CVE-2026-46155
Analyzed Analyzed - Analysis Complete
Out-of-Bounds Read in Linux Kernel SMB Client

Publication date: 2026-05-28

Last updated on: 2026-06-09

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: smb/client: fix out-of-bounds read in smb2_compound_op() If a server sends a truncated response but a large OutputBufferLength, and terminates the EA list early, check_wsl_eas() returns success without validating that the entire OutputBufferLength fits within iov_len. Then smb2_compound_op() does: memcpy(idata->wsl.eas, data[0], size[0]); Where size[0] is OutputBufferLength. If iov_len is smaller than size[0], memcpy can read beyond the end of the rsp_iov allocation and leak adjacent kernel heap memory.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-28
Last Modified
2026-06-09
Generated
2026-06-17
AI Q&A
2026-05-28
EPSS Evaluated
2026-06-16
NVD
CVE-2026-46155
EUVD
EUVD-2026-32782
Affected Vendors & Products
Showing 6 associated CPEs
Vendor Product Version / Range
linux linux_kernel 7.1
linux linux_kernel 7.1
linux linux_kernel From 6.13 (inc) to 6.18.30 (exc)
linux linux_kernel From 6.19 (inc) to 7.0.7 (exc)
linux linux_kernel From 6.6.32 (inc) to 6.6.140 (exc)
linux linux_kernel From 6.9 (inc) to 6.12.88 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's SMB client implementation, specifically in the smb2_compound_op() function. When a server sends a truncated response but indicates a large OutputBufferLength and ends the EA list early, the function check_wsl_eas() incorrectly returns success without verifying that the entire OutputBufferLength fits within the allocated buffer length (iov_len).

As a result, smb2_compound_op() performs a memcpy operation using OutputBufferLength as the size, which can cause it to read beyond the allocated buffer. This out-of-bounds read can lead to leaking adjacent kernel heap memory.

Impact Analysis

This vulnerability can lead to the leakage of sensitive kernel heap memory due to an out-of-bounds read. An attacker controlling the server response could exploit this to access unintended memory areas, potentially exposing sensitive information stored in kernel memory.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-46155. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart