CVE-2026-43350
Received Received - Intake
Linux Kernel SID Parsing Buffer Overflow

Publication date: 2026-05-08

Last updated on: 2026-06-01

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: smb: client: require a full NFS mode SID before reading mode bits parse_dacl() treats an ACE SID matching sid_unix_NFS_mode as an NFS mode SID and reads sid.sub_auth[2] to recover the mode bits. That assumes the ACE carries three subauthorities, but compare_sids() only compares min(a, b) subauthorities. A malicious server can return an ACE with num_subauth = 2 and sub_auth[] = {88, 3}, which still matches sid_unix_NFS_mode and then drives the sub_auth[2] read four bytes past the end of the ACE. Require num_subauth >= 3 before treating the ACE as an NFS mode SID. This keeps the fix local to the special-SID mode path without changing compare_sids() semantics for the rest of cifsacl.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-08
Last Modified
2026-06-01
Generated
2026-06-19
AI Q&A
2026-05-08
EPSS Evaluated
2026-06-18
NVD
CVE-2026-43350
EUVD
EUVD-2026-28634
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linux linux_kernel *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's SMB client code related to handling NFS mode SIDs (Security Identifiers). The function parse_dacl() expects an Access Control Entry (ACE) to have three subauthorities when interpreting it as an NFS mode SID. However, compare_sids() only compares the minimum number of subauthorities between two SIDs, allowing a malicious server to craft an ACE with only two subauthorities that still matches the expected SID pattern. This causes parse_dacl() to read beyond the intended memory boundary (reading sub_auth[2] which does not exist), potentially leading to memory corruption or information disclosure. The fix requires that the ACE must have at least three subauthorities before it is treated as an NFS mode SID, preventing the out-of-bounds read.

Impact Analysis

This vulnerability can allow a malicious SMB server to cause the Linux kernel SMB client to read memory beyond the intended bounds. This out-of-bounds read could lead to memory corruption or information disclosure, potentially compromising system stability or leaking sensitive information. An attacker controlling the SMB server could exploit this to disrupt normal operations or gain unauthorized access to data.

Mitigation Strategies

The vulnerability has been resolved in the Linux kernel by requiring that the number of subauthorities (num_subauth) be at least 3 before treating an ACE as an NFS mode SID. To mitigate this vulnerability, you should update your Linux kernel to a version that includes this fix.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-43350. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart