VYPR
High severity 8.8 · NVD Advisory · Published May 24, 2012 · Updated Apr 29, 2026

CVE-2011-3191


Description

A signedness error in the Linux kernel's CIFS client allows a malicious server to cause memory corruption via a crafted directory listing response.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability

A signedness error exists in the CIFSFindNext function in fs/cifs/cifssmb.c of the Linux kernel before version 3.1. The name_len variable is declared as a signed int, but it is assigned from resume_name_len, an unsigned value that can be controlled by a remote CIFS server. If the server sends an excessively large value, it becomes negative when cast to signed, bypassing the PATH_MAX check. This negative value is then used as the length parameter in a memcpy call, causing memory corruption. [1][2][4]

Exploitation

An attacker operating a malicious CIFS server sends a specially crafted response to a directory read request, setting resume_name_len to a very large 32-bit value. No authentication is required if the client connects to the attacker's server. The client's kernel processes the response, triggering the signedness issue and leading to memory corruption. [2]

Impact

Successful exploitation results in memory corruption, which can cause a denial of service (system crash) or potentially allow arbitrary code execution with kernel privileges. The exact impact depends on the memory layout and the attacker's ability to control the corrupted data. [1][2]

Mitigation

The vulnerability is fixed in Linux kernel version 3.1 via commit 9438fabb73eb48055b58b89fc51e0bc4db22fabd, which changes name_len to an unsigned type. [4] Users should update to kernel 3.1 or later. No workaround is available. The CVE is not listed on the CISA Known Exploited Vulnerabilities catalog.
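
The signed and unsigned forms of the length check described under Vulnerability and Mitigation, modeled in user-space C as an added example that is not the kernel's code. The names model_req, signed_check, unsigned_check, copy_resume_name and MODEL_PATH_MAX are hypothetical, the input value is constructed, and the signed variant only reports the length memcpy would receive instead of copying.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MODEL_PATH_MAX 4096   /* assumption: Linux PATH_MAX value */

/* Hypothetical stand-in for the request buffer that receives the name. */
struct model_req { char resume_file_name[MODEL_PATH_MAX]; };

/* Pre-fix pattern: server-supplied length stored in a signed int.
 * Returns 1 if the bound check accepts it and reports the length that
 * memcpy would receive; no copy is performed here. */
int signed_check(uint32_t wire_len, size_t *memcpy_len)
{
    int name_len = (int)wire_len;    /* >= 0x80000000 wraps negative on gcc/clang */
    if (name_len >= MODEL_PATH_MAX)
        return 0;
    *memcpy_len = (size_t)name_len;  /* negative int converts to a huge size_t */
    return 1;
}

/* Post-fix pattern: same check, with name_len unsigned as in the patch. */
int unsigned_check(uint32_t wire_len, size_t *memcpy_len)
{
    unsigned int name_len = wire_len;
    if (name_len >= MODEL_PATH_MAX)
        return 0;
    *memcpy_len = name_len;
    return 1;
}

/* Copy guarded by the unsigned check; returns 0 on success, -1 on reject. */
int copy_resume_name(struct model_req *req, const char *name, uint32_t wire_len)
{
    size_t n;
    if (!unsigned_check(wire_len, &n))
        return -1;
    memcpy(req->resume_file_name, name, n);
    return 0;
}

int main(void)
{
    size_t n = 0;
    int ok = signed_check(0xFFFFFFF0u, &n);   /* constructed sample value */
    printf("signed: accepted=%d memcpy_len=%zu\n", ok, n);
    printf("unsigned: accepted=%d\n", unsigned_check(0xFFFFFFF0u, &n));
    return 0;
}
```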

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.


Patches

9438fabb73eb

cifs: fix possible memory corruption in CIFSFindNext

https://github.com/torvalds/linux · Jeff Layton · Aug 23, 2011 · via nvd-ref
1 file changed · +2 -1
  • fs/cifs/cifssmb.c +2 -1 modified
    @@ -4079,7 +4079,8 @@ int CIFSFindNext(const int xid, struct cifs_tcon *tcon,
     	T2_FNEXT_RSP_PARMS *parms;
     	char *response_data;
     	int rc = 0;
    -	int bytes_returned, name_len;
    +	int bytes_returned;
    +	unsigned int name_len;
     	__u16 params, byte_count;
     
     	cFYI(1, "In FindNext");
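
Review bot: The new "unsigned int name_len;" declaration carries the whole fix with nothing in the code saying why the type matters, so a later cleanup could fold it back into "int bytes_returned, name_len;" and reintroduce the bug. Add a short comment at the declaration noting that name_len holds a server-supplied length and must stay unsigned for the bound check to reject oversized values. The bound check and the memcpy are outside this hunk, so it is also worth confirming in the full function that the comparison is not made against a signed expression that would convert name_len back.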
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
