CVE-2026-46195
Analyzed Analyzed - Analysis Complete
Buffer Overflow in Linux Kernel SMB Client

Publication date: 2026-05-28

Last updated on: 2026-06-10

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: smb: client: validate dacloffset before building DACL pointers parse_sec_desc(), build_sec_desc(), and the chown path in id_mode_to_cifs_acl() all add the server-supplied dacloffset to pntsd before proving a DACL header fits inside the returned security descriptor. On 32-bit builds a malicious server can return dacloffset near U32_MAX, wrap the derived DACL pointer below end_of_acl, and then slip past the later pointer-based bounds checks. build_sec_desc() and id_mode_to_cifs_acl() can then dereference DACL fields from the wrapped pointer in the chmod/chown rewrite paths. Validate dacloffset numerically before building any DACL pointer and reuse the same helper at the three DACL entry points.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-28
Last Modified
2026-06-10
Generated
2026-06-17
AI Q&A
2026-05-28
EPSS Evaluated
2026-06-16
NVD
CVE-2026-46195
EUVD
EUVD-2026-32822
Affected Vendors & Products
Showing 6 associated CPEs
Vendor Product Version / Range
linux linux_kernel 7.1
linux linux_kernel 7.1
linux linux_kernel From 6.13 (inc) to 6.18.30 (exc)
linux linux_kernel From 6.19 (inc) to 7.0.7 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.88 (exc)
linux linux_kernel From 5.12 (inc) to 6.6.140 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-476 The product dereferences a pointer that it expects to be valid but is NULL.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's SMB client code where the server-supplied 'dacloffset' value is not properly validated before being used to build pointers to Discretionary Access Control List (DACL) entries.

Specifically, functions like parse_sec_desc(), build_sec_desc(), and the chown path in id_mode_to_cifs_acl() add the 'dacloffset' to a pointer before checking if the resulting DACL header fits inside the security descriptor.

On 32-bit systems, a malicious server can supply a 'dacloffset' value near the maximum 32-bit unsigned integer (U32_MAX), causing pointer arithmetic to wrap around and bypass bounds checks. This allows the kernel to dereference invalid or maliciously crafted DACL fields during chmod or chown operations.

The fix involves validating the 'dacloffset' numerically before building any DACL pointer and reusing this validation helper in all three affected code paths.

Impact Analysis

This vulnerability can allow a malicious SMB server to cause the Linux kernel to dereference invalid memory pointers during permission-related operations like chmod or chown.

On affected 32-bit systems, this could lead to kernel memory corruption, potentially causing system crashes, denial of service, or even privilege escalation if exploited successfully.

Mitigation Strategies

The vulnerability has been resolved by validating the dacloffset numerically before building any DACL pointer and reusing the same helper at the three DACL entry points in the Linux kernel SMB client code.

To mitigate this vulnerability immediately, you should update your Linux kernel to a version that includes this fix.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-46195. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart