CVE-2026-43185
CRITICAL EPSS 45.3%
Published May 6, 20261mo ago · Modified Jun 17, 20261w ago
9.8 CVSS 3.1
Published May 6, 2026 1mo ago
Last Modified Jun 17, 2026 1w ago
Description
In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix signededness bug in smb_direct_prepare_negotiation() smb_direct_prepare_negotiation() casts an unsigned __u32 value from sp->max_recv_size and req->preferred_send_size to a signed int before computing min_t(int, ...). A maliciously provided preferred_send_size of 0x80000000 will return as smaller than max_recv_size, and then be used to set the maximum allowed alowed receive size for the next message. By sending a second message with a large value (>1420 bytes) the attacker can then achieve a heap buffer overflow. This fix replaces min_t(int, ...) with min_t(u32)
CVSS Details
Base Score
Exploitability
Impact
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High
Threat Intelligence
EPSS Exploit Probability
45.3% percentile
Exploit & Patch Status
No Known Exploit
Patch Available
Weaknesses 1
CWE-674
Affected Products 3
References 3
- git.kernel.org https://git.kernel.org/stable/c/55abc475d096da4a5356b6efb0cfdc6156bc1550
- git.kernel.org https://git.kernel.org/stable/c/6b4f875aac344cdd52a1f34cc70ed2f874a65757
- git.kernel.org https://git.kernel.org/stable/c/ceae058eb707ddd0d68f0872f9d9f23b7c30c37b
Remediation
- git.kernel.org https://git.kernel.org/stable/c/55abc475d096da4a5356b6efb0cfdc6156bc1550
- git.kernel.org https://git.kernel.org/stable/c/6b4f875aac344cdd52a1f34cc70ed2f874a65757
- git.kernel.org https://git.kernel.org/stable/c/ceae058eb707ddd0d68f0872f9d9f23b7c30c37b