CRITICAL🇵🇱 Wersja polska

CVE-2026-43185

CVSS 9.8pub. 2026-05-06upd. 2026-05-11

In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix signededness bug in smb_direct_prepare_negotiation() smb_direct_prepare_negotiation() casts an unsigned __u32 value from sp->max_recv_size and req->preferred_send_size to a signed int before computing min_t(int, ...). A maliciously provided preferred_send_size of 0x80000000 will return as smaller than max_recv_size, and then be used to set the maximum allowed alowed receive size for the next message. By sending a second message with a large value (>1420 bytes) the attacker can then achieve a heap buffer overflow. This fix replaces min_t(int, ...) with min_t(u32)

🤖 AI Analysis
How it works

The smb_direct_prepare_negotiation() function incorrectly casts unsigned values (__u32) — sp->max_recv_size and req->preferred_send_size — to a signed type (int) before calling min_t(int, ...). An attacker can send a preferred_send_size field with a value of 0x80000000, which when interpreted as a signed number is treated as negative, i.e., less than max_recv_size. This causes setting an overly small limit on the maximum size of received messages. Subsequently, by sending a second packet exceeding 1420 bytes, the attacker triggers a heap buffer overflow. The fix replaces min_t(int, ...) with min_t(u32, ...), eliminating the sign error.

Impact

An attacker can trigger a heap buffer overflow in the kernel context of the operating system, which potentially enables remote code execution (RCE), privilege escalation, or system destabilization.

Mitigation & patch

Patches available from the vendor should be applied according to references — fixes have been published in stable Linux kernel branch repositories (commits: 55abc475d096, 6b4f875aac34, ceae058eb707). It is recommended to update the kernel to a version containing the mentioned patches. As a temporary workaround, consider disabling the ksmbd module if SMB Direct is not required in your environment.

Who is affected

Linux kernel with active ksmbd module (SMB Direct/RDMA protocol support); versions indicated in vendor references (commits in stable kernel branches)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Linux Kernel

    OS
    Linux
    7.05.15 – 6.18.16 (bez)6.19 – 6.19.6 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Memory
CWE
References

Related vulnerabilities

CVE-2025-10585CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Type confusion w V8 (Google Chrome) — zdalne uszkodzenie sterty

CVE-2025-34028CRITICAL9.3⚠ KEVPL ✓ten sam produkt

Commvault Command Center – nieuwierzytelniony RCE przez path traversal w ZIP

CVE-2022-47986CRITICAL9.8⚠ KEVten sam produkt

IBM Aspera Faspex 4.4.2 Patch Level 1 and earlier could allow a remote attacker to execute arbitrary code on t...

CVE-2022-22954CRITICAL9.8⚠ KEVten sam produkt

VMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability due to server-s...

CVE-2020-4006CRITICAL9.1⚠ KEVten sam produkt

VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector address have a...