HIGH
smb Prepath OOB
CVE-2026-43112
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
KernelScan AI5.1MEDIUM
01Description
In the Linux kernel, the following vulnerability has been resolved: fs/smb/client: fix out-of-bounds read in cifs_sanitize_prepath When cifs_sanitize_prepath is called with an empty string or a string containing only delimiters (e.g., "/"), the current logic attempts to check *(cursor2 - 1) before cursor2 has advanced. This results in an out-of-bounds read. This patch adds an early exit check after stripping prepended delimiters. If no path content remains, the function returns NULL. The bug was identified via manual audit and verified using a standalone test case compiled with AddressSanitizer, which triggered a SEGV on affected inputs.
02KernelScan AI Analysis
Risk summary
Systems that mount CIFS/SMB shares are at risk of kernel crashes when processing malformed path strings. The vulnerability can cause information disclosure through out-of-bounds memory reads and system instability through kernel panics.
Vulnerability analysis
The cifs_sanitize_prepath function contains a buffer underflow when processing empty strings or paths containing only delimiters. After stripping leading delimiters, the code attempts to access memory before the buffer start via *(cursor2 - 1) before cursor2 is properly positioned. The fix adds an early exit check to return NULL when no path content remains after delimiter stripping. This vulnerability is triggered during CIFS mount operations and requires local access with mounting privileges.
03Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 5.15 | 5.15.209 | a2ba20c17de8 |
| 6.1 | 6.1.175 | fbced3359965 |
| 6.12 | 6.12.83 | 2d29214448ec |
| 6.18 | 6.18.24 | 86f9c23e0814 |
| 6.19 | 6.19.14 | 49b1ce6d7cfb |
| 6.6 | 6.6.136 | 5d4fe469fe7d |
| mainline | 7.0 | 78ec5bf2f589 |