CVE-2026-43490 Overview
CVE-2026-43490 is a high-severity vulnerability in the Linux kernel's ksmbd in-kernel SMB server. The flaw resides in smb_inherit_dacl(), which fails to validate the variable-length Security Identifier (SID) inside inheritable Access Control Entries (ACEs) loaded from a parent directory's security descriptor extended attribute. A malformed ACE can advertise more subauthorities than it actually contains, causing compare_sids() to read past the ACE buffer and smb_set_ace() to advance accounting pointers beyond the allocated buffer.
Critical Impact
An authenticated remote attacker with SMB write access can trigger out-of-bounds memory access in the kernel, leading to information disclosure, denial of service, or potential memory corruption.
Affected Products
- Linux kernel ksmbd SMB server component
- Linux distributions shipping vulnerable ksmbd versions prior to the fix commits
- Systems exposing SMB shares via ksmbd with DACL inheritance enabled
Discovery Timeline
- 2026-05-15 - CVE-2026-43490 published to NVD
- 2026-05-20 - Last updated in NVD database
Technical Details for CVE-2026-43490
Vulnerability Analysis
The vulnerability exists in the ksmbd DACL inheritance logic. When smb_inherit_dacl() walks the parent directory DACL loaded from the security descriptor xattr, it verifies only the fixed ACE header before processing each entry. The function does not confirm that the variable-length SID described by sid.num_subauth fits within the ACE boundaries.
Downstream, compare_sids() reads subauthority values based on the unchecked num_subauth counter. This results in an out-of-bounds read past the ACE buffer. Separately, smb_set_ace() clamps the destination SID copy but computes the inherited ACE size using the unchecked source SID count. The inflated size advances the temporary inherited ACE buffer pointer and the nt_size accumulator past the allocated buffer.
The patches validate the parent ACE SID count and SID length before consumption, compute the inherited ACE size from the bounded destination SID, and reject inherited DACLs when size accumulation would overflow smb_acl.size or the security descriptor allocation.
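The two checks described above (SID length bounded by the ACE and by the remaining ACL bytes, and inherited ACE size derived from the bounded SID with overflow-safe accumulation), written out as an added C example; it is not ksmbd code, and the layout constants, function names and sample ACE bytes are assumptions constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Assumed on-disk layout: 4-byte ACE header (type, flags, le16 size), 4-byte
 * access mask, then a SID of 8 + 4*num_subauth bytes (at most 15 subauthorities). */
#define ACE_HDR_LEN 8u
#define SID_HDR_LEN 8u
#define SID_MAX_SUBAUTH 15u

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Return the SID length the ACE advertises only if it is consistent with the
 * ACE size and with the bytes remaining in the ACL buffer; otherwise 0.
 * This is the validation the vulnerable path lacked before compare_sids(). */
size_t validated_sid_len(const uint8_t *ace, size_t remaining)
{
    if (remaining < ACE_HDR_LEN + SID_HDR_LEN) return 0;
    size_t ace_size = le16(ace + 2);
    if (ace_size < ACE_HDR_LEN + SID_HDR_LEN || ace_size > remaining) return 0;
    uint8_t num_subauth = ace[ACE_HDR_LEN + 1];
    if (num_subauth > SID_MAX_SUBAUTH) return 0;
    size_t sid_len = SID_HDR_LEN + 4u * num_subauth;
    if (sid_len > ace_size - ACE_HDR_LEN) return 0;   /* SID would overrun the ACE */
    return sid_len;
}

/* Size the inherited ACE from the SID actually copied (the bounded destination),
 * not from the untrusted source counter, and refuse the DACL when the running
 * size would exceed the 16-bit smb_acl.size or the allocation.
 * Returns the new accumulated size, or 0 when the ACE must be rejected. */
size_t accumulate_inherited(uint16_t acl_size, size_t copied_sid_len, size_t alloc)
{
    size_t total = (size_t)acl_size + ACE_HDR_LEN + copied_sid_len;
    if (total > UINT16_MAX || total > alloc) return 0;
    return total;
}

/* Constructed sample: a well-formed 24-byte inheritable ACE, SID with 2 subauthorities. */
static const uint8_t good_ace[24] = { 0x00, 0x02, 24, 0, 0xff, 0x01, 0x1f, 0x00,
    0x01, 0x02, 0, 0, 0, 0, 0, 5, 0x15, 0, 0, 0, 0xe8, 0x03, 0, 0 };
/* Constructed sample: same 24 bytes, but num_subauth claims 10 (a 48-byte SID). */
static const uint8_t bad_ace[24] = { 0x00, 0x02, 24, 0, 0xff, 0x01, 0x1f, 0x00,
    0x01, 0x0a, 0, 0, 0, 0, 0, 5, 0x15, 0, 0, 0, 0xe8, 0x03, 0, 0 };
```

For the malformed sample the unchecked path would read 32 bytes beyond the ACE and inflate the inherited size by the same amount; the validator rejects it before either happens.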
Root Cause
The root cause is missing input validation on attacker-controlled num_subauth and SID length fields parsed from a stored security descriptor xattr [CWE-125, CWE-787]. The kernel trusted bounds derived from on-disk metadata without verifying that they fit within the containing ACE structure.
Attack Vector
An authenticated SMB user who can write extended attributes or place a crafted security descriptor on a parent directory can trigger inheritance processing on child object creation. The malformed inheritable ACE then drives the out-of-bounds access during DACL propagation inside the kernel.
No verified public proof-of-concept code is available. Refer to the upstream commits for the exact validation logic added by the maintainers: Linux Kernel Commit 1aa60fe and Linux Kernel Commit 47c6e37.
Detection Methods for CVE-2026-43490
Indicators of Compromise
- Unexpected ksmbd kernel oops, panic, or KASAN reports referencing smb_inherit_dacl, compare_sids, or smb_set_ace.
- SMB clients writing unusual security.NTACL or related security descriptor extended attributes on shared directories.
- Crash loops or service restarts of the ksmbd kernel thread following file or directory creation operations.
Detection Strategies
- Enable KASAN on test kernels to catch out-of-bounds reads triggered by malformed inherited ACEs.
- Inventory hosts running ksmbd and verify kernel build identifiers against the fixed commits.
- Correlate SMB authentication events with subsequent kernel log anomalies to identify attacker sessions.
Monitoring Recommendations
- Forward dmesg and /var/log/kern.log to a central log pipeline and alert on ksmbd stack traces.
- Audit SMB share configurations to identify directories with custom DACL inheritance and limit write access.
- Track creation of files and directories on ksmbd shares from low-privileged accounts for anomalous patterns.
How to Mitigate CVE-2026-43490
Immediate Actions Required
- Apply the upstream kernel patches or vendor-supplied stable kernel updates that include the four referenced commits.
- Restrict SMB share write access to trusted, authenticated users until the patched kernel is deployed.
- Disable ksmbd on hosts that do not require an in-kernel SMB server and use a userspace alternative if available.
Patch Information
The fix is distributed across four upstream commits that add SID length validation, recompute inherited ACE sizes from the bounded destination SID, and reject DACLs that would overflow smb_acl.size. Reference commits: Linux Kernel Commit 1aa60fe, Linux Kernel Commit 47c6e37, Linux Kernel Commit 996454b, and Linux Kernel Commit c1d95c9.
Workarounds
- Unload the ksmbd kernel module on systems where SMB serving is not required (modprobe -r ksmbd).
- Block inbound SMB ports (TCP 445) at the network perimeter and restrict access to authenticated management networks.
- Remove inheritable ACEs from shared directories and disable DACL inheritance where business requirements permit.
# Verify ksmbd module status and disable if unused
lsmod | grep ksmbd
systemctl stop ksmbd.service
systemctl disable ksmbd.service
modprobe -r ksmbd
# Restrict SMB exposure at the host firewall
ufw deny 445/tcp
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.