ksmbd RDMA Overflow
CVE-2026-43185
Severity: CRITICAL (KernelScan AI score 9.8)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
01 Description
In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix signedness bug in smb_direct_prepare_negotiation(). smb_direct_prepare_negotiation() casts an unsigned __u32 value from sp->max_recv_size and req->preferred_send_size to a signed int before computing min_t(int, ...). A maliciously provided preferred_send_size of 0x80000000 will return as smaller than max_recv_size, and then be used to set the maximum allowed receive size for the next message. By sending a second message with a large value (>1420 bytes) the attacker can then achieve a heap buffer overflow. This fix replaces min_t(int, ...) with min_t(u32).
02 KernelScan AI Analysis
Risk summary
Unauthenticated remote SMB clients can exploit a signedness bug in the negotiation step of ksmbd's RDMA (SMB Direct) transport to trigger a heap buffer overflow in the kernel. The overflowing message is attacker-supplied and reaches kernel memory before any authentication, so this is a plausible path to arbitrary code execution with kernel privileges on systems running ksmbd with RDMA support enabled. The bug lives in the RDMA transport, so ksmbd deployments serving clients over TCP only are not reachable through this path.
Vulnerability analysis
The vulnerability is in smb_direct_prepare_negotiation(), which takes the server's sp->max_recv_size and the client-supplied req->preferred_send_size, both unsigned 32-bit values, and computes the negotiated receive size with min_t(int, ...). The cast to int means a preferred_send_size of 0x80000000 becomes INT_MIN, which compares as smaller than any sane max_recv_size and is therefore returned as the "minimum"; stored back into an unsigned field it is 0x80000000, far above the limit the server intended, and it becomes the maximum allowed size for the next received message. The receive buffers were allocated for the original limit, so a second message larger than that buffer (the commit message cites >1420 bytes) passes the length check and overflows the heap buffer. The fix replaces min_t(int, ...) with min_t(u32, ...), so the comparison stays unsigned and the client can only lower the limit, never raise it above max_recv_size.
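A minimal model of the negotiation check and the length check that follows it, written as an added example for this page (not code from the kernel source). The min_t macro mimics the kernel's cast-then-compare semantics; the 1420-byte buffer size is chosen to match the threshold quoted in the commit message, and the helper names, the 4096-byte follow-up message and the way the length check is modelled are illustrative assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t u32;

/* Simplified stand-in for the kernel's min_t(): both operands are cast to
 * `type` before the comparison, which is exactly where the bug lives. */
#define min_t(type, x, y) ({ type mx = (type)(x); type my = (type)(y); mx < my ? mx : my; })

/* Illustrative receive-buffer size, matching the ">1420 bytes" threshold in
 * the commit message; an assumption for this model, not the kernel's constant. */
#define RECV_BUF_SIZE 1420u

/* Hypothetical model of the vulnerable negotiation: the client's
 * preferred_send_size is compared against the server's max_recv_size
 * after both are cast to signed int. */
static u32 negotiate_recv_size_vuln(u32 max_recv_size, u32 preferred_send_size)
{
    /* 0x80000000 cast to int is INT_MIN on two's-complement targets, so it
     * "wins" the comparison and comes back as 0x80000000 once the result is
     * stored in an unsigned field. */
    return (u32)min_t(int, max_recv_size, preferred_send_size);
}

/* The fixed form: an unsigned comparison can never return a value larger
 * than max_recv_size. */
static u32 negotiate_recv_size_fixed(u32 max_recv_size, u32 preferred_send_size)
{
    return min_t(u32, max_recv_size, preferred_send_size);
}

/* Model of the length check applied to the next message: accepted if it
 * fits within the negotiated limit. */
static bool recv_accepted(u32 negotiated_max, u32 msg_len)
{
    return msg_len <= negotiated_max;
}

/* A message overflows when the negotiated limit lets it through but the
 * buffer it is copied into was sized for the original limit. */
static bool recv_overflows(u32 negotiated_max, u32 buf_size, u32 msg_len)
{
    return recv_accepted(negotiated_max, msg_len) && msg_len > buf_size;
}

int main(void)
{
    const u32 server_max = RECV_BUF_SIZE;   /* sp->max_recv_size in the model */
    const u32 evil_pref  = 0x80000000u;     /* attacker's preferred_send_size */
    const u32 second_msg = 4096u;           /* constructed follow-up message length */

    u32 v = negotiate_recv_size_vuln(server_max, evil_pref);
    u32 f = negotiate_recv_size_fixed(server_max, evil_pref);

    printf("vulnerable negotiated max: 0x%08x -> %u-byte message overflows: %s\n",
           v, second_msg, recv_overflows(v, RECV_BUF_SIZE, second_msg) ? "yes" : "no");
    printf("fixed negotiated max:      0x%08x -> %u-byte message overflows: %s\n",
           f, second_msg, recv_overflows(f, RECV_BUF_SIZE, second_msg) ? "yes" : "no");
    return 0;
}
```

The vulnerable path negotiates 0x80000000 and then accepts a 4096-byte message into a 1420-byte buffer; the fixed path negotiates 1420 and rejects the same message. The same pattern is worth grepping for elsewhere: any min_t(int, ...) or max_t(int, ...) whose operands originate from an untrusted 32-bit field has this failure mode.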
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.18 | 6.18.16 | ceae058eb707 |
| 6.19 | 6.19.6 | 55abc475d096 |
| mainline | 7.0 | 6b4f875aac34 |