CVE-2026-43362

Severity CVSS v4.0: Pending analysis
Type: CWE-787 Out-of-bounds Write
Publication date: 08/05/2026
Last modified: 15/05/2026

Description

In the Linux kernel, the following vulnerability has been resolved:

smb: client: fix in-place encryption corruption in SMB2_write()

SMB2_write() places write payload in iov[1..n] as part of rq_iov. smb3_init_transform_rq() pointer-shares rq_iov, so crypt_message() encrypts iov[1] in-place, replacing the original plaintext with ciphertext. On a replayable error, the retry sends the same iov[1] which now contains ciphertext instead of the original data, resulting in corruption.

The corruption is most likely to be observed when connections are unstable, as reconnects trigger write retries that re-send the already-encrypted data.

This affects SFU mknod, MF symlinks, etc. On kernels before 6.10 (prior to the netfs conversion), sync writes also used this path and were similarly affected. The async write path wasn't unaffected as it uses rq_iter which gets deep-copied.

Fix by moving the write payload into rq_iter via iov_iter_kvec(), so smb3_init_transform_rq() deep-copies it before encryption.
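A user-space model of the retry corruption described above, added here as an illustration; it is not kernel code and not part of the fix. The names toy_encrypt, transform_shared, transform_copied and payload_intact_for_retry are hypothetical, the XOR stands in for real SMB3 encryption, and a single iovec stands in for the payload in iov[1..n].

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/uio.h>

/* Toy stand-in for crypt_message(): XOR each byte in place (not real crypto). */
static void toy_encrypt(struct iovec *iov, int n)
{
    for (int i = 0; i < n; i++)
        for (size_t j = 0; j < iov[i].iov_len; j++)
            ((unsigned char *)iov[i].iov_base)[j] ^= 0x5a;
}

/* Pointer-sharing transform: the caller's buffers are the ones encrypted. */
static void transform_shared(struct iovec *rq, int n)
{
    toy_encrypt(rq, n);
}

/* Deep-copying transform: encrypt a private copy, caller's data is untouched. */
static void transform_copied(const struct iovec *rq, int n)
{
    for (int i = 0; i < n; i++) {
        struct iovec tmp = { .iov_base = malloc(rq[i].iov_len),
                             .iov_len = rq[i].iov_len };
        if (!tmp.iov_base)
            abort();
        memcpy(tmp.iov_base, rq[i].iov_base, tmp.iov_len);
        toy_encrypt(&tmp, 1);          /* the encrypted copy would be sent here */
        free(tmp.iov_base);
    }
}

/* First attempt fails with a replayable error; returns 1 if the buffer the
 * retry would re-send still holds the original plaintext, 0 if corrupted. */
int payload_intact_for_retry(int deep_copy)
{
    const char original[] = "constructed payload";   /* constructed sample */
    char buf[sizeof original];
    memcpy(buf, original, sizeof original);
    struct iovec rq = { .iov_base = buf, .iov_len = sizeof buf };

    if (deep_copy)
        transform_copied(&rq, 1);
    else
        transform_shared(&rq, 1);
    return memcmp(buf, original, sizeof original) == 0;
}

int main(void)
{
    printf("shared: intact=%d\n", payload_intact_for_retry(0));
    printf("copied: intact=%d\n", payload_intact_for_retry(1));
    return 0;
}
```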

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.11 (including) 6.6.130 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7 (including) 6.12.78 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.13 (including) 6.18.19 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.19 (including) 6.19.9 (excluding)
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*