Skip to main content

Linux Kernel EUVDEUVD-2026-28668

| CVE-2026-43362 HIGH
Out-of-bounds Write (CWE-787)
2026-05-08 Linux GHSA-3mqh-w39c-q3pj
8.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 11, 2026 - 08:28 vuln.today
CVSS changed
May 11, 2026 - 08:22 NVD
8.1 (HIGH)
Patch available
May 08, 2026 - 16:18 EUVD
CVE Published
May 08, 2026 - 14:21 nvd
HIGH 8.1
CVE Published
May 08, 2026 - 14:21 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

smb: client: fix in-place encryption corruption in SMB2_write()

SMB2_write() places write payload in iov[1..n] as part of rq_iov. smb3_init_transform_rq() pointer-shares rq_iov, so crypt_message() encrypts iov[1] in-place, replacing the original plaintext with ciphertext. On a replayable error, the retry sends the same iov[1] which now contains ciphertext instead of the original data, resulting in corruption.

The corruption is most likely to be observed when connections are unstable, as reconnects trigger write retries that re-send the already-encrypted data.

This affects SFU mknod, MF symlinks, etc. On kernels before 6.10 (prior to the netfs conversion), sync writes also used this path and were similarly affected. The async write path wasn't unaffected as it uses rq_iter which gets deep-copied.

Fix by moving the write payload into rq_iter via iov_iter_kvec(), so smb3_init_transform_rq() deep-copies it before encryption.

AnalysisAI

In-place encryption in the Linux kernel's SMB client corrupts write payloads during retry attempts, potentially causing data integrity loss and denial of service when SMB connections experience transient failures. The flaw affects SMB3 encrypted writes where the encryption process modifies the original buffer in place; on replayable errors (like network interruptions), retries re-send already-encrypted data as if it were plaintext, resulting in double-encryption and corrupted writes. This particularly impacts special file operations (SFU mknod, MF symlinks) and sync writes on pre-6.10 kernels. Patches are available across multiple stable kernel branches (6.6.130, 6.12.78, 6.18.19, 6.19.9, 7.0). EPSS score is very low (0.01%), indicating minimal observed exploitation likelihood, and no active exploitation or public POC is documented.

Technical ContextAI

The vulnerability exists in the SMB client implementation (fs/smb/client/) where SMB2_write() constructs request I/O vectors with write payloads placed in iov[1..n]. The encryption function smb3_init_transform_rq() performs a pointer-share rather than deep-copy of rq_iov, causing crypt_message() to encrypt the buffer in place. On network errors triggering retry logic (common during reconnects or unstable connections), the SMB client resubmits the same iov structure, which now contains ciphertext instead of plaintext. This results in double-encryption where encrypted data is encrypted again and sent to the server, which cannot decrypt it properly, causing write failures or corrupted file data. The issue stems from improper buffer management in the encryption layer where the retry path lacks awareness that the buffer has been mutated. The fix migrates write payloads from direct iov array usage to iov_iter_kvec(), forcing deep-copy semantics in the encryption path. This affects kernels with SMB3 encryption support for special file operations throughout the codebase history (since initial SMB3 implementation commit 1da177e4c3f4), with sync write paths also vulnerable before the 6.10 netfs conversion.

RemediationAI

Update to patched Linux kernel versions: 7.0 or later for mainline, or stable branches 6.19.9, 6.18.19, 6.12.78, or 6.6.130 depending on your kernel series. Patches are available from kernel.org stable git at https://git.kernel.org/stable/c/438e77435aee2894d5edf90be5c87004a57f6258 (6.6 series), https://git.kernel.org/stable/c/d78840a6a38d312dc1a51a65317bb67e46f0b929 (6.12 series), https://git.kernel.org/stable/c/52327268224fb9ccc7ecfbbdfdfff54b6e93c518 (6.18 series), https://git.kernel.org/stable/c/92e64f1852f455f57d0850989e57c30d7fac7d95 (6.19 series), and https://git.kernel.org/stable/c/aea5e37388a080361110ab5790f57ae0af383650 (mainline). If immediate patching is not feasible, temporary mitigation involves disabling SMB3 encryption (seal=0 mount option), though this reduces security by transmitting data in cleartext and is only appropriate for trusted networks. This workaround trades confidentiality for integrity but eliminates the in-place encryption corruption issue. Note that disabling encryption may violate security policies and should only be temporary until patching. Organizations relying on special file operations over SMB (Unix extensions, symlinks) should prioritize patching as no effective workaround exists for those scenarios without disabling encryption entirely.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-28668 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy