VYPR
High severity (CVSS 8.8) · NVD Advisory · Published May 15, 2026 · Updated May 20, 2026

CVE-2026-43490

Description

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: validate inherited ACE SID length

smb_inherit_dacl() walks the parent directory DACL loaded from the security descriptor xattr. It verifies that each ACE contains the fixed SID header before using it, but does not verify that the variable-length SID described by sid.num_subauth is fully contained in the ACE.

A malformed inheritable ACE can advertise more subauthorities than are present in the ACE. compare_sids() may then read past the ACE. smb_set_ace() also clamps the copied destination SID, but used the unchecked source SID count to compute the inherited ACE size. That could advance the temporary inherited ACE buffer pointer and nt_size accounting past the allocated buffer.

Fix this by validating the parent ACE SID count and SID length before using the SID during inheritance. Compute the inherited ACE size from the copied SID so the size matches the bounded destination SID. Reject the inherited DACL if size accumulation would overflow smb_acl.size or the security descriptor allocation size.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Missing SID length validation in ksmbd's DACL inheritance logic allows out-of-bounds reads and writes, leading to local privilege escalation in the Linux kernel.

Vulnerability

Overview

In the Linux kernel's ksmbd (SMB/CIFS server) implementation, the smb_inherit_dacl() function lacked proper validation of the variable-length Security Identifier (SID) within inherited Access Control Entries (ACEs). When inheriting a DACL from a parent directory, the function verified only the fixed SID header but not that the number of subauthorities (sid.num_subauth) fit within the ACE boundaries [1] [2]. An attacker with write access to a parent directory's security descriptor could craft an inheritable ACE whose SID claims more subauthorities than actually present, causing compare_sids() to read past the ACE during subsequent operations [3].

Attack

Vector and Requirements

Exploiting this flaw requires the ability to write a malformed security descriptor xattr on the filesystem that ksmbd serves, which typically necessitates local access or the ability to create files/directories with specific security attributes. The vulnerability is triggered during directory traversal when an inheritable DACL is propagated from a parent to a child object, allowing the crafted SID length to go unchecked [4]. No further authentication beyond standard filesystem permissions is needed once the malformed descriptor is in place.

Impact

A successful exploit could enable an unprivileged local attacker to cause kernel memory corruption by advancing the inherited ACE buffer pointer and nt_size accounting past the allocated buffer, or to read kernel memory out of bounds (OOB) when compare_sids() is called. This opens the door to escalation of privileges beyond the user's assigned permissions, potentially compromising the entire system [1]. The CVSS v3 score of 8.8 (High) reflects the high impact on confidentiality, integrity, and availability.

Mitigation

Status

The Linux kernel upstream has resolved the issue by validating the parent ACE SID count and length before using the SID during inheritance, computing the inherited ACE size from the copied (bounded) SID, and rejecting inherited DACLs that would cause size overflow [1] [3]. The fix is incorporated in the stable kernel branches tracked by commits 47c6e37a77b1, 1aa60fea7f63, c1d95c995d5b, and 996454bc0da8. Users should update to a kernel version containing any of these commits to mitigate the vulnerability.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 4

Vulnerability mechanics

Root cause

"Missing validation of the variable-length SID subauthority count in inherited ACEs allows out-of-bounds reads and writes in ksmbd's DACL inheritance logic."

Attack vector

An attacker with write access to a parent directory's security descriptor xattr can craft a malformed inheritable ACE whose SID header advertises more subauthorities (num_subauth) than are actually present in the ACE buffer. When smb_inherit_dacl() processes this ACE, compare_sids() reads past the ACE boundary, and smb_set_ace() uses the unchecked source SID count to compute the inherited ACE size, potentially advancing the temporary buffer pointer and nt_size beyond the allocated security descriptor. The attack requires the ability to set an extended attribute (security.NTACL) on a directory that is shared via ksmbd.

Affected code

The vulnerability resides in the smb_inherit_dacl() function which walks the parent directory DACL loaded from the security descriptor xattr. The function verifies the fixed ACE header but fails to validate that the variable-length SID (num_subauth) is fully contained within the ACE before calling compare_sids() and smb_set_ace().

What the fix does

The patches add validation of the parent ACE's SID subauthority count and total SID length before the SID is used during inheritance [patch_id=424481, patch_id=424480]. The inherited ACE size is now computed from the copied (bounded) destination SID rather than the unchecked source SID count, preventing buffer overflows during the size accumulation loop [patch_id=424483]. Additionally, the patches reject the inherited DACL if the size accumulation would overflow smb_acl.size or exceed the security descriptor allocation size [patch_id=424482].
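The commit description quoted above and the three-part fix summary in this section describe one containment check and one size computation. The C program below is an added illustration written for this page, not the ksmbd source: it parses the on-disk ACE/SID layout from a byte buffer, applies the containment check that the advisory says was missing (the declared num_subauth must fit inside the ACE's own size field), derives each inherited ACE's size from the validated SID rather than from the unchecked count, and rejects the inherited DACL when the running total would overflow a 16-bit ACL size field or the allocation. The function and constant names (validate_ace, inherit_dacl_size, the ACE_ERR_* codes) and the sample ACEs are this example's own assumptions, as is the simplified walk over the ACE list.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Wire layout of an NT ACE and its SID (little-endian) as stored in the
 * security descriptor xattr. Constants mirror the format, not kernel headers. */
#define ACE_HDR_LEN             8   /* type(1) flags(1) size(2) access_mask(4) */
#define SID_HDR_LEN             8   /* revision(1) num_subauth(1) authority(6) */
#define SUBAUTH_LEN             4
#define SID_MAX_SUB_AUTHORITIES 15
#define ACE_INHERIT_FLAGS       0x03  /* OBJECT_INHERIT | CONTAINER_INHERIT */

/* Result codes for this example: header inconsistent, count above the SID
 * maximum, SID longer than the ACE that holds it, inherited DACL too large. */
enum { ACE_OK = 0, ACE_ERR_HDR = -1, ACE_ERR_SUBAUTH_COUNT = -2,
       ACE_ERR_SID_TRUNCATED = -3, ACE_ERR_ACL_OVERFLOW = -4 };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Check the ACE at ace[0..avail) and confirm its SID is fully contained in
 * it. On success *sid_len is the number of SID bytes actually present. */
int validate_ace(const uint8_t *ace, size_t avail, size_t *sid_len)
{
    if (avail < ACE_HDR_LEN + SID_HDR_LEN)
        return ACE_ERR_HDR;
    uint16_t size = rd16(ace + 2);
    if (size < ACE_HDR_LEN + SID_HDR_LEN || size > avail)
        return ACE_ERR_HDR;
    uint8_t num_subauth = ace[ACE_HDR_LEN + 1];
    if (num_subauth > SID_MAX_SUB_AUTHORITIES)
        return ACE_ERR_SUBAUTH_COUNT;
    /* The missing check: the declared count must fit inside the ACE's size. */
    size_t need = SID_HDR_LEN + (size_t)num_subauth * SUBAUTH_LEN;
    if (need > (size_t)size - ACE_HDR_LEN)
        return ACE_ERR_SID_TRUNCATED;
    *sid_len = need;
    return ACE_OK;
}

/* Walk a parent DACL and compute the size of the DACL a child inherits.
 * Each inherited ACE's size comes from the validated SID, and the total is
 * rejected if it would overflow the 16-bit ACL size or the allocation. */
int inherit_dacl_size(const uint8_t *aces, size_t aces_len, unsigned num_aces,
                      size_t alloc_limit, uint16_t *out_size)
{
    size_t off = 0, total = 0;
    int inherited = 0;
    for (unsigned i = 0; i < num_aces; i++) {
        size_t sid_len;
        int rc = validate_ace(aces + off, aces_len - off, &sid_len);
        if (rc != ACE_OK)
            return rc;
        if (aces[off + 1] & ACE_INHERIT_FLAGS) {
            size_t new_size = ACE_HDR_LEN + sid_len;  /* bounded SID, not the claim */
            if (total + new_size > UINT16_MAX || total + new_size > alloc_limit)
                return ACE_ERR_ACL_OVERFLOW;
            total += new_size;
            inherited++;
        }
        off += rd16(aces + off + 2);  /* validated: size <= remaining bytes */
    }
    *out_size = (uint16_t)total;
    return inherited;
}

/* Constructed test data: one ACE whose SID header claims `declared`
 * subauthorities while only `present` of them are actually emitted. */
static size_t build_ace(uint8_t *buf, uint8_t flags, uint8_t declared, uint8_t present)
{
    size_t len = ACE_HDR_LEN + SID_HDR_LEN + (size_t)present * SUBAUTH_LEN;
    memset(buf, 0, len);                  /* type 0 = ACCESS_ALLOWED, mask 0 */
    buf[1] = flags;
    buf[2] = (uint8_t)len; buf[3] = (uint8_t)(len >> 8);
    buf[ACE_HDR_LEN] = 1;                 /* SID revision */
    buf[ACE_HDR_LEN + 1] = declared;
    buf[ACE_HDR_LEN + 7] = 5;             /* NT authority: S-1-5-... */
    for (uint8_t i = 0; i < present; i++)
        buf[ACE_HDR_LEN + SID_HDR_LEN + i * SUBAUTH_LEN] = (uint8_t)(1 + i); /* constructed RIDs */
    return len;
}

/* Parent DACL of two inheritable ACEs: a 2-subauthority SID, then a SID that
 * declares 5 subauthorities but carries `present`. Returns the inherited
 * DACL size on success, or the negative error code. */
int run_demo(uint8_t present, size_t alloc_limit)
{
    uint8_t buf[128];
    uint16_t size = 0;
    size_t n = build_ace(buf, 0x02, 2, 2);           /* CONTAINER_INHERIT */
    n += build_ace(buf + n, 0x01, 5, present);       /* OBJECT_INHERIT */
    int rc = inherit_dacl_size(buf, n, 2, alloc_limit, &size);
    return rc < 0 ? rc : (int)size;
}

int main(void)
{
    printf("well-formed: %d\n", run_demo(5, 128));        /* 24 + 36 = 60 */
    printf("truncated SID: %d\n", run_demo(1, 128));      /* ACE_ERR_SID_TRUNCATED */
    printf("allocation too small: %d\n", run_demo(5, 32)); /* ACE_ERR_ACL_OVERFLOW */
    return 0;
}
```

The malformed case is exactly the shape the advisory describes: the ACE's size field is honest (20 bytes) but the SID header inside it claims five subauthorities (28 bytes of SID), so any reader that trusts num_subauth walks 16 bytes past the ACE. Checking the claim against the enclosing size field before touching the SID, and accounting with the validated length afterwards, closes both the read and the size-accumulation problem.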

Preconditions

  • Input: Attacker must be able to set the security.NTACL extended attribute on a directory shared by ksmbd, containing a malformed inheritable ACE with an inflated SID subauthority count.
  • Auth: Attacker needs write access to the parent directory's security descriptor xattr on the server filesystem.

Generated on May 19, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 4

News mentions: 0