PatchSiren cyber security CVE debrief

CVE-2026-43490 Linux CVE debrief

CVE-2026-43490 affects Linux kernel ksmbd inheritance handling for SMB ACLs. The issue was published on 2026-05-15 and later modified on 2026-05-20. A malformed inheritable ACE can advertise more SID subauthorities than are actually present, which can let the kernel read past the ACE during SID comparison and miscompute inherited ACE size during DACL construction. The supplied record rates the issue 8.8 HIGH with network attack vector, low attack complexity, low privileges required, and no user interaction.

Vendor: Linux
Product: Unknown
CVSS: HIGH 8.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-15
Original CVE updated: 2026-05-20
Advisory published: 2026-05-15
Advisory updated: 2026-05-20

Who should care

Linux kernel maintainers, distro security teams, and administrators running ksmbd-based SMB server functionality should prioritize this. Any environment that accepts or processes inherited ACLs from untrusted or malformed security descriptor xattrs is in scope.

Technical summary

The vulnerability is in smb_inherit_dacl() in ksmbd. The code checked that an ACE contained the fixed SID header, but did not verify that the variable-length SID described by sid.num_subauth was fully contained within the ACE. As a result, compare_sids() could read past the ACE when a malformed inheritable ACE claimed more subauthorities than were present. The same unchecked SID count was also used by smb_set_ace() to compute inherited ACE size, which could advance the temporary inherited ACE buffer pointer and nt_size accounting beyond the allocated buffer. The fix validates the parent ACE SID count and SID length before using it, computes inherited ACE size from the copied SID, and rejects inheritance if size accumulation would overflow smb_acl.size or the security descriptor allocation size.
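The check the summary describes, shown as an added stand-alone example rather than ksmbd's own code. It uses the documented on-wire layout of an access-allowed ACE (4-byte header, 4-byte access mask, then a SID of 8 header bytes plus 4 bytes per sub-authority) in constructed, simplified form; validate_ace(), inherit_dacl() and make_ace() are names chosen for this example, not kernel functions. The point is the comparison the original code lacked: the SID length derived from num_subauth must fit inside the ACE's declared size before it is used for comparison or for size accounting, and the running inherited-DACL size must be checked against both the output buffer and the 16-bit ACL size field.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified layouts constructed for this example (not ksmbd's structures). */
#define ACE_HDR_LEN      4    /* type(1) flags(1) size(le16)               */
#define ACE_MASK_LEN     4    /* access mask (le32)                         */
#define SID_HDR_LEN      8    /* revision(1) num_subauth(1) authority(6)    */
#define SID_MAX_SUBAUTH  15   /* maximum sub-authorities in an SMB/NT SID   */
#define ACE_MIN_LEN      (ACE_HDR_LEN + ACE_MASK_LEN + SID_HDR_LEN)
#define INHERIT_FLAGS    0x03 /* OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE */

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/*
 * Validate the ACE at the start of buf[0..avail).
 * Returns the ACE's declared size on success, or 0 if the header, access mask
 * or the variable-length SID (SID_HDR_LEN + 4 * num_subauth) does not fit
 * inside that size.  The SID comparison in the debrief lacked this check.
 */
size_t validate_ace(const uint8_t *buf, size_t avail)
{
    if (avail < ACE_MIN_LEN)
        return 0;
    size_t ace_size = le16(buf + 2);
    if (ace_size < ACE_MIN_LEN || ace_size > avail)
        return 0;
    const uint8_t *sid = buf + ACE_HDR_LEN + ACE_MASK_LEN;
    uint8_t num_subauth = sid[1];
    if (num_subauth > SID_MAX_SUBAUTH)
        return 0;
    size_t sid_len = SID_HDR_LEN + 4u * num_subauth;
    /* Trusting num_subauth without this comparison is the bug class. */
    if (ACE_HDR_LEN + ACE_MASK_LEN + sid_len > ace_size)
        return 0;
    return ace_size;
}

/*
 * Copy the inheritable ACEs of a parent DACL (a run of ACEs in
 * parent[0..parent_len)) into out[0..out_cap), with the size accounting an
 * inherited-DACL builder needs.  Every ACE is validated before its size is
 * trusted; the running total is bounded by the output capacity and by the
 * 16-bit ACL size field.  Returns the number of ACEs copied, or -1 when a
 * parent ACE is malformed or the total would overflow.
 */
int inherit_dacl(const uint8_t *parent, size_t parent_len,
                 uint8_t *out, size_t out_cap, uint16_t *acl_size)
{
    size_t off = 0, used = 0;
    int copied = 0;
    while (off < parent_len) {
        size_t ace_size = validate_ace(parent + off, parent_len - off);
        if (ace_size == 0)
            return -1;                       /* reject the whole inheritance */
        if (parent[off + 1] & INHERIT_FLAGS) {
            if (ace_size > out_cap - used || used + ace_size > UINT16_MAX)
                return -1;                   /* buffer or acl.size overflow */
            memcpy(out + used, parent + off, ace_size);
            used += ace_size;
            copied++;
        }
        off += ace_size;
    }
    *acl_size = (uint16_t)used;
    return copied;
}

/*
 * Build a constructed test ACE.  The size field reflects actual_subauth
 * sub-authorities, while the SID header claims claimed_subauth; the two
 * differ only when modelling a malformed ACE.  Returns bytes written.
 */
size_t make_ace(uint8_t *dst, uint8_t flags, uint8_t claimed_subauth,
                uint8_t actual_subauth)
{
    size_t size = ACE_MIN_LEN + 4u * actual_subauth;
    memset(dst, 0, size);
    dst[0] = 0x00;                           /* ACCESS_ALLOWED_ACE_TYPE */
    dst[1] = flags;
    dst[2] = (uint8_t)(size & 0xff);
    dst[3] = (uint8_t)(size >> 8);
    dst[4] = 0x1f; dst[5] = 0x01;            /* constructed access mask */
    uint8_t *sid = dst + ACE_HDR_LEN + ACE_MASK_LEN;
    sid[0] = 1;                              /* SID revision */
    sid[1] = claimed_subauth;
    sid[7] = 5;                              /* NT authority */
    for (unsigned i = 0; i < actual_subauth; i++)
        sid[SID_HDR_LEN + 4 * i] = (uint8_t)(21 + i);  /* constructed values */
    return size;
}

int main(void)
{
    uint8_t parent[64], out[64];
    uint16_t acl_size = 0;
    size_t n = make_ace(parent, INHERIT_FLAGS, 2, 2);
    printf("well-formed ACE: copied=%d size=%u\n",
           inherit_dacl(parent, n, out, sizeof out, &acl_size), acl_size);
    n = make_ace(parent, INHERIT_FLAGS, 5, 1);   /* claims 5, carries 1 */
    printf("malformed ACE: result=%d\n",
           inherit_dacl(parent, n, out, sizeof out, &acl_size));
    return 0;
}
```

A well-formed inheritable ACE with two sub-authorities is copied and accounted for as 24 bytes; an ACE whose SID header claims five sub-authorities but whose declared size only holds one is rejected before any comparison or copy touches bytes beyond the ACE.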

Defensive priority

High. The supplied CVSS vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) indicates a remotely reachable, low-complexity issue with potentially severe impact if ksmbd processes a crafted ACL path.

Recommended defensive actions

  • Apply the Linux kernel fixes referenced by the supplied kernel.org commits and update to a release that includes the SID-length validation change.
  • If you run ksmbd, review whether SMB server functionality is enabled on production systems and limit exposure to trusted networks where possible.
  • Prioritize validation of kernel updates on systems that process inherited ACLs from untrusted shares or metadata sources.
  • Monitor vendor advisories and distribution kernel backports tied to the supplied CVE and kernel.org references.
  • After patching, verify the running kernel build includes the ksmbd inheritance fix by checking the vendor or stable backport notes.

Evidence notes

This debrief is based only on the supplied CVE description, NVD metadata, and kernel.org source references. The description explicitly states that smb_inherit_dacl() did not verify the full variable-length SID, that compare_sids() could read past the ACE, and that smb_set_ace() used an unchecked source SID count for size calculations. The record was published on 2026-05-15 and modified on 2026-05-20. No additional exploitation detail is assumed beyond the provided text and CVSS metadata.

Official resources

Publicly disclosed in the CVE record on 2026-05-15 and updated on 2026-05-20. The supplied NVD metadata lists vulnStatus as Received.