CVE-2026-43490

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
15/05/2026
Last modified:
15/05/2026

Description

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: validate inherited ACE SID length

smb_inherit_dacl() walks the parent directory DACL loaded from the security descriptor xattr. It verifies that each ACE contains the fixed SID header before using it, but does not verify that the variable-length SID described by sid.num_subauth is fully contained in the ACE.

A malformed inheritable ACE can advertise more subauthorities than are present in the ACE. compare_sids() may then read past the ACE. smb_set_ace() also clamps the copied destination SID, but used the unchecked source SID count to compute the inherited ACE size. That could advance the temporary inherited ACE buffer pointer and nt_size accounting past the allocated buffer.

Fix this by validating the parent ACE SID count and SID length before using the SID during inheritance. Compute the inherited ACE size from the copied SID so the size matches the bounded destination SID. Reject the inherited DACL if size accumulation would overflow smb_acl.size or the security descriptor allocation size.
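
The checks the description calls for, sketched as a user-space C example added here; it is not the ksmbd code or the upstream patch. The function names, the flat byte layout (ACE header followed by a SID, as in MS-DTYP) and the 16-bit limit on the accumulated ACL size are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Simplified byte layout (MS-DTYP ACE + SID); hypothetical names, not ksmbd's structs. */
#define SID_MAX_SUB_AUTHORITIES 15
#define ACE_HDR_LEN   8u  /* type(1) flags(1) size(2, LE) access mask(4) */
#define SID_FIXED_LEN 8u  /* revision(1) num_subauth(1) authority(6) */

/* Length of the SID in the ACE at buf[off], or -1 if it is not fully contained. */
int ace_sid_len(const uint8_t *buf, size_t buf_len, size_t off)
{
    if (off > buf_len || buf_len - off < ACE_HDR_LEN + SID_FIXED_LEN)
        return -1;                          /* fixed ACE + SID header missing */
    size_t ace_size = (size_t)buf[off + 2] | ((size_t)buf[off + 3] << 8);
    if (ace_size < ACE_HDR_LEN + SID_FIXED_LEN || ace_size > buf_len - off)
        return -1;                          /* ACE size does not fit the buffer */
    uint8_t num_subauth = buf[off + ACE_HDR_LEN + 1];
    if (num_subauth > SID_MAX_SUB_AUTHORITIES)
        return -1;
    size_t sid_len = SID_FIXED_LEN + 4u * num_subauth;
    if (sid_len > ace_size - ACE_HDR_LEN)
        return -1;                          /* subauthorities run past the ACE */
    return (int)sid_len;
}

/* Sum the sizes inherited ACEs would occupy; -1 on a malformed ACE or 16-bit overflow. */
long inherited_dacl_size(const uint8_t *buf, size_t buf_len, unsigned num_aces)
{
    size_t off = 0, total = 0;
    for (unsigned i = 0; i < num_aces; i++) {
        int sid_len = ace_sid_len(buf, buf_len, off);
        if (sid_len < 0)
            return -1;
        size_t new_size = ACE_HDR_LEN + (size_t)sid_len;  /* from the validated SID */
        if (new_size > UINT16_MAX - total)
            return -1;                      /* would overflow a 16-bit ACL size */
        total += new_size;
        off += (size_t)buf[off + 2] | ((size_t)buf[off + 3] << 8);
    }
    return (long)total;
}

/* Constructed samples: one 20-byte ACE, SID S-1-5-18 with 1 vs. a claimed 5 subauths. */
const uint8_t ace_ok[20]  = {0, 3, 20, 0, 0xff, 0x01, 0x1f, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
const uint8_t ace_bad[20] = {0, 3, 20, 0, 0xff, 0x01, 0x1f, 0, 1, 5, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
```
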

Impact