9.8
CVE-2026-43185: Linux kernel ksmbd SMB Direct Negotiation signedness bug fixed
CVE-2026-43185
Summary
A signedness bug in the Linux kernel's ksmbd SMB Direct negotiation code has been fixed. The bug could have allowed an attacker to set an overly large receive size, potentially leading to a heap buffer overflow. It has been resolved in the latest Linux kernel update, and updating to the latest version is recommended.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions |
|---|---|---|
| linux | linux_kernel | >= 5.15, < 6.18.16; >= 6.19, < 6.19.6; 7.0 (cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*) |
Original title
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: fix signededness bug in smb_direct_prepare_negotiation()
smb_direct_prepare_negotiation() casts an unsigned __u32 value
...
Original description
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: fix signededness bug in smb_direct_prepare_negotiation()
smb_direct_prepare_negotiation() casts an unsigned __u32 value
from sp->max_recv_size and req->preferred_send_size to a signed
int before computing min_t(int, ...). A maliciously provided
preferred_send_size of 0x80000000 will return as smaller than
max_recv_size, and then be used to set the maximum allowed
receive size for the next message.
By sending a second message with a large value (>1420 bytes)
the attacker can then achieve a heap buffer overflow.
This fix replaces min_t(int, ...) with min_t(u32)
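Added example, not code from the kernel or from the original advisory: a userspace C program that reproduces the comparison described above and shows why the unsigned form holds the limit. The `min_t` macro is a simplified stand-in for the kernel macro, and `negotiate_signed`, `negotiate_unsigned` and the 1364-byte limit are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified userspace stand-in for the kernel's min_t(): cast both
 * operands to `type`, then compare. Arguments must be side-effect free. */
#define min_t(type, a, b) ((type)(a) < (type)(b) ? (type)(a) : (type)(b))

/* Pre-fix comparison: both u32 values are compared as signed int, so any
 * value with bit 31 set becomes negative and "wins" the minimum.
 * (The u32 -> int conversion wraps on GCC and Clang.) */
static uint32_t negotiate_signed(uint32_t max_recv_size, uint32_t preferred_send_size)
{
    return (uint32_t)min_t(int, max_recv_size, preferred_send_size);
}

/* Post-fix comparison: operands stay unsigned, so the result can never
 * exceed the local limit. */
static uint32_t negotiate_unsigned(uint32_t max_recv_size, uint32_t preferred_send_size)
{
    return min_t(uint32_t, max_recv_size, preferred_send_size);
}

int main(void)
{
    const uint32_t limit = 1364; /* constructed sample limit, not read from ksmbd */
    /* Constructed peer values on both sides of the sign bit. */
    const uint32_t peers[] = { 512u, 8192u, 0x7fffffffu, 0x80000000u, 0xffffffffu };

    printf("%-12s %-12s %-12s %s\n", "preferred", "min_t(int)", "min_t(u32)", "limit held?");
    for (size_t i = 0; i < sizeof(peers) / sizeof(peers[0]); i++) {
        uint32_t s = negotiate_signed(limit, peers[i]);
        uint32_t u = negotiate_unsigned(limit, peers[i]);
        printf("0x%08x   0x%08x   0x%08x   %s\n", (unsigned)peers[i], (unsigned)s, (unsigned)u,
               s <= limit ? "yes" : "NO (signed result exceeds limit)");
    }
    return 0;
}
```

Every peer value at or above 0x80000000 defeats the signed comparison, which is why reviewing other `min_t(int, ...)` calls on wire-supplied unsigned fields is a useful follow-up check.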
nvd CVSS3.1
9.8
Vulnerability type
CWE-674
Published: 6 May 2026 · Updated: 28 May 2026 · First seen: 8 May 2026