CVE-2026-43112
Undergoing Analysis Undergoing Analysis - In Progress
Out-of-Bounds Read in Linux Kernel SMB Client

Publication date: 2026-05-06

Last updated on: 2026-06-01

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: fs/smb/client: fix out-of-bounds read in cifs_sanitize_prepath When cifs_sanitize_prepath is called with an empty string or a string containing only delimiters (e.g., "/"), the current logic attempts to check *(cursor2 - 1) before cursor2 has advanced. This results in an out-of-bounds read. This patch adds an early exit check after stripping prepended delimiters. If no path content remains, the function returns NULL. The bug was identified via manual audit and verified using a standalone test case compiled with AddressSanitizer, which triggered a SEGV on affected inputs.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-06
Last Modified
2026-06-01
Generated
2026-06-16
AI Q&A
2026-05-06
EPSS Evaluated
2026-06-15
NVD
CVE-2026-43112
EUVD
EUVD-2026-27634
Affected Vendors & Products
Showing 14 associated CPEs
Vendor Product Version / Range
linux linux_kernel 5.16
linux linux_kernel 5.16
linux linux_kernel 5.16
linux linux_kernel 5.16
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 6.13 (inc) to 6.18.24 (exc)
linux linux_kernel From 6.19 (inc) to 6.19.14 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.83 (exc)
linux linux_kernel From 5.16.1 (inc) to 6.6.136 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's SMB client code, specifically in the function cifs_sanitize_prepath. When this function is called with an empty string or a string containing only delimiters such as "/", it attempts to read memory before the start of the string, causing an out-of-bounds read.

The issue arises because the code checks the character before the current cursor position without ensuring the cursor has advanced, leading to invalid memory access.

The fix involves adding an early exit after removing leading delimiters; if no valid path content remains, the function returns NULL to prevent the out-of-bounds read.

Impact Analysis

This vulnerability can cause the Linux kernel to perform an out-of-bounds read, which may lead to a segmentation fault (SEGV) and crash the affected system or process.

Such crashes can result in denial of service conditions, potentially disrupting normal operations that rely on SMB client functionality.

Detection Guidance

This vulnerability was identified via manual audit and verified using a standalone test case compiled with AddressSanitizer, which triggered a segmentation fault (SEGV) on affected inputs.

There are no specific commands or network detection methods provided to detect this vulnerability on your system or network.

Mitigation Strategies

The vulnerability has been resolved by a patch that adds an early exit check in the cifs_sanitize_prepath function to prevent out-of-bounds reads.

Immediate mitigation steps would include updating the Linux kernel to a version that includes this patch.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-43112. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart