CVE-2026-43362
Status: Received - Intake
In-Place Encryption Write Corruption in Linux Kernel SMB Client (SMB2_write())

Publication date: 2026-05-08

Last updated on: 2026-05-08

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

smb: client: fix in-place encryption corruption in SMB2_write()

SMB2_write() places write payload in iov[1..n] as part of rq_iov. smb3_init_transform_rq() pointer-shares rq_iov, so crypt_message() encrypts iov[1] in-place, replacing the original plaintext with ciphertext. On a replayable error, the retry sends the same iov[1] which now contains ciphertext instead of the original data, resulting in corruption.

The corruption is most likely to be observed when connections are unstable, as reconnects trigger write retries that re-send the already-encrypted data. This affects SFU mknod, MF symlinks, etc. On kernels before 6.10 (prior to the netfs conversion), sync writes also used this path and were similarly affected. The async write path wasn't affected as it uses rq_iter which gets deep-copied.

Fix by moving the write payload into rq_iter via iov_iter_kvec(), so smb3_init_transform_rq() deep-copies it before encryption.
CVSS Scores: N/A
EPSS Scores: N/A (probability and percentile not yet evaluated)

Meta Information
Published: 2026-05-08
Last Modified: 2026-05-08
Generated: 2026-05-09
AI Q&A: 2026-05-08
EPSS Evaluated: N/A
References: NVD, EUVD
Affected Vendors & Products (1 associated CPE)
Vendor: linux
Product: linux_kernel
Version / Range: to 6.10 (exc)
CWE: CWE-UNKNOWN
KEV: not listed
AI Powered Q&A
Can you explain this vulnerability to me?

This is a data-integrity bug in the Linux kernel's SMB client, in SMB2_write(). The function places the write payload in iov[1..n] of the request's rq_iov, and smb3_init_transform_rq() shares those pointers rather than copying the data. On a session that uses SMB3 encryption, crypt_message() therefore encrypts iov[1] in place and the caller's plaintext is overwritten with ciphertext. If the send then fails with an error the client treats as replayable, the retry resends the same iov[1], which no longer holds the original data, and the server stores the wrong bytes. This is not a memory-safety issue: nothing is written outside a buffer; the bytes inside the buffer are simply no longer the ones the caller asked to write.

The problem surfaces mostly on unstable connections, because reconnects trigger write retries. The async write path is not affected, since it carries its payload in rq_iter, which smb3_init_transform_rq() deep-copies before encrypting. The fix moves the SMB2_write() payload into rq_iter via iov_iter_kvec() so that it is copied in the same way.
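The following userspace C model, added here as an illustration and not code from the kernel or from this advisory, shows the mechanism described in the CVE text and in the explanation above: a transform step that encrypts the caller's buffer in place, a send that fails once with a replayable error, and a retry that re-encrypts and resends what is now ciphertext, next to the fixed shape where the transform works on a deep copy. Names such as kvec, crypt_message, smb2_write_buggy and smb2_write_fixed echo the kernel's but are stand-ins; the cipher is a per-byte add chosen so that encrypting twice does not cancel out (real SMB3 encryption uses AES-GCM/CCM), the payload and the flaky transport are constructed samples.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of the SMB2_write() retry bug. Names mirror the kernel's
 * (kvec, rq_iov, crypt_message) but nothing here is kernel code. */

#define PAYLOAD_MAX 64
#define MAX_RETRIES 3

struct kvec {
    void  *iov_base;
    size_t iov_len;
};

/* Stand-in for crypt_message(). The real code uses AES-GCM/CCM; the property
 * that matters is that it transforms the buffer IN PLACE. A per-byte add is
 * used (not XOR) so that encrypting twice does not undo itself. */
static void crypt_message(uint8_t *buf, size_t len, uint8_t key)
{
    for (size_t i = 0; i < len; i++)
        buf[i] = (uint8_t)(buf[i] + key);
}

static void decrypt_message(uint8_t *buf, size_t len, uint8_t key)
{
    for (size_t i = 0; i < len; i++)
        buf[i] = (uint8_t)(buf[i] - key);
}

/* Constructed server + flaky transport: the first failures_left sends fail
 * with a replayable error (a reconnect); later sends are delivered. */
struct server {
    uint8_t received[PAYLOAD_MAX];
    size_t  len;
    int     failures_left;
};

static int send_request(struct server *srv, const uint8_t *wire, size_t len, uint8_t key)
{
    if (srv->failures_left > 0) {
        srv->failures_left--;
        return -1;                     /* caller treats this as retryable */
    }
    memcpy(srv->received, wire, len);
    srv->len = len;
    decrypt_message(srv->received, len, key);   /* server decrypts exactly once */
    return 0;
}

/* Buggy shape: rq_iov[1] points straight at the caller's payload and the
 * transform step encrypts iov[1] where it lives. */
static int smb2_write_buggy(struct server *srv, uint8_t *payload, size_t len, uint8_t key)
{
    struct kvec iov[2] = { { NULL, 0 }, { payload, len } };  /* iov[0]: header, omitted */

    for (int attempt = 0; attempt < MAX_RETRIES; attempt++) {
        /* pointer-shared rq_iov: this clobbers the caller's plaintext */
        crypt_message(iov[1].iov_base, iov[1].iov_len, key);
        if (send_request(srv, iov[1].iov_base, iov[1].iov_len, key) == 0)
            return 0;
        /* replayable error: the retry reuses iov[1], which now holds ciphertext */
    }
    return -1;
}

/* Fixed shape: the transform stage works on its own deep copy of the payload
 * (what rq_iter gets), so a retry starts again from intact plaintext. */
static int smb2_write_fixed(struct server *srv, const uint8_t *payload, size_t len, uint8_t key)
{
    uint8_t scratch[PAYLOAD_MAX];

    for (int attempt = 0; attempt < MAX_RETRIES; attempt++) {
        memcpy(scratch, payload, len);        /* deep copy; payload untouched */
        crypt_message(scratch, len, key);
        if (send_request(srv, scratch, len, key) == 0)
            return 0;
    }
    return -1;
}

/* True if the bytes the server ends up with equal the bytes the caller wrote.
 * transient_failures = 0 is a clean link, 1 is one reconnect-style retry. */
static bool write_roundtrip_ok(bool fixed, int transient_failures)
{
    static const uint8_t original[] = "SFU mknod payload (constructed sample)";
    const size_t len = sizeof original;
    uint8_t payload[PAYLOAD_MAX];
    struct server srv = { .len = 0, .failures_left = transient_failures };

    memcpy(payload, original, len);
    int rc = fixed ? smb2_write_fixed(&srv, payload, len, 0x5a)
                   : smb2_write_buggy(&srv, payload, len, 0x5a);

    return rc == 0 && srv.len == len && memcmp(srv.received, original, len) == 0;
}

int main(void)
{
    printf("buggy, stable link: %s\n", write_roundtrip_ok(false, 0) ? "intact" : "CORRUPTED");
    printf("buggy, one retry  : %s\n", write_roundtrip_ok(false, 1) ? "intact" : "CORRUPTED");
    printf("fixed, one retry  : %s\n", write_roundtrip_ok(true, 1)  ? "intact" : "CORRUPTED");
    return 0;
}
```

The buggy path only fails when a retry happens, which is why the advisory says the corruption is most likely seen on unstable connections: with no transient error the single in-place encryption is delivered and decrypted correctly, and the bug is invisible.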


How can this vulnerability impact me? :

The result is silent corruption of data carried in SMB2 WRITE requests that go through SMB2_write() on an encrypted SMB3 session, whenever a transient error causes the request to be retried. On current kernels this path carries SFU (Services for Unix) special-file (mknod) payloads and Minshall/French (MF) symlinks; on kernels before 6.10, before the netfs conversion, ordinary synchronous writes used it too, so any file written over an unstable encrypted mount could end up corrupted on the server.

If your systems write to SMB/CIFS shares with encryption enabled, especially over unreliable links where reconnects are common, the consequence is integrity loss in the written data rather than a crash or a privilege-boundary violation.


What immediate steps should I take to mitigate this vulnerability?

Upgrade to a kernel that carries the fix commit "smb: client: fix in-place encryption corruption in SMB2_write()", whether as a mainline release or a stable/distribution backport; check your vendor's changelog for that subject line. Note that 6.10 is not the fix boundary: the description mentions it only because the netfs conversion in 6.10 moved ordinary synchronous writes off this path. SFU mknod and MF symlinks still go through SMB2_write() on later kernels, so those remain affected until the patch is applied.

Until you can update, be aware that the corruption needs two conditions at once: SMB3 encryption on the session and a retried write, so unstable encrypted mounts are where it will surface. The fix itself is small: the write payload is handed over via iov_iter_kvec() into rq_iter, which smb3_init_transform_rq() deep-copies before encrypting, so a retry starts from intact plaintext instead of ciphertext.

