CVE-2026-43362 Overview
CVE-2026-43362 is a high-severity flaw in the Linux kernel SMB client that corrupts data during encrypted SMB2 write retries. The SMB2_write() function places write payload in iov[1..n] as part of rq_iov, and smb3_init_transform_rq() pointer-shares this structure. When crypt_message() encrypts iov[1] in-place, the original plaintext is replaced with ciphertext. On a replayable error, the retry resends the same iov[1] containing ciphertext instead of plaintext, corrupting data on the server. The flaw affects SFU mknod operations, MF symlinks, and on kernels prior to 6.10, synchronous writes that used this code path.
Critical Impact
Silent data corruption on SMB shares when connections are unstable and write retries occur, with no error returned to the application.
Affected Products
- Linux Kernel (multiple stable branches)
- Linux Kernel 7.0-rc1, 7.0-rc2, 7.0-rc3
- SMB client subsystem (fs/smb/client)
Discovery Timeline
- 2026-05-08 - CVE-2026-43362 published to NVD
- 2026-05-15 - Last updated in NVD database
Technical Details for CVE-2026-43362
Vulnerability Analysis
The vulnerability resides in the Linux kernel SMB client write path, specifically in SMB2_write() within fs/smb/client/smb2pdu.c. The function constructs a request using an I/O vector array rq_iov, placing the write payload in iov[1..n]. When SMB3 encryption is negotiated, smb3_init_transform_rq() builds a transform request but only pointer-shares the original rq_iov rather than performing a deep copy.
The encryption routine crypt_message() then encrypts the buffer in place, overwriting the plaintext payload with ciphertext. If the server returns a replayable error or the connection drops, the SMB client retries the same request. The retry transmits already-encrypted data as if it were plaintext, which the server then attempts to encrypt again, producing corrupted output on disk. This is classified under [CWE-787] Out-of-Bounds Write due to the integrity violation in buffer handling.
Root Cause
The root cause is shared-pointer semantics between the original request and the transform request. Because rq_iov is not deep-copied before encryption, the original payload buffer is mutated. The asynchronous write path was unaffected because it uses rq_iter, which is deep-copied during transform construction.
Attack Vector
Exploitation requires network access to an SMB server and conditions that trigger write retries, such as unstable network links or transient server errors. An attacker positioned to induce reconnects on encrypted SMB sessions can cause silent data corruption on files written by victim clients. The CVSS vector indicates user interaction is required and the impact is on integrity and availability rather than confidentiality.
The fix moves the write payload into rq_iter via iov_iter_kvec(), ensuring smb3_init_transform_rq() performs a deep copy before encryption. Refer to the Linux Kernel Commit 438e77435 for the upstream patch.
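The aliasing described under Root Cause, and the effect of the deep copy that the fix relies on, modelled in userspace C as an added example (not kernel code and not taken from the upstream patch). toy_crypt(), write_with_retry() and the XOR keystream are hypothetical stand-ins for crypt_message() and the retry loop, and the payload is constructed sample data.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LEN 16

/* Toy stand-in for crypt_message(): XOR with a nonce-derived keystream.
 * Not real cryptography; only the in-place behaviour matters here. */
static void toy_crypt(uint8_t *buf, size_t len, uint8_t nonce)
{
    for (size_t i = 0; i < len; i++)
        buf[i] ^= (uint8_t)(nonce * 31u + i * 7u + 1u);
}

/* Model of one write that hits a replayable error once and is retried.
 * deep_copy=0: transform request aliases the caller's payload (rq_iov case).
 * deep_copy=1: transform request owns a private copy (rq_iter case).
 * Returns 1 if the server ends up storing the original plaintext. */
static int write_with_retry(int deep_copy)
{
    const uint8_t plaintext[LEN] = "file contents 1";   /* constructed payload */
    uint8_t payload[LEN], wire[LEN], stored[LEN] = {0};

    memcpy(payload, plaintext, LEN);
    for (uint8_t attempt = 1; attempt <= 2; attempt++) {
        uint8_t *txbuf = payload;          /* pointer-shared with the request */
        if (deep_copy) {
            memcpy(wire, payload, LEN);    /* private copy for the transform */
            txbuf = wire;
        }
        toy_crypt(txbuf, LEN, attempt);    /* fresh nonce on every attempt */
        if (attempt == 1)
            continue;                      /* constructed replayable error */
        memcpy(stored, txbuf, LEN);        /* server receives the message... */
        toy_crypt(stored, LEN, attempt);   /* ...and decrypts with that nonce */
    }
    return memcmp(stored, plaintext, LEN) == 0;
}

int main(void)
{
    printf("shared iov : server data intact = %d\n", write_with_retry(0));
    printf("deep copy  : server data intact = %d\n", write_with_retry(1));
    return 0;
}
```

In the shared case the server decrypts the retry successfully and still stores the wrong bytes, which is why the application sees no error.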
Detection Methods for CVE-2026-43362
Indicators of Compromise
- Unexplained file corruption on SMB shares accessed by Linux clients with SMB3 encryption enabled
- Kernel log entries indicating SMB session reconnects or replayable write errors
- Mismatched file checksums between client-side source data and server-side stored data
- Increased SMB retransmissions correlated with corrupted writes on encrypted shares
Detection Strategies
- Audit running kernel versions across the Linux fleet and compare them against the fixed stable branch commits referenced in the vendor advisory
- Monitor dmesg and /var/log/kern.log for cifs or smb reconnect messages combined with write errors
- Implement integrity verification (file hashing) on critical data written to SMB3-encrypted shares from Linux clients
Monitoring Recommendations
- Track SMB session stability metrics and correlate disconnect events with file write operations
- Enable verbose CIFS logging via echo 7 > /proc/fs/cifs/cifsFYI in test environments to surface retry behavior
- Centralize Linux kernel logs into a SIEM and alert on SMB error patterns coinciding with reconnects
How to Mitigate CVE-2026-43362
Immediate Actions Required
- Inventory all Linux systems mounting SMB3-encrypted shares and identify kernels missing the upstream fix
- Apply the patched kernel from your distribution as soon as it becomes available
- For unstable network segments, schedule a maintenance window to reboot into the patched kernel
Patch Information
The fix has been merged into multiple stable kernel branches. Reference commits include 438e77435aee, 52327268224f, 92e64f1852f4, aea5e37388a0, and d78840a6a38d. The patch moves the write payload from rq_iov into rq_iter via iov_iter_kvec(), forcing a deep copy before encryption.
Workarounds
- Disable SMB3 encryption on affected mounts where data sensitivity allows, removing seal from mount options
- Stabilize network paths between Linux clients and SMB servers to reduce retry events
- Restrict Linux SMB client usage to read-only mounts where feasible until patches are applied
# Check current kernel version and CIFS module status
uname -r
modinfo cifs | grep -E '^(version|filename)'
# Inspect active SMB mounts for encryption (seal) option
cat /proc/mounts | grep cifs
mount | grep -i seal
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


