CVE-2026-43185

Description

In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix signededness bug in smb_direct_prepare_negotiation() smb_direct_prepare_negotiation() casts an unsigned __u32 value from sp->max_recv_size and req->preferred_send_size to a signed int before computing min_t(int, ...). A maliciously provided preferred_send_size of 0x80000000 will return as smaller than max_recv_size, and then be used to set the maximum allowed alowed receive size for the next message. By sending a second message with a large value (>1420 bytes) the attacker can then achieve a heap buffer overflow. This fix replaces min_t(int, ...) with min_t(u32)

CVSS v3.1 Score

9.8

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS — Exploit Prediction

0.0005

Probability of exploitation

0.17%

Percentile rank

EPSS estimates the probability that this vulnerability will be exploited in the wild within the next 30 days. A higher score means more likely to be exploited.

Weakness Type (CWE)

CWE-674 CWE-674

Affected Products

Vendor	Product	Versions
linux	linux_kernel	5.15 — 6.18.16
linux	linux_kernel	6.19 — 6.19.6
linux	linux_kernel	All

References

Advisories & Patches

https://git.kernel.org/stable/c/55abc475d096da4a5356b6efb0cfdc6156bc1550 https://git.kernel.org/stable/c/6b4f875aac344cdd52a1f34cc70ed2f874a65757 https://git.kernel.org/stable/c/ceae058eb707ddd0d68f0872f9d9f23b7c30c37b

Frequently Asked Questions

What is CVE-2026-43185? +

In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix signededness bug in smb_direct_prepare_negotiation() smb_direct_prepare_negotiation() casts an unsigned __u32 value from sp->max_recv_size and req->preferred_send_size to a signed int before computing min_t(int, ...). A maliciously provided preferred_send_size of 0x80000000 will return as smaller than max_recv_size, and then be used to set the maximum allowed alowed receive size for the next message. By sending a second message with a large value (>1420 bytes) the attacker can then achieve a heap buffer overflow. This fix replaces min_t(int, ...) with min_t(u32) It has a CVSS v3.1 base score of 9.8 (CRITICAL).

How severe is CVE-2026-43185? +

CVE-2026-43185 has a CVSS v3.1 score of 9.8 out of 10, rated CRITICAL. This is a critical vulnerability that should be patched immediately. The EPSS score is 0.0005, placing it in the 0th percentile for exploitation probability.

What products are affected by CVE-2026-43185? +

CVE-2026-43185 affects products from linux, specifically: linux_kernel. Check the affected products table above for specific version ranges.

How do I check if I'm vulnerable to CVE-2026-43185? +

You can use Secably's free Website Scanner to check your website for known vulnerabilities. For infrastructure scanning, use the Port Scanner to identify exposed services that may be affected. Check the vendor advisories linked above for specific patch and version information.

Related Vulnerabilities

CVE-2025-10728

When the module renders a Svg file that contains a <pattern> element, it might end up rendering it recursively leading …

CVE-2025-11896

In Xpdf 4.05 (and earlier), a PDF object loop in a CMap, via the "UseCMap" entry, leads to infinite recursion …

CVE-2026-41673

xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In @xmldom/xmldom prior to …

CVE-2023-51803 9.8

LinuxServer.io Heimdall before 2.5.7 does not prevent use of icons that have non-image data such as the "<?php ?>" substring.

CVE-2026-40324 9.1

Hot Chocolate is an open-source GraphQL server. Prior to versions 12.22.7, 13.9.16, 14.3.1, and 15.1.14, Hot Chocolate's recursive descent parser …

CVE-2024-37973 8.8

Secure Boot Security Feature Bypass Vulnerability