smb: client: fix in-place encryption corruption in SMB2_write()

CVE	CVE-2026-43362
State	PUBLISHED
Assigner	Linux
Source Priority	CVE Program / NVD first with legacy fallback
Published	2026-05-08 15:16:47 UTC
Updated	2026-05-11 08:16:11 UTC
Description	In the Linux kernel, the following vulnerability has been resolved: smb: client: fix in-place encryption corruption in SMB2_write() SMB2_write() places write payload in iov[1..n] as part of rq_iov. smb3_init_transform_rq() pointer-shares rq_iov, so crypt_message() encrypts iov[1] in-place, replacing the original plaintext with ciphertext. On a replayable error, the retry sends the same iov[1] which now contains ciphertext instead of the original data, resulting in corruption. The corruption is most likely to be observed when connections are unstable, as reconnects trigger write retries that re-send the already-encrypted data. This affects SFU mknod, MF symlinks, etc. On kernels before 6.10 (prior to the netfs conversion), sync writes also used this path and were similarly affected. The async write path wasn't unaffected as it uses rq_iter which gets deep-copied. Fix by moving the write payload into rq_iter via iov_iter_kvec(), so smb3_init_transform_rq() deep-copies it before encryption.

Primary CVSS: v3.1 8.1 HIGH from 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H

EPSS: 0.000100000 probability, percentile 0.012390000 (date 2026-05-10)

Version	Source	Type	Score	Severity	Vector
3.1	416baaa9-dc9f-4396-8d5f-8c081fb06d67	Secondary	8.1	HIGH	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H`
3.1	CNA	DECLARED	8.1	HIGH	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H`

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

High

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H

Source	Vendor	Product	Version	Platforms
CNA	Linux	Linux	affected 026e93dc0a3eefb0be060bcb9ecd8d7a7fd5c398 438e77435aee2894d5edf90be5c87004a57f6258 git	Not specified
CNA	Linux	Linux	affected 026e93dc0a3eefb0be060bcb9ecd8d7a7fd5c398 52327268224fb9ccc7ecfbbdfdfff54b6e93c518 git	Not specified
CNA	Linux	Linux	affected 026e93dc0a3eefb0be060bcb9ecd8d7a7fd5c398 92e64f1852f455f57d0850989e57c30d7fac7d95 git	Not specified
CNA	Linux	Linux	affected 026e93dc0a3eefb0be060bcb9ecd8d7a7fd5c398 aea5e37388a080361110ab5790f57ae0af383650 git	Not specified
CNA	Linux	Linux	affected 026e93dc0a3eefb0be060bcb9ecd8d7a7fd5c398 d78840a6a38d312dc1a51a65317bb67e46f0b929 git	Not specified
CNA	Linux	Linux	affected 4.11	Not specified
CNA	Linux	Linux	unaffected 4.11 semver	Not specified
CNA	Linux	Linux	unaffected 6.6.130 6.6.* semver	Not specified
CNA	Linux	Linux	unaffected 6.12.78 6.12.* semver	Not specified
CNA	Linux	Linux	unaffected 6.18.19 6.18.* semver	Not specified
CNA	Linux	Linux	unaffected 6.19.9 6.19.* semver	Not specified
CNA	Linux	Linux	unaffected 7.0 * original_commit_for_fix	Not specified

Reference	Source	Link	Tags
git.kernel.org/stable/c/aea5e37388a080361110ab5790f57ae0af383650	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/52327268224fb9ccc7ecfbbdfdfff54b6e93c518	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/438e77435aee2894d5edf90be5c87004a57f6258	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/92e64f1852f455f57d0850989e57c30d7fac7d95	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/d78840a6a38d312dc1a51a65317bb67e46f0b929	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

There are currently no legacy QID mappings associated with this CVE.