CVE-2026-43350
Description
In the Linux kernel, the following vulnerability has been resolved:
smb: client: require a full NFS mode SID before reading mode bits
parse_dacl() treats an ACE SID matching sid_unix_NFS_mode as an NFS mode SID and reads sid.sub_auth[2] to recover the mode bits.
That assumes the ACE carries three subauthorities, but compare_sids() only compares min(a, b) subauthorities. A malicious server can return an ACE with num_subauth = 2 and sub_auth[] = {88, 3}, which still matches sid_unix_NFS_mode and then drives the sub_auth[2] read four bytes past the end of the ACE.
Require num_subauth >= 3 before treating the ACE as an NFS mode SID. This keeps the fix local to the special-SID mode path without changing compare_sids() semantics for the rest of cifsacl.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel's SMB client, a missing subauthority count check in parse_dacl() allows a malicious server to cause an out-of-bounds read when handling NFS mode SIDs, potentially leading to information disclosure.
Vulnerability
Details
The vulnerability resides in the Linux kernel's CIFS/SMB client, in the parse_dacl() function. When processing an Access Control Entry (ACE) whose Security Identifier (SID) matches sid_unix_NFS_mode (S-1-5-88-3-<mode>, the special SID used to carry NFS/POSIX mode bits), the function reads sid.sub_auth[2] to recover the mode bits. That read assumes the SID carries three sub-authorities, but compare_sids() compares only min(a, b) sub-authorities and never checks that the two counts agree, so a crafted ACE with only two sub-authorities ({88, 3}) still compares equal to the template. Accessing sub_auth[2] then reads the four bytes immediately past the end of the ACE the server actually sent [1][2][3][4].
Exploitation
The attacker is a malicious (or impersonated) SMB server that returns a crafted ACE in the security descriptor of a file on a share a Linux client has mounted. The vulnerable code is the path that derives POSIX mode bits from the special NFS mode SID, so the client must be running the kernel CIFS client (cifs.ko) with ACL-to-mode mapping enabled (the modefromsid mount option) and must fetch the file's ACL, which ordinary metadata lookups such as stat do on such mounts. No client-side privilege or user interaction beyond using the mount is required; the server controls the ACL bytes and only needs the client to have established a normal SMB session with it.
Impact
Successful exploitation yields an out-of-bounds read of the four bytes that follow the ACE in the kernel's ACL response buffer. The value is consumed as mode bits rather than returned verbatim, so any disclosure is limited to what survives into the file's reported permissions; the advisory nonetheless treats it as a kernel memory leak that could help defeat KASLR or similar mitigations. The vulnerability is rated High with a CVSS v3 score of 7.6 for its confidentiality impact. There is no evidence of remote code execution, but information disclosure could facilitate further attacks.
Mitigation
The fix requires num_subauth >= 3 before an ACE is treated as an NFS mode SID, keeping the change local to the special-SID mode path without altering compare_sids() for the rest of cifsacl [1][2][3][4]. Users should update to a kernel containing the commit (the stable branch commits are listed under References) or apply the patch. There is no workaround short of not mounting untrusted SMB servers, or at least not mounting them with the options that derive mode bits from the server's ACL.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- git.kernel.org/stable/c/2757ad3e4b6f9e0fed4c7739594e702abc5cab21 (NVD: Patch)
- git.kernel.org/stable/c/38a69f08ee82c450d3e4168707fff2e317dc3ff7 (NVD: Patch)
- git.kernel.org/stable/c/b53b8e98c23310294fc45fc686db5ee860311896 (NVD: Patch)
- git.kernel.org/stable/c/c8eef12af1cc73031639ea7cf16e0b10e2536b0b (NVD: Patch)
- git.kernel.org/stable/c/f8488c07bea2431ee12a6067d736578064fa46b4 (NVD: Patch)
News mentions
No linked articles in our index yet.