In the Linux kernel, the following vulnerability has been resolved:
ksmbd: fix signededness bug in smbdirectprepare_negotiation()
smbdirectprepare_negotiation() casts an unsigned _u32 value from sp->maxrecvsize and req->preferredsendsize to a signed int before computing mint(int, ...). A maliciously provided preferredsendsize of 0x80000000 will return as smaller than maxrecvsize, and then be used to set the maximum allowed alowed receive size for the next message.
By sending a second message with a large value (>1420 bytes) the attacker can then achieve a heap buffer overflow.
This fix replaces mint(int, ...) with mint(u32)
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43185.json",
"cna_assigner": "Linux"
}