CVE-2026-43490

Name of the Vulnerable Software and Affected Versions Linux kernel (affected versions not specified)

Description In the ksmbd module, the smb inherit dacl() function fails to verify that the variable-length Security Identifier (SID) described by sid.num subauth is fully contained within the Access Control Entry (ACE). A malformed inheritable ACE can advertise more subauthorities than are present, potentially causing compare sids() to read past the ACE. Additionally, smb set ace() uses an unchecked source SID count to compute the inherited ACE size, which may advance the temporary inherited ACE buffer pointer and nt size accounting beyond the allocated buffer.

Recommendations Validate the parent ACE SID count and SID length before using the SID during inheritance. Compute the inherited ACE size from the copied SID to ensure the size matches the bounded destination SID. Reject the inherited Discretionary Access Control List (DACL) if size accumulation would overflow smb acl.size or the security descriptor allocation size.