CVE-2026-43350 Overview
CVE-2026-43350 is an out-of-bounds read vulnerability in the Linux kernel's SMB client code. The flaw resides in the parse_dacl() function within the CIFS access control list (cifsacl) handling logic. A malicious SMB server can return a crafted Access Control Entry (ACE) that bypasses subauthority count validation, causing the client to read four bytes past the end of the ACE buffer. The vulnerability affects Linux kernel SMB client implementations that mount remote shares using CIFS with ACL support.
Critical Impact
A malicious or compromised SMB server can trigger an out-of-bounds memory read in connected Linux SMB clients, potentially leading to information disclosure or kernel instability when users mount remote shares.
Affected Products
- Linux Kernel (SMB client, fs/smb/client/cifsacl.c)
- Systems mounting remote shares via the CIFS/SMB client with ACL support
- Multiple stable kernel branches receiving the backported fix
Discovery Timeline
- 2026-05-08 - CVE-2026-43350 published to NVD
- 2026-05-15 - Last updated in NVD database
Technical Details for CVE-2026-43350
Vulnerability Analysis
The vulnerability resides in parse_dacl() in the Linux kernel CIFS client. The function processes the Discretionary Access Control List (DACL) returned by an SMB server and inspects each ACE to determine if it encodes Unix-style mode bits using the NFS mode Security Identifier (SID) format.
When an ACE SID matches sid_unix_NFS_mode, parse_dacl() reads sid.sub_auth[2] to extract the mode bits. This read assumes the ACE carries at least three subauthorities, but the function performs no explicit count check before dereferencing index 2 of the sub_auth[] array.
The matching logic uses compare_sids(), which only compares min(a, b) subauthorities. A server-supplied SID with num_subauth = 2 and sub_auth[] = {88, 3} matches sid_unix_NFS_mode despite being shorter than expected, causing the subsequent sub_auth[2] access to read past the ACE boundary.
Root Cause
The root cause is missing input validation [NVD-CWE-noinfo, consistent with CWE-125 Out-of-Bounds Read]. The code trusted the SID-comparison result as a proxy for ACE length, conflating identity matching with structural validation. The fix adds a num_subauth >= 3 precondition before treating the ACE as an NFS mode SID, keeping the change scoped to the special-SID path rather than altering compare_sids() semantics used elsewhere in cifsacl.
Attack Vector
An attacker must control or impersonate an SMB server that a Linux client connects to. When the victim mounts a malicious share or reconnects to a compromised server, the server returns a crafted Security Descriptor containing the undersized NFS-mode ACE. The Linux client parses it and reads memory beyond the allocated ACE structure. The CVSS vector indicates user interaction is required (mounting the share), with network attack vector and high availability impact.
No verified public exploit code is available. The vulnerability mechanism is described in prose; see the kernel commits in the references for the precise patch diff.
Detection Methods for CVE-2026-43350
Indicators of Compromise
- Kernel log entries referencing parse_dacl, cifsacl, or KASAN slab-out-of-bounds reports tied to the CIFS module
- Unexpected kernel oops or panic events on hosts that mount SMB shares from untrusted networks
- SMB connections to unknown or unauthorized server endpoints from Linux clients
Detection Strategies
- Inventory Linux hosts running affected kernel versions and identify those with active CIFS mounts using mount -t cifs or /proc/mounts inspection
- Enable kernel address sanitizer (KASAN) on test systems to surface the out-of-bounds read during fuzzing or regression testing
- Audit running kernel versions against the fixed commit hashes 2757ad3e4b6f, 38a69f08ee82, b53b8e98c233, c8eef12af1cc, and f8488c07bea2
Monitoring Recommendations
- Forward kernel ring buffer logs (dmesg, journalctl -k) to a centralized logging platform to capture CIFS subsystem warnings
- Monitor outbound SMB connections (TCP/445) from Linux hosts and alert on connections to unapproved servers
- Track kernel package versions across the fleet and flag systems pending the cifsacl patch
How to Mitigate CVE-2026-43350
Immediate Actions Required
- Apply the upstream Linux kernel patch that enforces num_subauth >= 3 before reading NFS mode bits in parse_dacl()
- Restrict Linux clients to mount SMB shares only from trusted, authenticated servers within controlled network segments
- Disable cifsacl mount option where Unix mode mapping over SMB is not required
Patch Information
The fix has been merged across multiple stable kernel branches. Refer to the upstream commits: Kernel commit 2757ad3e, Kernel commit 38a69f08, Kernel commit b53b8e98, Kernel commit c8eef12a, and Kernel commit f8488c07. Distribution vendors are expected to backport these changes to supported kernel packages.
Workarounds
- Avoid mounting SMB shares with the cifsacl mount option until the patched kernel is installed
- Use firewall rules to block outbound SMB (TCP/445) to untrusted hosts and constrain CIFS use to known internal servers
- Where feasible, prefer alternative file-sharing protocols on untrusted networks until the kernel is updated
# Example: remount existing CIFS shares without the cifsacl option
sudo umount /mnt/share
sudo mount -t cifs //server/share /mnt/share -o username=user,noacl
# Verify mount options exclude cifsacl
mount | grep cifs
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
