ksmbd: validate inherited ACE SID length_CVE-2026-43490

8.8 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: validate inherited ACE SID length

smb_inherit_dacl() walks the parent directory DACL loaded from the
security descriptor xattr. It verifies that each ACE contains the fixed
SID header before using it, but does not verify that the variable-length
SID described by sid.num_subauth is fully contained in the ACE.

A malformed inheritable ACE can advertise more subauthorities than are
present in the ACE. compare_sids() may then read past the ACE.
smb_set_ace() also clamps the copied destination SID, but used the
unchecked source SID count to compute the inherited ACE size. That could
advance the temporary inherited ACE buffer pointer and nt_size accounting
past the allocated buffer.

Fix this by validating the parent ACE SID count and SID length before
using the SID during inheritance. Compute the inherited ACE size from the
copied SID so the size matches the bounded destination SID. Reject the
inherited DACL if size accumulation would overflow smb_acl.size or the
security descriptor allocation size.

AI Analysis

A vulnerability in the Linux kernel allows for a malformed inheritable ACE to advertise more subauthorities than are present in the ACE, potentially leading to a buffer overflow and code execution.

Basic Information

ID CVE-2026-43490

Source Linux

Published May 15, 2026 at 05:15

Modified May 20, 2026 at 16:08

Affected Product

Vendor Linux

Product Linux

Version e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9

Affected Versions Linux Linux e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9
Linux Linux e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9
Linux Linux e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9
Linux Linux e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9
Linux Linux 5.15

AI Assessment

AI Score 8.8 / 10

AI Severity High

Vendor The Linux Foundation

Product Linux Kernel

Version 5.15, e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9

References

{
    "lastseen": "",
    "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: validate inherited ACE SID length\n\nsmb_inherit_dacl() walks the parent directory DACL loaded from the\nsecurity descriptor xattr. It verifies that each ACE contains the fixed\nSID header before using it, but does not verify that the variable-length\nSID described by sid.num_subauth is fully contained in the ACE.\n\nA malformed inheritable ACE can advertise more subauthorities than are\npresent in the ACE. compare_sids() may then read past the ACE.\nsmb_set_ace() also clamps the copied destination SID, but used the\nunchecked source SID count to compute the inherited ACE size. That could\nadvance the temporary inherited ACE buffer pointer and nt_size accounting\npast the allocated buffer.\n\nFix this by validating the parent ACE SID count and SID length before\nusing the SID during inheritance. Compute the inherited ACE size from the\ncopied SID so the size matches the bounded destination SID. Reject the\ninherited DACL if size accumulation would overflow smb_acl.size or the\nsecurity descriptor allocation size.",
    "published": "2026-05-15T05:15:37.666Z",
    "modified": "2026-05-20T16:08:10.161Z",
    "type": "cve",
    "title": "ksmbd: validate inherited ACE SID length",
    "source": "Linux",
    "references": "https://git.kernel.org/stable/c/47c6e37a77b10e74f70d845ba4ea5d3cafa00336\nhttps://git.kernel.org/stable/c/1aa60fea7f637c071f529ad6784aecca2f2f0c5f\nhttps://git.kernel.org/stable/c/c1d95c995d5bcb24b639200a899eda59cb1e6d64\nhttps://git.kernel.org/stable/c/996454bc0da84d5a1dedb1a7861823087e01a7ae",
    "id": "CVE-2026-43490",
    "bulletinFamily": "",
    "cwe": null,
    "cvelist": null,
    "sourceData": "Linux Linux e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9\nLinux Linux e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9\nLinux Linux e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9\nLinux Linux e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9\nLinux Linux 5.15",
    "sourceHref": "",
    "cvss": {
        "score": 8.8,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Linux",
    "version": "e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9",
    "vendor": "Linux",
    "ai_description": "A vulnerability in the Linux kernel allows for a malformed inheritable ACE to advertise more subauthorities than are present in the ACE, potentially leading to a buffer overflow and code execution.",
    "ai_severity": "High",
    "ai_vendor": "The Linux Foundation",
    "ai_product": "Linux Kernel",
    "ai_version": "5.15, e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9",
    "ai_score": 8.8
}