Linux · Linux Kernel · CVE-2026-31706
**Name of the Vulnerable Software and Affected Versions**
Linux kernel (affected versions not specified)
**Description**
An issue exists in the ksmbd module where the `smb_inherit_dacl()` function trusts the `num_aces` value from a parent directory's DACL xattr to determine the size of a heap allocation. An authenticated client can tamper with the `security.NTACL` of a parent directory to provide a large `num_aces` value (e.g., 65535) with minimal actual ACE data. This can lead to an uninitialized ~8 MB allocation and may cause a `size_t` multiplication overflow on 32-bit kernels. Additionally, the ACE walk loop fails to properly reject ACEs whose declared size is below the minimum valid on-wire ACE size. The issue was triggered during an SMB2 CREATE operation via the `smb2_open()` function.
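The two checks the description finds missing, as an added user-space example that is not ksmbd's code or its fix: bound `num_aces` by the bytes actually present before anything is sized from it, and reject any ACE whose declared size is below the minimum. The helper name `validate_dacl`, the header and minimum-ACE sizes, and the sample buffers are assumptions constructed for this illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Sizes assumed for this example from the on-wire ACL/ACE layout. */
#define ACL_HDR_SIZE 8u  /* revision(2) + size(2) + num_aces(4) */
#define ACE_HDR_SIZE 4u  /* type(1) + flags(1) + size(2) */
#define MIN_ACE_SIZE 16u /* ACE header + access mask(4) + SID base(8) */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }

/* Constructed sample DACLs: header + one ACE slot (unlisted bytes are zero). */
static const uint8_t dacl_ok[24]        = {2,0,24,0, 1,0,0,0,       0,0,16,0};
static const uint8_t dacl_inflated[24]  = {2,0,24,0, 0xff,0xff,0,0, 0,0,16,0};
static const uint8_t dacl_short_ace[24] = {2,0,24,0, 1,0,0,0,       0,0,4,0};

/* Hypothetical helper: returns the validated ACE count, or -1 when
 * num_aces or an ACE size is not backed by the bytes actually present. */
long validate_dacl(const uint8_t *buf, size_t len)
{
    if (len < ACL_HDR_SIZE)
        return -1;
    uint32_t num_aces = rd32(buf + 4);

    /* Bound the count by the data before sizing any allocation from it. */
    if (num_aces > (len - ACL_HDR_SIZE) / MIN_ACE_SIZE)
        return -1;

    size_t off = ACL_HDR_SIZE;
    for (uint32_t i = 0; i < num_aces; i++) {
        if (len - off < ACE_HDR_SIZE)
            return -1;
        uint16_t ace_size = rd16(buf + off + 2);
        /* Reject ACEs below the minimum size or running past the buffer. */
        if (ace_size < MIN_ACE_SIZE || ace_size > len - off)
            return -1;
        off += ace_size;
    }
    return (long)num_aces;
}

int main(void)
{
    /* Exit status 0 when the three samples validate as expected. */
    return !(validate_dacl(dacl_ok, sizeof dacl_ok) == 1 &&
             validate_dacl(dacl_inflated, sizeof dacl_inflated) == -1 &&
             validate_dacl(dacl_short_ace, sizeof dacl_short_ace) == -1);
}
```

Because the count is capped at the available bytes divided by the minimum ACE size, a later `count * element_size` allocation is bounded by the xattr length and cannot wrap `size_t`.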
**Recommendations**
At the moment, there is no information about a newer version that contains a fix for this vulnerability.