External risk intelligence

Linux kernel flaw lets attackers gain control of systems

CVE advisory

Severity: CRITICAL (CVSS 9.8)

CVE-2026-43185

An external attacker can send malicious requests to the Linux file sharing service, potentially causing system crashes or granting them full control over the server. This poses a significant risk by enabling unauthorized access to the operating system and disrupting critical business operations.

Halo Surface Signal: 2

Vulnerability type: Buffer Overflow

Affected product: Linux Kernel

Affected versions:

  • 5.15 to before 6.18.16
  • 6.19 to before 6.19.6
  • 7.0

External exposure likelihood

Halo Surface Signal score for CVE-2026-43185

The vulnerability affects the ksmbd kernel-mode file-sharing service. The SMB protocol is designed for local or private network communication: SMB services are normally reachable only from inside a firewall or over a VPN, and exposing them directly to the public internet is poor security practice and uncommon in standard deployments.

Horizon Alert

Summary of the vulnerability and why it matters

A flaw in the Linux kernel's SMB server could allow an attacker to cause a heap buffer overflow. This means that an attacker could potentially overwrite memory, which can lead to system instability or allow them to execute their own code. This is a significant concern as it could impact the confidentiality, integrity, and availability of systems running the affected Linux kernel.

  • Attackers can exploit this remotely.
  • It impacts the core functionality of the Linux kernel.
  • This could lead to unauthorized code execution.

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker can exploit this vulnerability by sending specially crafted SMB messages to a vulnerable Linux kernel system. The attacker would leverage a signedness bug in `smb_direct_prepare_negotiation()` to manipulate the maximum receive size. This manipulation sets the stage for a subsequent message to trigger a heap buffer overflow, allowing the attacker to potentially execute arbitrary code.

  • Requires network access.
  • Targets ksmbd service.
  • Malicious `preferred_send_size` value.
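The following is an added illustration of the bug class described above (a signedness error when a peer-supplied size is checked against a local maximum) and of the defensive pattern that closes it. It is constructed example code, not the ksmbd or kernel source: the function names, the field name, the buffer sizes and the magic values are all assumptions chosen to make the failure mode visible. The hardened variant shows the general fix pattern (compare in the unsigned domain, then clamp to a sane range) rather than the specific upstream patch.

```c
/* Constructed example: a signedness bug in a size negotiation, beside its fix.
 * Not the ksmbd code; all names and constants are assumptions for illustration. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define LOCAL_MAX_RECV  (1u << 20)  /* assumed local ceiling for one message: 1 MiB */
#define MIN_RECV_SIZE   128u        /* assumed smallest acceptable negotiated size */

/* VULNERABLE pattern: the untrusted wire value is checked with a signed compare.
 * A value with the top bit set (e.g. 0xFFFFFFF0) becomes negative as int32_t, so
 * "preferred < local_max" is true, and the negative value is then stored back
 * into an unsigned field where it wraps to a huge size. */
uint32_t negotiate_recv_size_vulnerable(uint32_t wire_preferred_send_size,
                                        uint32_t local_max)
{
    int32_t preferred = (int32_t)wire_preferred_send_size; /* sign bit now matters */
    if (preferred < (int32_t)local_max)     /* signed comparison: negative "fits" */
        return (uint32_t)preferred;         /* wraps to e.g. 0xFFFFFFF0 */
    return local_max;
}

/* HARDENED pattern: keep the value unsigned throughout and clamp it to a range
 * the receive path can actually honour. A hostile value can only ever yield a
 * size between MIN_RECV_SIZE and local_max. */
uint32_t negotiate_recv_size_hardened(uint32_t wire_preferred_send_size,
                                      uint32_t local_max)
{
    uint32_t preferred = wire_preferred_send_size;
    if (preferred < MIN_RECV_SIZE)
        return MIN_RECV_SIZE;
    if (preferred > local_max)
        return local_max;
    return preferred;
}

/* Simulated receive path. The receive buffer was allocated at buf_len bytes, but
 * the per-message length check uses the *negotiated* maximum. Returns true when
 * a message of msg_len would pass the check and still be larger than the buffer,
 * i.e. the condition under which a later message overflows the heap buffer.
 * (This only models the decision; it never copies out of bounds.) */
bool message_would_overflow(uint32_t negotiated_max, uint32_t buf_len, uint32_t msg_len)
{
    if (msg_len > negotiated_max)
        return false;           /* rejected by the length check */
    return msg_len > buf_len;   /* accepted, but bigger than the real buffer */
}

int main(void)
{
    const uint32_t hostile = 0xFFFFFFF0u;          /* constructed wire value */
    const uint32_t big_msg = LOCAL_MAX_RECV + 1u;  /* one byte past the buffer */

    uint32_t vuln = negotiate_recv_size_vulnerable(hostile, LOCAL_MAX_RECV);
    uint32_t safe = negotiate_recv_size_hardened(hostile, LOCAL_MAX_RECV);

    printf("vulnerable negotiated max: 0x%08x -> later message overflows: %s\n",
           vuln, message_would_overflow(vuln, LOCAL_MAX_RECV, big_msg) ? "yes" : "no");
    printf("hardened   negotiated max: 0x%08x -> later message overflows: %s\n",
           safe, message_would_overflow(safe, LOCAL_MAX_RECV, big_msg) ? "yes" : "no");
    return 0;
}
```

The point a reviewer or fuzzer should look for is the cast to a signed type followed by a signed comparison: the check is present, but it does not bound the value it was meant to bound. Clamping in the unsigned domain, as in the hardened variant, leaves no input that can raise the negotiated maximum above what the buffer was allocated for.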

Live Threat

Current exploitation, exposure, and threat context

This vulnerability in the Linux kernel's SMB module allows a heap buffer overflow. While the flaw itself is severe, the ksmbd service is not typically exposed directly to the public internet, which makes widespread exploitation less probable. Attackers generally favor vulnerabilities that are easier to reach and that sit on a broader attack surface.

  • SMB service not usually internet-facing.
  • Exploitation requires specific network conditions.
  • No immediate public exploit is apparent.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize patching systems running the affected Linux kernel versions, specifically those with the ksmbd service enabled, as a heap buffer overflow vulnerability could lead to remote code execution. If immediate patching isn't feasible, consider disabling the ksmbd service or implementing network access controls to restrict access to it.

  • Patch to a fixed kernel release (6.18.16 or newer on the 6.18 series; per the affected-version data above, 6.19 before 6.19.6 and 7.0 are also affected).
  • Disable ksmbd service if unpatched.
  • Monitor for suspicious SMB traffic.

Frequently asked questions

What is the Linux kernel's ksmbd service?

The Linux kernel's ksmbd is a file-sharing service that implements the Server Message Block (SMB) protocol. It allows systems to share files and printers over a network, commonly used for communication between Windows and Linux machines.

How does CVE-2026-43185 allow for a heap buffer overflow?

CVE-2026-43185 is a signedness bug in the `smb_direct_prepare_negotiation()` function. A specially crafted `preferred_send_size` value can be misinterpreted by the function, leading to an incorrect maximum receive size. A subsequent large message then triggers a heap buffer overflow.

What are the conditions needed to exploit CVE-2026-43185?

Exploitation requires an attacker to send specially crafted SMB messages to a vulnerable Linux kernel system. The vulnerability is triggered by a specific manipulation of the `preferred_send_size` parameter within the `smb_direct_prepare_negotiation()` function.

Who should be concerned about this Linux kernel vulnerability?

Organizations running affected Linux kernel versions with the ksmbd service enabled should be concerned. While the Halo Surface Signal indicates this vulnerability is unlikely to be exposed to the public internet, internal systems could still be at risk.

What is the first step to address CVE-2026-43185?

The primary step is to patch systems running affected Linux kernel versions to a fixed release, such as 6.18.16 or newer on the 6.18 series (the affected-version data above also lists 6.19 before 6.19.6 and 7.0). If patching is not immediately possible, disabling the ksmbd service can mitigate the risk.
