{"id":"CVE-2026-43350","summary":"smb: client: require a full NFS mode SID before reading mode bits","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: require a full NFS mode SID before reading mode bits\n\nparse_dacl() treats an ACE SID matching sid_unix_NFS_mode as an NFS\nmode SID and reads sid.sub_auth[2] to recover the mode bits.\n\nThat assumes the ACE carries three subauthorities, but compare_sids()\nonly compares min(a, b) subauthorities.  A malicious server can return\nan ACE with num_subauth = 2 and sub_auth[] = {88, 3}, which still\nmatches sid_unix_NFS_mode and then drives the sub_auth[2] read four\nbytes past the end of the ACE.\n\nRequire num_subauth \u003e= 3 before treating the ACE as an NFS mode SID.\nThis keeps the fix local to the special-SID mode path without changing\ncompare_sids() semantics for the rest of cifsacl.","modified":"2026-06-23T03:54:59.198232975Z","published":"2026-05-08T13:41:53.276Z","related":["openSUSE-SU-2026:10793-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43350.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/1592a6cd6f653f2d24572a6976c7a775b19f4940"},{"type":"WEB","url":"https://git.kernel.org/stable/c/23b54d6cc3ef30a51d984dc74364f24039ae2ecb"},{"type":"WEB","url":"https://git.kernel.org/stable/c/2757ad3e4b6f9e0fed4c7739594e702abc5cab21"},{"type":"WEB","url":"https://git.kernel.org/stable/c/38a69f08ee82c450d3e4168707fff2e317dc3ff7"},{"type":"WEB","url":"https://git.kernel.org/stable/c/8bd4cad3f458d11650d51c2d24b03fb1770ae6cc"},{"type":"WEB","url":"https://git.kernel.org/stable/c/b53b8e98c23310294fc45fc686db5ee860311896"},{"type":"WEB","url":"https://git.kernel.org/stable/c/c8eef12af1cc73031639ea7cf16e0b10e2536b0b"},{"type":"WEB","url":"https://git.kernel.org/stable/c/f8488c07bea2431ee12a6067d736578064fa46b4"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43350.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43350"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"e2f8fbfb8d09c06decde162090fac3ee220aa280"},{"fixed":"23b54d6cc3ef30a51d984dc74364f24039ae2ecb"},{"fixed":"1592a6cd6f653f2d24572a6976c7a775b19f4940"},{"fixed":"8bd4cad3f458d11650d51c2d24b03fb1770ae6cc"},{"fixed":"b53b8e98c23310294fc45fc686db5ee860311896"},{"fixed":"c8eef12af1cc73031639ea7cf16e0b10e2536b0b"},{"fixed":"38a69f08ee82c450d3e4168707fff2e317dc3ff7"},{"fixed":"f8488c07bea2431ee12a6067d736578064fa46b4"},{"fixed":"2757ad3e4b6f9e0fed4c7739594e702abc5cab21"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-43350.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"5.4.0"},{"fixed":"5.10.259"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.11.0"},{"fixed":"5.15.210"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.16.0"},{"fixed":"6.1.175"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.6.136"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.7.0"},{"fixed":"6.12.84"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.18.25"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.19.0"},{"fixed":"7.0.2"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-43350.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H"}]}