Out-of-Bounds Read in Linux Kernel Affecting CIFS Client
CVE-2026-43112
What is CVE-2026-43112?
A vulnerability in the Linux kernel's CIFS client allows an out-of-bounds read when the cifs_sanitize_prepath function processes an empty string or a string containing only delimiters. The function's logic checks an incorrect pointer before advancing it, so for these inputs it reads from outside the allocated memory bounds, which can lead to unexpected behavior. The issue was discovered through manual code audit and confirmed with a standalone test case built with AddressSanitizer, which produced a segmentation fault for the affected inputs. The patch adds an early exit check: if no valid path content remains, the function terminates gracefully.
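The early-exit guard described above, shown in a user-space C model. This is an added example, not the kernel's code or its patch; the function name sanitize_prepath_model, the delimiter set ('/' and '\'), and the NULL return when nothing remains are assumptions.

```c
#include <stdlib.h>
#include <string.h>

/* Assumed delimiter set for this model: '/' and '\\'. */
static int is_delim(char c) { return c == '/' || c == '\\'; }

/*
 * User-space model of a prefix-path sanitizer (hypothetical, not kernel code).
 * Works in place on a writable buffer: strips leading delimiters, squashes
 * runs of delimiters, drops one trailing delimiter. Returns a heap copy the
 * caller frees, or NULL when no path content remains or allocation fails.
 */
char *sanitize_prepath_model(char *prepath)
{
    char *src = prepath, *dst = prepath, *out;
    size_t len;

    while (is_delim(*src))          /* skip leading delimiters */
        src++;

    /* Early exit: "" and "///" leave nothing to copy. Without it, dst would
     * still equal prepath below and dst[-1] would read before the buffer. */
    if (*src == '\0')
        return NULL;

    while (*src) {
        if (is_delim(src[0]) && is_delim(src[1])) {
            src++;                  /* squash duplicate delimiter */
            continue;
        }
        *dst++ = *src++;
    }
    if (is_delim(dst[-1]))          /* safe: at least one byte was copied */
        dst--;
    *dst = '\0';

    len = (size_t)(dst - prepath) + 1;
    out = malloc(len);
    if (out)
        memcpy(out, prepath, len);
    return out;
}
```

Building this with -fsanitize=address and removing the early-exit check makes the dst[-1] access on an empty or all-delimiter buffer visible as an out-of-bounds read.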
Affected Version(s)
Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 5d4fe469fe7dbff7d874c196bb680a82f2625d95
Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 2d29214448ec0f4e7e18bb1c14dd4a6c07f1c439
Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 86f9c23e0814cfdffda9eedf0c591c51ba209010