CVE-2026-46195
Buffer Overflow in Linux Kernel SMB Client
Publication date: 2026-05-28
Last updated on: 2026-05-28
Assigner: kernel.org
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN | |
AI Powered Q&A
Can you explain this vulnerability to me?
The bug is in the Linux kernel's SMB client. A security descriptor returned by the server carries a 'dacloffset' field that gives the position of the Discretionary Access Control List (DACL) inside that descriptor, and the client used this server-supplied value to compute the DACL's address before checking it.
Specifically, parse_sec_desc(), build_sec_desc() and the chown path in id_mode_to_cifs_acl() each add 'dacloffset' to the descriptor pointer first and only afterwards check that the resulting DACL header lies inside the security descriptor.
On a 32-bit kernel that order is fatal: a malicious server can set 'dacloffset' close to U32_MAX so that the addition wraps around. The computed pointer lands below the buffer, the "does the DACL end before the buffer ends" comparison passes, and the kernel goes on to read DACL fields from memory outside the security descriptor while it processes a chmod or chown on the share.
The fix validates 'dacloffset' as an integer against the descriptor length before any DACL pointer is formed, and the same validation helper is reused at all three affected entry points.
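The following C program is an added example, not code from the kernel or from this page. It reproduces the two check orders the answer describes. Kernel addresses are emulated as uint32_t so the 32-bit wrap-around shows up on any host, and the struct layouts, field names, sample descriptor bytes and the 0xC0A00000 base address are this example's own constructions, modelled on the standard security descriptor layout rather than copied from the kernel.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Minimal wire layouts modelled on the SMB security descriptor this page
 * describes. Struct and field names are this example's own, not the kernel's. */
struct sd_hdr {
    uint8_t  revision;
    uint8_t  sbz1;
    uint16_t control;
    uint32_t osidoffset;
    uint32_t gsidoffset;
    uint32_t sacloffset;
    uint32_t dacloffset;    /* server-controlled: the value under attack */
};                          /* 20 bytes */

struct dacl_hdr {
    uint8_t  revision;
    uint8_t  sbz1;
    uint16_t size;
    uint32_t num_aces;
};                          /* 8 bytes */

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static void put_le32(uint8_t *p, uint32_t v)
{
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff;
    p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

/* Pointer-first check, the pattern the advisory describes. Addresses are
 * emulated as uint32_t so the 32-bit wrap reproduces on any host: with
 * dacloffset near U32_MAX, sd_addr + dacloffset wraps to an address *below*
 * the buffer, so comparing the DACL end against the buffer end passes. */
bool dacl_fits_ptr_first(uint32_t sd_addr, uint32_t sd_len, uint32_t dacloffset)
{
    uint32_t end = sd_addr + sd_len;
    uint32_t dacl = sd_addr + dacloffset;                    /* wraps mod 2^32 */
    uint32_t dacl_end = dacl + (uint32_t)sizeof(struct dacl_hdr);
    return dacl_end <= end;
}

/* Offset-first check, the shape of the fix: bound the integer against the
 * descriptor length before any pointer exists, so there is nothing to wrap.
 * The header-overlap test is an extra sanity check added by this example. */
bool dacl_fits_offset_first(uint32_t sd_len, uint32_t dacloffset)
{
    if (sd_len < sizeof(struct sd_hdr) + sizeof(struct dacl_hdr))
        return false;
    if (dacloffset < sizeof(struct sd_hdr))                 /* overlaps header */
        return false;
    return dacloffset <= sd_len - sizeof(struct dacl_hdr);
}

/* Read num_aces from a received descriptor, gated by the offset-first check.
 * Returns the ACE count, or -1 if the DACL header does not fit the buffer. */
long parse_dacl_num_aces(const uint8_t *sd, uint32_t sd_len)
{
    if (sd_len < sizeof(struct sd_hdr))
        return -1;
    uint32_t dacloffset = le32(sd + offsetof(struct sd_hdr, dacloffset));
    if (!dacl_fits_offset_first(sd_len, dacloffset))
        return -1;
    return le32(sd + dacloffset + offsetof(struct dacl_hdr, num_aces));
}

/* Constructed sample descriptor (not captured traffic): a header followed by a
 * DACL at byte 20; dacloffset is whatever the "server" chooses to advertise. */
#define SD_LEN 64u
void build_sd(uint8_t *buf, uint32_t dacloffset, uint32_t num_aces)
{
    memset(buf, 0, SD_LEN);
    buf[0] = 1;                                              /* SD revision */
    put_le32(buf + offsetof(struct sd_hdr, dacloffset), dacloffset);
    buf[20] = 2;                                             /* ACL revision */
    put_le32(buf + 20 + offsetof(struct dacl_hdr, num_aces), num_aces);
}

int main(void)
{
    const uint32_t sd_addr = 0xC0A00000u;   /* emulated 32-bit kernel address */
    const uint32_t offsets[] = { 20u, 1000u, 0xFFFFFFF0u };  /* good, big, wrapping */
    uint8_t buf[SD_LEN];

    for (size_t i = 0; i < sizeof offsets / sizeof offsets[0]; i++) {
        build_sd(buf, offsets[i], 2u);
        printf("dacloffset=0x%08x ptr-first=%s offset-first=%s parsed=%ld\n",
               offsets[i],
               dacl_fits_ptr_first(sd_addr, SD_LEN, offsets[i]) ? "pass" : "reject",
               dacl_fits_offset_first(SD_LEN, offsets[i]) ? "pass" : "reject",
               parse_dacl_num_aces(buf, SD_LEN));
    }
    return 0;
}
```

The pointer-first check rejects an ordinary oversized offset such as 1000, which is why it looks correct, yet it passes 0xFFFFFFF0: the 32-bit sum 0xC0A00000 + 0xFFFFFFF0 wraps to 0xC09FFFF0, sixteen bytes before the buffer, and a DACL "ending" there is below the buffer end. The offset-first check compares only the integer against the length and rejects it. On a 64-bit kernel a 32-bit offset added to a 64-bit pointer cannot wrap, which is why the advisory limits the wrap-around to 32-bit systems.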
How can this vulnerability impact me?
A malicious or compromised SMB server can make the client kernel read DACL data through a pointer that lies outside the security descriptor while it processes a chmod or chown on a file on that share.
On 32-bit kernels this results in invalid kernel memory accesses: at minimum a crash of the client (denial of service), and potentially kernel memory corruption or privilege escalation if the malformed descriptor can be exploited further. The wrap-around described here does not occur on 64-bit kernels, where a 32-bit offset cannot carry pointer arithmetic past the end of the address space.
What immediate steps should I take to mitigate this vulnerability?
Update to a Linux kernel that contains the fix, which validates 'dacloffset' numerically before any DACL pointer is built and applies the same helper at the three DACL entry points in the SMB client.
Until the update is applied, the exposure is limited to 32-bit hosts that mount SMB shares from servers they do not control. Avoid mounting untrusted or internet-reachable shares from such hosts, keeping in mind that any server you connect to, including a legitimate one that has been compromised, can send the malformed descriptor.