{"id":"CVE-2026-43112","summary":"fs/smb/client: fix out-of-bounds read in cifs_sanitize_prepath","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nfs/smb/client: fix out-of-bounds read in cifs_sanitize_prepath\n\nWhen cifs_sanitize_prepath is called with an empty string or a string\ncontaining only delimiters (e.g., \"/\"), the current logic attempts to\ncheck *(cursor2 - 1) before cursor2 has advanced. This results in an\nout-of-bounds read.\n\nThis patch adds an early exit check after stripping prepended\ndelimiters. If no path content remains, the function returns NULL.\n\nThe bug was identified via manual audit and verified using a\nstandalone test case compiled with AddressSanitizer, which\ntriggered a SEGV on affected inputs.","modified":"2026-07-10T03:54:33.579502319Z","published":"2026-05-06T07:40:38.563Z","related":["ALSA-2026:34911","ALSA-2026:36018","ALSA-2026:36365","ALSA-2026:36366","CGA-j296-h73w-6ccw","SUSE-SU-2026:22043-1","SUSE-SU-2026:22048-1","SUSE-SU-2026:22076-1","SUSE-SU-2026:22087-1","SUSE-SU-2026:22433-1","SUSE-SU-2026:22436-1","SUSE-SU-2026:22458-1","SUSE-SU-2026:22460-1","SUSE-SU-2026:2722-1","SUSE-SU-2026:2799-1","openSUSE-SU-2026:20912-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43112.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/2d29214448ec0f4e7e18bb1c14dd4a6c07f1c439"},{"type":"WEB","url":"https://git.kernel.org/stable/c/49b1ce6d7cfb6c5a49f68bf5ccfcfb6ba14e63c3"},{"type":"WEB","url":"https://git.kernel.org/stable/c/5d4fe469fe7dbff7d874c196bb680a82f2625d95"},{"type":"WEB","url":"https://git.kernel.org/stable/c/78ec5bf2f589ec7fd8f169394bfeca541b077317"},{"type":"WEB","url":"https://git.kernel.org/stable/c/86f9c23e0814cfdffda9eedf0c591c51ba209010"},{"type":"WEB","url":"https://git.kernel.org/stable/c/a2ba20c17de8eb028f96b1d85f119d3d25655bd9"},{"type":"WEB","url":"https://git.kernel.org/stable/c/fbced33599653471b4581dfe1abc7b467031f126"},{"type":"WEB","url":"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-43112.json"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:34911"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:36018"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:36365"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:36366"},{"type":"ADVISORY","url":"https://access.redhat.com/security/cve/CVE-2026-43112"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43112.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43112"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2467015"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"c63433a09d6ae4c226fcbc66da4c58fc189fd746"},{"fixed":"a2ba20c17de8eb028f96b1d85f119d3d25655bd9"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"a31080899d5fdafcccf7f39dd214a814a2c82626"},{"fixed":"fbced33599653471b4581dfe1abc7b467031f126"},{"fixed":"5d4fe469fe7dbff7d874c196bb680a82f2625d95"},{"fixed":"2d29214448ec0f4e7e18bb1c14dd4a6c07f1c439"},{"fixed":"86f9c23e0814cfdffda9eedf0c591c51ba209010"},{"fixed":"49b1ce6d7cfb6c5a49f68bf5ccfcfb6ba14e63c3"},{"fixed":"78ec5bf2f589ec7fd8f169394bfeca541b077317"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"5.15.11"},{"fixed":"5.15.209"}]}],"versions":["v5.15.208","v5.15.207","v5.15.206","v5.15.205","v5.15.204","v5.15.203","v5.15.202","v5.15.201","v5.15.200","v5.15.199","v5.15.198","v5.15.197","v5.15.196","v5.15.195","v5.15.194","v5.15.193","v5.15.192","v5.15.191","v5.15.190","v5.15.189","v5.15.188","v5.15.187","v5.15.186","v5.15.185","v5.15.184","v5.15.183","v5.15.182","v5.15.181","v5.15.180","v5.15.179","v5.15.178","v5.15.177","v5.15.176","v5.15.175","v5.15.174","v5.15.173","v5.15.172","v5.15.171","v5.15.170","v5.15.169","v5.15.168","v5.15.167","v5.15.166","v5.15.165","v5.15.164","v5.15.163","v5.15.162","v5.15.161","v5.15.160","v5.15.159","v5.15.158","v5.15.157","v5.15.156","v5.15.155","v5.15.154","v5.15.153","v5.15.152","v5.15.151","v5.15.150","v5.15.149","v5.15.148","v5.15.147","v5.15.146","v5.15.145","v5.15.144","v5.15.143","v5.15.142","v5.15.141","v5.15.140","v5.15.139","v5.15.138","v5.15.137","v5.15.136","v5.15.135","v5.15.134","v5.15.133","v5.15.132","v5.15.131","v5.15.130","v5.15.129","v5.15.128","v5.15.127","v5.15.126","v5.15.125","v5.15.124","v5.15.123","v5.15.122","v5.15.121","v5.15.120","v5.15.119","v5.15.118","v5.15.117","v5.15.116","v5.15.115","v5.15.114","v5.15.113","v5.15.112","v5.15.111","v5.15.110","v5.15.109","v5.15.108","v5.15.107","v5.15.106","v5.15.105","v5.15.104","v5.15.103","v5.15.102","v5.15.101","v5.15.100","v5.15.99","v5.15.98","v5.15.97","v5.15.96","v5.15.95","v5.15.94","v5.15.93","v5.15.92","v5.15.91","v5.15.90","v5.15.89","v5.15.88","v5.15.87","v5.15.86","v5.15.85","v5.15.84","v5.15.83","v5.15.82","v5.15.81","v5.15.80","v5.15.79","v5.15.78","v5.15.77","v5.15.76","v5.15.75","v5.15.74","v5.15.73","v5.15.72","v5.15.71","v5.15.70","v5.15.69","v5.15.68","v5.15.67","v5.15.66","v5.15.65","v5.15.64","v5.15.63","v5.15.62","v5.15.61","v5.15.60","v5.15.59","v5.15.58","v5.15.57","v5.15.56","v5.15.55","v5.15.54","v5.15.53","v5.15.52","v5.15.51","v5.15.50","v5.15.49","v5.15.48","v5.15.47","v5.15.46","v5.15.45","v5.15.44","v5.15.43","v5.15.42","v5.15.41","v5.15.40","v5.15.39","v5.15.38","v5.15.37","v5.15.36","v5.15.35","v5.15.34","v5.15.33","v5.15.32","v5.15.31","v5.15.30","v5.15.29","v5.15.28","v5.15.27","v5.15.26","v5.15.25","v5.15.24","v5.15.23","v5.15.22","v5.15.21","v5.15.20","v5.15.19","v5.15.18","v5.15.17","v5.15.16","v5.15.15","v5.15.14","v5.15.13","v5.15.12","v5.15.11"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-43112.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"5.15.209"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.16.0"},{"fixed":"6.1.175"},{"fixed":"6.6.136"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.12.83"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.7.0"},{"fixed":"6.18.24"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.19.14"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-43112.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}]}