Skip to main content

Linux Kernel SMB client EUVDEUVD-2026-28634

| CVE-2026-43350 HIGH
2026-05-08 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-xvvm-359f-6vgc
7.6
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
7.6 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H
SUSE
HIGH
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 11, 2026 - 08:27 vuln.today
CVSS changed
May 11, 2026 - 08:22 NVD
7.6 (HIGH)
Patch available
May 08, 2026 - 15:17 EUVD
CVE Published
May 08, 2026 - 14:16 nvd
HIGH 7.6
CVE Published
May 08, 2026 - 14:16 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

smb: client: require a full NFS mode SID before reading mode bits

parse_dacl() treats an ACE SID matching sid_unix_NFS_mode as an NFS mode SID and reads sid.sub_auth[2] to recover the mode bits.

That assumes the ACE carries three subauthorities, but compare_sids() only compares min(a, b) subauthorities. A malicious server can return an ACE with num_subauth = 2 and sub_auth[] = {88, 3}, which still matches sid_unix_NFS_mode and then drives the sub_auth[2] read four bytes past the end of the ACE.

Require num_subauth >= 3 before treating the ACE as an NFS mode SID. This keeps the fix local to the special-SID mode path without changing compare_sids() semantics for the rest of cifsacl.

AnalysisAI

Out-of-bounds read in Linux kernel SMB client allows malicious SMB servers to disclose kernel memory and potentially crash systems via crafted NFS mode SIDs in ACL responses. Affects Linux kernel 5.4+ with SMB client enabled. Vendor patches released for stable branches 6.6.136, 6.12.84, 6.18.25, 7.0.2, and mainline 7.1-rc1. EPSS score of 0.02% (5th percentile) indicates low observed exploitation probability, and no active exploitation confirmed (not in CISA KEV). Attack requires user interaction (mounting malicious SMB share), reducing practical risk for environments with controlled server connections.

Technical ContextAI

This vulnerability exists in the Linux kernel's CIFS/SMB client implementation, specifically in the parse_dacl() function that processes Access Control Entries (ACEs) from SMB server responses. The code handles special NFS mode SIDs (Security Identifiers) by extracting Unix permission bits from the third subauthority field (sub_auth[2]). The vulnerability arises from an assumption mismatch: parse_dacl() assumes NFS mode SIDs contain at least three subauthorities, but the compare_sids() function only validates the minimum number of subauthorities between compared SIDs. A malicious SMB server can craft an ACE with only two subauthorities that still matches the NFS mode SID pattern, causing the code to read four bytes beyond the ACE buffer boundary when accessing sub_auth[2]. This is a classic array bounds violation where input validation occurs at a different layer than the vulnerable access, creating a gap that attackers can exploit. The fix adds an explicit check requiring num_subauth >= 3 before treating an ACE as carrying NFS mode bits, ensuring the sub_auth[2] access is always within bounds.

RemediationAI

Upgrade to patched Linux kernel versions: 6.6.136+ for 6.6.x series, 6.12.84+ for 6.12.x series, 6.18.25+ for 6.18.x series, 7.0.2+ for 7.0.x series, or 7.1-rc1+ for mainline. Specific fix commits are available for backporting to custom kernels via the referenced git.kernel.org URLs. For systems where immediate kernel updates are not feasible, implement network-level controls to restrict SMB client connections to trusted, verified server infrastructure only-use firewall rules to block outbound SMB ports (445/TCP, 139/TCP) except to allowlisted internal servers, and disable opportunistic SMB mounting features if available. Note that blocking SMB entirely may disrupt legitimate file sharing workflows. Organizations using SELinux or AppArmor can create policies restricting which processes can initiate SMB mounts, limiting attack surface to privileged system services rather than user applications. These compensating controls significantly reduce exposure but do not eliminate the vulnerability-prioritize kernel patching. No known workaround fully mitigates the issue without patching, as the vulnerability is in core kernel code triggered during ACL parsing.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-28634 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy