CVE-2026-43362 (GCVE-0-2026-43362)
Vulnerability from cvelistv5 – Published: 2026-05-08 14:21 – Updated: 2026-05-09 04:10
VLAI?
Title
smb: client: fix in-place encryption corruption in SMB2_write()
Summary
In the Linux kernel, the following vulnerability has been resolved:
smb: client: fix in-place encryption corruption in SMB2_write()
SMB2_write() places write payload in iov[1..n] as part of rq_iov.
smb3_init_transform_rq() pointer-shares rq_iov, so crypt_message()
encrypts iov[1] in-place, replacing the original plaintext with
ciphertext. On a replayable error, the retry sends the same iov[1]
which now contains ciphertext instead of the original data,
resulting in corruption.
The corruption is most likely to be observed when connections are
unstable, as reconnects trigger write retries that re-send the
already-encrypted data.
This affects SFU mknod, MF symlinks, etc. On kernels before
6.10 (prior to the netfs conversion), sync writes also used
this path and were similarly affected. The async write path
wasn't unaffected as it uses rq_iter which gets deep-copied.
Fix by moving the write payload into rq_iter via iov_iter_kvec(),
so smb3_init_transform_rq() deep-copies it before encryption.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
026e93dc0a3eefb0be060bcb9ecd8d7a7fd5c398 , < 438e77435aee2894d5edf90be5c87004a57f6258
(git)
Affected: 026e93dc0a3eefb0be060bcb9ecd8d7a7fd5c398 , < 52327268224fb9ccc7ecfbbdfdfff54b6e93c518 (git) Affected: 026e93dc0a3eefb0be060bcb9ecd8d7a7fd5c398 , < 92e64f1852f455f57d0850989e57c30d7fac7d95 (git) Affected: 026e93dc0a3eefb0be060bcb9ecd8d7a7fd5c398 , < aea5e37388a080361110ab5790f57ae0af383650 (git) Affected: 026e93dc0a3eefb0be060bcb9ecd8d7a7fd5c398 , < d78840a6a38d312dc1a51a65317bb67e46f0b929 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/client/smb2pdu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "438e77435aee2894d5edf90be5c87004a57f6258",
"status": "affected",
"version": "026e93dc0a3eefb0be060bcb9ecd8d7a7fd5c398",
"versionType": "git"
},
{
"lessThan": "52327268224fb9ccc7ecfbbdfdfff54b6e93c518",
"status": "affected",
"version": "026e93dc0a3eefb0be060bcb9ecd8d7a7fd5c398",
"versionType": "git"
},
{
"lessThan": "92e64f1852f455f57d0850989e57c30d7fac7d95",
"status": "affected",
"version": "026e93dc0a3eefb0be060bcb9ecd8d7a7fd5c398",
"versionType": "git"
},
{
"lessThan": "aea5e37388a080361110ab5790f57ae0af383650",
"status": "affected",
"version": "026e93dc0a3eefb0be060bcb9ecd8d7a7fd5c398",
"versionType": "git"
},
{
"lessThan": "d78840a6a38d312dc1a51a65317bb67e46f0b929",
"status": "affected",
"version": "026e93dc0a3eefb0be060bcb9ecd8d7a7fd5c398",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/smb/client/smb2pdu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.11"
},
{
"lessThan": "4.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.19",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.9",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "4.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix in-place encryption corruption in SMB2_write()\n\nSMB2_write() places write payload in iov[1..n] as part of rq_iov.\nsmb3_init_transform_rq() pointer-shares rq_iov, so crypt_message()\nencrypts iov[1] in-place, replacing the original plaintext with\nciphertext. On a replayable error, the retry sends the same iov[1]\nwhich now contains ciphertext instead of the original data,\nresulting in corruption.\n\nThe corruption is most likely to be observed when connections are\nunstable, as reconnects trigger write retries that re-send the\nalready-encrypted data.\n\nThis affects SFU mknod, MF symlinks, etc. On kernels before\n6.10 (prior to the netfs conversion), sync writes also used\nthis path and were similarly affected. The async write path\nwasn\u0027t unaffected as it uses rq_iter which gets deep-copied.\n\nFix by moving the write payload into rq_iter via iov_iter_kvec(),\nso smb3_init_transform_rq() deep-copies it before encryption."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-09T04:10:40.255Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/438e77435aee2894d5edf90be5c87004a57f6258"
},
{
"url": "https://git.kernel.org/stable/c/52327268224fb9ccc7ecfbbdfdfff54b6e93c518"
},
{
"url": "https://git.kernel.org/stable/c/92e64f1852f455f57d0850989e57c30d7fac7d95"
},
{
"url": "https://git.kernel.org/stable/c/aea5e37388a080361110ab5790f57ae0af383650"
},
{
"url": "https://git.kernel.org/stable/c/d78840a6a38d312dc1a51a65317bb67e46f0b929"
}
],
"title": "smb: client: fix in-place encryption corruption in SMB2_write()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43362",
"datePublished": "2026-05-08T14:21:16.358Z",
"dateReserved": "2026-05-01T14:12:56.005Z",
"dateUpdated": "2026-05-09T04:10:40.255Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-43362",
"date": "2026-05-09",
"epss": "0.0001",
"percentile": "0.01237"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-43362\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-05-08T15:16:47.133\",\"lastModified\":\"2026-05-08T15:16:47.133\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nsmb: client: fix in-place encryption corruption in SMB2_write()\\n\\nSMB2_write() places write payload in iov[1..n] as part of rq_iov.\\nsmb3_init_transform_rq() pointer-shares rq_iov, so crypt_message()\\nencrypts iov[1] in-place, replacing the original plaintext with\\nciphertext. On a replayable error, the retry sends the same iov[1]\\nwhich now contains ciphertext instead of the original data,\\nresulting in corruption.\\n\\nThe corruption is most likely to be observed when connections are\\nunstable, as reconnects trigger write retries that re-send the\\nalready-encrypted data.\\n\\nThis affects SFU mknod, MF symlinks, etc. On kernels before\\n6.10 (prior to the netfs conversion), sync writes also used\\nthis path and were similarly affected. The async write path\\nwasn\u0027t unaffected as it uses rq_iter which gets deep-copied.\\n\\nFix by moving the write payload into rq_iter via iov_iter_kvec(),\\nso smb3_init_transform_rq() deep-copies it before encryption.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/438e77435aee2894d5edf90be5c87004a57f6258\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/52327268224fb9ccc7ecfbbdfdfff54b6e93c518\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/92e64f1852f455f57d0850989e57c30d7fac7d95\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/aea5e37388a080361110ab5790f57ae0af383650\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/d78840a6a38d312dc1a51a65317bb67e46f0b929\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
}
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…