commit (1da177e4c3f4), suggesting long-standing code inherited from early CIFS implementation.

RemediationAI

Upgrade to patched kernel versions: 6.6.136+ for 6.6 LTS branch, 6.12.83+ for 6.12 stable, 6.18.24+ for 6.18 stable, 6.19.14+ for 6.19 stable, or 7.0+ for mainline. Specific fix commits available at kernel.org stable tree (78ec5bf2f589, 5d4fe469fe7d, 49b1ce6d7cfb, 2d29214448ec, 86f9c23e0814). Distribution-specific updates should be applied through native package managers (apt, yum, zypper) which will incorporate these upstream fixes into vendor kernels. Compensating controls for environments unable to immediately patch: restrict CIFS/SMB mount operations to trusted network segments only via firewall rules blocking SMB ports (445/TCP, 139/TCP) from untrusted networks; implement mount restrictions using kernel module parameters or AppArmor/SELinux policies to prevent unprivileged users from mounting external CIFS shares; disable CIFS kernel module entirely (modprobe blacklist) if SMB client functionality is not required-note this prevents Windows file share access and may break workflows dependent on SMB. Consider mandating VPN for all external SMB access to controlled infrastructure. Advisory reference: https://nvd.nist.gov/vuln/detail/CVE-2026-43112 and linked kernel.org commits.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-27634 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy