CVE-2026-46195

CRITICAL

smb: client: validate dacloffset before building DACL pointers

Title source: cna
STIX 2.1

Description

In the Linux kernel, the following vulnerability has been resolved: smb: client: validate dacloffset before building DACL pointers parse_sec_desc(), build_sec_desc(), and the chown path in id_mode_to_cifs_acl() all add the server-supplied dacloffset to pntsd before proving a DACL header fits inside the returned security descriptor. On 32-bit builds a malicious server can return dacloffset near U32_MAX, wrap the derived DACL pointer below end_of_acl, and then slip past the later pointer-based bounds checks. build_sec_desc() and id_mode_to_cifs_acl() can then dereference DACL fields from the wrapped pointer in the chmod/chown rewrite paths. Validate dacloffset numerically before building any DACL pointer and reuse the same helper at the three DACL entry points.

References (5)

Core 5

Scores

CVSS v3 9.8
EPSS 0.0050
EPSS Percentile 38.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-476
Status published
Products (15)
Linux/Linux < 5.12
Linux/Linux 5.12
Linux/Linux 6.12.88 - 6.12.*
Linux/Linux 6.18.30 - 6.18.*
Linux/Linux 6.6.140 - 6.6.*
Linux/Linux 7.0.7 - 7.0.*
Linux/Linux 7.1
Linux/Linux 7.1-rc3
Linux/Linux bc3e9dd9d104ca1b75644eab87b38ce8a924aef4 - 3b1ddba19e77ee35241cd27f16dc3e8d14e08db7
Linux/Linux bc3e9dd9d104ca1b75644eab87b38ce8a924aef4 - 8bd07e417b6bda67e317920584e48cb6ee442a8a
... and 5 more
Published May 28, 2026
Tracked Since May 28, 2026