In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix signededness bug in smb_direct_prepare_negotiation() smb_direct_prepare_negotiation() casts an unsigned __u32 value from sp->max_recv_size and req->preferred_send_size to a signed int before computing min_t(int, ...). A maliciously provided preferred_send_size of 0x80000000 will return as smaller than max_recv_size, and then be used to set the maximum allowed alowed receive size for the next message. By sending a second message with a large value (>1420 bytes) the attacker can then achieve a heap buffer overflow. This fix replaces min_t(int, ...) with min_t(u32)
The smb_direct_prepare_negotiation() function incorrectly casts unsigned values (__u32) — sp->max_recv_size and req->preferred_send_size — to a signed type (int) before calling min_t(int, ...). An attacker can send a preferred_send_size field with a value of 0x80000000, which when interpreted as a signed number is treated as negative, i.e., less than max_recv_size. This causes setting an overly small limit on the maximum size of received messages. Subsequently, by sending a second packet exceeding 1420 bytes, the attacker triggers a heap buffer overflow. The fix replaces min_t(int, ...) with min_t(u32, ...), eliminating the sign error.
An attacker can trigger a heap buffer overflow in the kernel context of the operating system, which potentially enables remote code execution (RCE), privilege escalation, or system destabilization.
Patches available from the vendor should be applied according to references — fixes have been published in stable Linux kernel branch repositories (commits: 55abc475d096, 6b4f875aac34, ceae058eb707). It is recommended to update the kernel to a version containing the mentioned patches. As a temporary workaround, consider disabling the ksmbd module if SMB Direct is not required in your environment.
Linux kernel with active ksmbd module (SMB Direct/RDMA protocol support); versions indicated in vendor references (commits in stable kernel branches)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HLinux Kernel
OSLinux7.05.15 – 6.18.16 (bez)6.19 – 6.19.6 (bez)
Related vulnerabilities
Type confusion w V8 (Google Chrome) — zdalne uszkodzenie sterty
Commvault Command Center – nieuwierzytelniony RCE przez path traversal w ZIP
IBM Aspera Faspex 4.4.2 Patch Level 1 and earlier could allow a remote attacker to execute arbitrary code on t...
VMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability due to server-s...
VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector address have a...