CVE-2023-4130 in Linux
Summary
by MITRE • 08/16/2025
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: fix wrong next length validation of ea buffer in smb2_set_ea()
There are multiple smb2_ea_info buffers in FILE_FULL_EA_INFORMATION request from client. ksmbd find next smb2_ea_info using ->NextEntryOffset of current smb2_ea_info. ksmbd need to validate buffer length Before accessing the next ea. ksmbd should check buffer length using buf_len, not next variable. next is the start offset of current ea that got from previous ea.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 01/30/2026
The vulnerability identified as CVE-2023-4130 affects the Linux kernel's ksmbd implementation, which provides SMB/CIFS file sharing capabilities for Linux systems. This flaw exists within the smb2_set_ea() function responsible for handling extended attributes in SMB2 file operations. The issue stems from improper validation of buffer boundaries when processing FILE_FULL_EA_INFORMATION requests containing multiple smb2_ea_info structures. The ksmbd subsystem processes these extended attribute buffers sequentially by using the NextEntryOffset field from each current smb2_ea_info structure to locate subsequent entries. However, the validation logic incorrectly utilizes the next variable for buffer length checks instead of the actual buffer length parameter buf_len, creating a potential for improper memory access patterns.
The technical flaw manifests when ksmbd attempts to traverse through multiple extended attribute entries within a single request. The vulnerability occurs because the validation mechanism fails to properly verify whether sufficient buffer space exists before accessing the next extended attribute entry. This incorrect buffer validation approach means that an attacker could potentially craft malicious SMB2 requests with malformed NextEntryOffset values that would bypass the boundary checks. The next variable represents the offset of the current entry from the beginning of the buffer and does not indicate the available buffer length, leading to a scenario where the system might attempt to read beyond the allocated buffer boundaries. This type of error falls under the CWE-129 vulnerability category, which specifically addresses improper validation of buffer boundaries, and aligns with ATT&CK technique T1210 for exploitation of remote services through buffer overflows.
The operational impact of this vulnerability extends beyond simple memory corruption, potentially enabling attackers to execute arbitrary code on affected systems or cause denial of service conditions. When an attacker successfully exploits this flaw, they can manipulate the buffer traversal logic to access memory locations that should remain protected, potentially leading to privilege escalation or system compromise. Systems running ksmbd with SMB/CIFS services enabled are particularly vulnerable, especially those serving as file servers or network shares within enterprise environments. The vulnerability is especially concerning because it affects the core SMB2 extended attribute handling functionality, which is frequently used in enterprise file sharing scenarios. Network-based attacks can be executed without requiring authentication, making the attack surface broader and the potential impact more severe.
Mitigation strategies for CVE-2023-4130 should prioritize applying the official kernel patches that correct the buffer validation logic in the ksmbd subsystem. Administrators should immediately update their Linux kernels to versions containing the fix, as the vulnerability exists in the core kernel networking stack. Network segmentation and access controls should be implemented to limit exposure of SMB services to trusted networks only, reducing the attack surface. Monitoring systems should be configured to detect unusual SMB2 extended attribute requests that might indicate exploitation attempts. Additional defensive measures include implementing firewall rules that restrict SMB port access and enabling kernel hardening features such as stack canaries and address space layout randomization. Security teams should also conduct vulnerability assessments to identify systems running affected versions of ksmbd and ensure proper patch management procedures are in place to prevent similar issues from arising in the future. The fix specifically addresses the incorrect use of buffer validation parameters and ensures that all buffer access operations properly validate against the actual buffer length rather than relative offsets.