CVE-2026-46139
Awaiting Analysis Awaiting Analysis - Queue
Heap Memory Corruption in Linux Kernel SMB Client

Publication date: 2026-05-28

Last updated on: 2026-05-28

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: smb: client: use kzalloc to zero-initialize security descriptor buffer Commit 62e7dd0a39c2d ("smb: common: change the data type of num_aces to le16") split struct smb_acl's __le32 num_aces field into __le16 num_aces and __le16 reserved. The reserved field corresponds to Sbz2 in the MS-DTYP ACL wire format, which must be zero [1]. When building an ACL descriptor in build_sec_desc(), we are using a kmalloc()'ed descriptor buffer and writing the fields explicitly using le16() writes now. This never writes to the 2 byte reserved field, leaving it as uninitialized heap data. When the reserved field happens to contain non-zero slab garbage, Samba rejects the security descriptor with "ndr_pull_security_descriptor failed: Range Error", causing chmod to fail with EINVAL. Change kmalloc() to kzalloc() to ensure the entire buffer is zero-initialized. [1] https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/20233ed8-a6c6-4097-aafa-dd545ed24428
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-28
Last Modified
2026-05-28
Generated
2026-06-17
AI Q&A
2026-05-28
EPSS Evaluated
2026-06-16
NVD
CVE-2026-46139
EUVD
EUVD-2026-32766
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
samba samba *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Detection Guidance

This vulnerability relates to the Linux kernel's SMB client implementation where an uninitialized reserved field in the security descriptor buffer can cause Samba to reject the security descriptor with an error.

Detection would involve monitoring for error messages such as "ndr_pull_security_descriptor failed: Range Error" or failures of chmod operations returning EINVAL when interacting with SMB shares.

There are no specific commands provided in the available information to detect this vulnerability directly.

Executive Summary

This vulnerability exists in the Linux kernel's SMB client code where a security descriptor buffer was allocated using kmalloc(), which does not zero-initialize memory. Specifically, a reserved 2-byte field in the ACL descriptor buffer was left uninitialized, potentially containing random heap data.

Because this reserved field must be zero according to the MS-DTYP ACL wire format, having non-zero garbage data causes Samba to reject the security descriptor with an error, leading to failures such as chmod returning EINVAL.

The fix was to replace kmalloc() with kzalloc(), which zero-initializes the buffer, ensuring the reserved field is always zero and preventing the error.

Impact Analysis

This vulnerability can cause Samba operations that rely on security descriptors, such as chmod, to fail unexpectedly with errors like EINVAL.

Such failures may disrupt file permission changes and related SMB client functionality, potentially impacting system administration and file sharing operations.

Mitigation Strategies

The vulnerability is caused by the use of kmalloc() which does not zero-initialize the security descriptor buffer, leading to uninitialized heap data in the reserved field.

To mitigate this vulnerability, the immediate step is to ensure that the buffer is zero-initialized by using kzalloc() instead of kmalloc() when allocating the security descriptor buffer.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-46139. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart