PatchSiren cyber security CVE debrief
CVE-2026-43350 Git CVE debrief
CVE-2026-43350 is a Linux kernel SMB/CIFS client memory-safety issue in the DACL parsing path. A malicious server can return an ACE whose SID is short enough to match the special NFS mode SID check, but still lacks the third subauthority that the code later reads. That can drive an out-of-bounds read past the end of the ACE when mode bits are recovered.
- Vendor: Git
- Product: Unknown
- CVSS: HIGH 7.6
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-08
- Original CVE updated: 2026-05-11
- Advisory published: 2026-05-08
- Advisory updated: 2026-05-11
Who should care
Linux administrators and security teams running SMB/CIFS client workloads, especially systems that mount shares from untrusted or attacker-controlled SMB servers.
Technical summary
The issue is in parse_dacl() in the SMB client. The code treats an ACE SID matching sid_unix_NFS_mode as an NFS mode SID and then reads sid.sub_auth[2] to reconstruct permission bits. The problem is that compare_sids() only compares the minimum number of subauthorities between two SIDs, so an ACE with num_subauth = 2 can still match the special SID. If that happens, the subsequent sub_auth[2] access reads four bytes past the end of the ACE. The fix is to require num_subauth >= 3 before taking the NFS-mode path, while leaving compare_sids() behavior unchanged for other cifsacl uses.
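The decision described above, modelled in user-space C as an added example (not the kernel's code or the actual patch). The struct layout, the helper names, the authority value 5 and the sample mode 0644 are assumptions; the `{88, 3}` subauthorities and the `num_subauth >= 3` requirement come from the CVE text.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified user-space model of a SID inside an ACE; not the kernel struct. */
struct model_sid {
    uint8_t  revision, num_subauth, authority[6];
    uint32_t sub_auth[15];
};

/* Reference NFS-mode SID: {88, 3} is from the CVE text, authority 5 is assumed. */
static const struct model_sid nfs_mode_sid = { 1, 2, {0, 0, 0, 0, 0, 5}, {88, 3} };
/* Constructed inputs: the short SID from the CVE text and a well-formed one. */
static const struct model_sid short_sid = { 1, 2, {0, 0, 0, 0, 0, 5}, {88, 3} };
static const struct model_sid full_sid  = { 1, 3, {0, 0, 0, 0, 0, 5}, {88, 3, 0644} };

/* Models the described behaviour: only min(num_subauth) entries are compared. */
static int model_compare_sids(const struct model_sid *a, const struct model_sid *b)
{
    uint8_t i, n = a->num_subauth < b->num_subauth ? a->num_subauth : b->num_subauth;

    if (a->revision != b->revision || memcmp(a->authority, b->authority, 6) != 0)
        return 1;
    for (i = 0; i < n; i++)
        if (a->sub_auth[i] != b->sub_auth[i])
            return 1;
    return 0;
}

/* Is sub_auth[2] among the subauthorities the ACE actually carries? */
int sub_auth2_present(const struct model_sid *s) { return s->num_subauth >= 3; }

/* Pre-fix decision: a compare match alone selects the NFS-mode path. */
int mode_path_unpatched(const struct model_sid *s) { return model_compare_sids(s, &nfs_mode_sid) == 0; }

/* Post-fix decision: the third subauthority must exist before the path is taken. */
int mode_path_patched(const struct model_sid *s) { return s->num_subauth >= 3 && mode_path_unpatched(s); }

int main(void)
{
    printf("short: unpatched=%d patched=%d sub_auth[2] present=%d\n",
           mode_path_unpatched(&short_sid), mode_path_patched(&short_sid),
           sub_auth2_present(&short_sid));
    printf("full:  unpatched=%d patched=%d mode=%o\n",
           mode_path_unpatched(&full_sid), mode_path_patched(&full_sid),
           (unsigned)full_sid.sub_auth[2]);
    return 0;
}
```

The short SID is the only input on which the two decisions differ: the pre-fix check selects the mode path even though `sub_auth[2]` is not part of the ACE, while the well-formed three-subauthority SID is accepted by both.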
Defensive priority
High
Recommended defensive actions
- Backport and deploy the kernel fix that requires num_subauth >= 3 before the NFS mode SID path is taken.
- Prioritize patching systems that connect to untrusted SMB/CIFS servers or accept remotely provided ACLs.
- Review exposure for kernels with SMB/CIFS client support enabled and schedule updates according to your normal kernel emergency patch process.
- Monitor vendor advisories and kernel stable updates for the commit series referenced in the CVE record.
Evidence notes
The supplied CVE description states that parse_dacl() can read sid.sub_auth[2] after a compare_sids() match even when the ACE has only two subauthorities, and that a malicious server can send num_subauth = 2 with sub_auth[] = {88, 3}. The CVSS vector in the record is CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H, which indicates a network attack vector with user interaction required. Supplied timeline fields show the CVE published at 2026-05-08T14:16:45.123Z and modified at 2026-05-11T08:16:10.797Z.
Official resources
- CVE-2026-43350 CVE record (CVE.org)
- CVE-2026-43350 NVD detail (NVD)
- Source item URL (nvd_modified)
- Source reference (416baaa9-dc9f-4396-8d5f-8c081fb06d67)
CVE published: 2026-05-08T14:16:45.123Z. Last modified: 2026-05-11T08:16:10.797Z. The supplied NVD record status is "Received".