Description
In the Linux kernel, the following vulnerability has been resolved:

smb: client: use kzalloc to zero-initialize security descriptor buffer

Commit 62e7dd0a39c2d ("smb: common: change the data type of num_aces
to le16") split struct smb_acl's __le32 num_aces field into __le16
num_aces and __le16 reserved. The reserved field corresponds to Sbz2
in the MS-DTYP ACL wire format, which must be zero [1].

When building an ACL descriptor in build_sec_desc(), we are using a
kmalloc()'ed descriptor buffer and writing the fields explicitly using
le16() writes now. This never writes to the 2 byte reserved field,
leaving it as uninitialized heap data.

When the reserved field happens to contain non-zero slab garbage,
Samba rejects the security descriptor with "ndr_pull_security_descriptor
failed: Range Error", causing chmod to fail with EINVAL.

Change kmalloc() to kzalloc() to ensure the entire buffer is
zero-initialized.


[1] https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/20233ed8-a6c6-4097-aafa-dd545ed24428
Published: 2026-05-28
Score: 7.0 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel SMB client (cifs) allocates the security descriptor buffer it sends to the server with kmalloc() and then writes each ACL header field explicitly, so the 2‑byte reserved field (Sbz2 in the MS-DTYP ACL layout) keeps whatever the slab allocator left in it. Two things follow. First, those two bytes of uninitialized kernel heap memory are placed in the descriptor that goes to the server, which is a small but real disclosure of kernel memory to the peer. Second, when the bytes happen to be non‑zero, Samba's parser rejects the descriptor ("ndr_pull_security_descriptor failed: Range Error") and the chmod that triggered it fails with EINVAL, so permission changes over such mounts fail intermittently depending on slab contents. There is no memory corruption and no privilege escalation; the root cause is a missing initialization of a resource (CWE-909).
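The mechanism above reduces to one untouched field in a recycled buffer, and the reason the server reports a range error rather than a complaint about Sbz2 is that an NDR-style parser reads AceCount and Sbz2 together as one 32-bit count. The following added example (not kernel or Samba code) models the MS-DTYP ACL header that build_sec_desc() fills, builds it once over kmalloc()-style recycled memory and once over kzalloc()-style zeroed memory, and runs both through a receiver check. The 0xA5 poison pattern, the MAX_ACES bound of 2000 and all function names are assumptions of the example.

```c
/*
 * Added example, not code from the kernel or from Samba. Models the
 * MS-DTYP ACL header the SMB client builds in build_sec_desc()
 * (AclRevision:1, Sbz1:1, AclSize:2, AceCount:2, Sbz2:2, little-endian)
 * and a receiver that reads AceCount and Sbz2 as one 32-bit count with
 * an upper bound. Assumed: the 0xA5 "slab garbage" pattern, MAX_ACES,
 * and every function name below.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ACL_REVISION   2
#define ACL_HDR_LEN    8
#define SLAB_POISON    0xA5   /* constructed: what the previous owner left in the slab */
#define MAX_ACES       2000   /* assumed receiver-side range limit on the ACE count */

static void put_le16(uint8_t *p, uint16_t v)
{
	p[0] = (uint8_t)(v & 0xff);
	p[1] = (uint8_t)(v >> 8);
}

static uint16_t get_le16(const uint8_t *p)
{
	return (uint16_t)(p[0] | ((uint16_t)p[1] << 8));
}

static uint32_t get_le32(const uint8_t *p)
{
	return (uint32_t)get_le16(p) | ((uint32_t)get_le16(p + 2) << 16);
}

/* Stand-ins for kmalloc()/kzalloc(): kmalloc hands back recycled memory, kzalloc zeroes it. */
static uint8_t *kmalloc_sim(size_t len)
{
	uint8_t *p = malloc(len);
	if (p)
		memset(p, SLAB_POISON, len);
	return p;
}

static uint8_t *kzalloc_sim(size_t len)
{
	return calloc(1, len);
}

/*
 * The pre-fix write pattern: every named field gets an explicit store and
 * the 2-byte reserved field at offset 6 is never touched. The fix changes
 * only the allocator, so both paths share this function. ACE bodies are
 * omitted: AceCount is 0 and AclSize covers the header only.
 */
static void fill_acl_hdr(uint8_t *acl)
{
	acl[0] = ACL_REVISION;          /* AclRevision */
	acl[1] = 0;                     /* Sbz1 */
	put_le16(acl + 2, ACL_HDR_LEN); /* AclSize */
	put_le16(acl + 4, 0);           /* AceCount (the split-off __le16 num_aces) */
	/* acl[6..7] is Sbz2 / reserved: not written, which is the bug. */
}

/* Build the header as the client did before (zero_alloc == 0) or after (zero_alloc != 0) the fix. */
uint8_t *build_acl_hdr(int zero_alloc)
{
	uint8_t *acl = zero_alloc ? kzalloc_sim(ACL_HDR_LEN) : kmalloc_sim(ACL_HDR_LEN);
	if (acl)
		fill_acl_hdr(acl);
	return acl;
}

/* The reserved field as it would appear on the wire. */
unsigned reserved_field(const uint8_t *acl)
{
	return get_le16(acl + 6);
}

/*
 * Receiver-side check. With a 32-bit ace count, garbage in Sbz2 lands in
 * the high 16 bits and trips the range check. Returns 0 on accept, -1 on reject.
 */
int server_check(const uint8_t *acl, size_t len)
{
	if (len < ACL_HDR_LEN || acl[0] != ACL_REVISION || acl[1] != 0)
		return -1;
	if (get_le16(acl + 2) < ACL_HDR_LEN || get_le16(acl + 2) > len)
		return -1;
	if (get_le32(acl + 4) > MAX_ACES)
		return -1;              /* the "Range Error" case */
	return 0;
}

/* Header bytes still carrying the poison, i.e. heap bytes that would leave the host. */
int leaked_bytes(const uint8_t *acl)
{
	int n = 0;
	for (size_t i = 0; i < ACL_HDR_LEN; i++)
		if (acl[i] == SLAB_POISON)
			n++;
	return n;
}

int main(void)
{
	for (int zero_alloc = 0; zero_alloc <= 1; zero_alloc++) {
		uint8_t *acl = build_acl_hdr(zero_alloc);
		if (!acl)
			return 1;
		printf("%s: reserved=0x%04x leaked=%d server=%s\n",
		       zero_alloc ? "kzalloc" : "kmalloc", reserved_field(acl),
		       leaked_bytes(acl), server_check(acl, ACL_HDR_LEN) ? "reject" : "accept");
		free(acl);
	}
	return 0;
}
```

The kmalloc path leaves two poison bytes in Sbz2, so the receiver sees an ACE count of 0xA5A50000 and rejects the descriptor, while the kzalloc path produces an identical header with a zero reserved field that passes. The check mirrors the symptom in the commit message (a range error, not a parse failure on Sbz2 itself); the exact bound a real server applies is not given on this page.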

Affected Systems

Kernels that contain commit 62e7dd0a39c2d ("smb: common: change the data type of num_aces to le16"), which introduced the separate 16‑bit reserved field, and that do not yet carry the kzalloc fix described above. Note that 62e7dd0a39c2d is the commit that introduced the bug, not the fix; the fix's own commit id is not listed on this page. Any host with the SMB client (cifs) built in or loaded that changes ACLs on a mount served by Samba, or by another server that validates the reserved field, is affected. The trigger is an ordinary chmod, so no privilege beyond what is needed to chmod the file is required.

Risk and Exploitability

This is a correctness defect in the client's own request construction rather than something a remote party triggers: the uninitialized bytes are produced locally whenever a chmod builds a security descriptor, and whether the call fails depends on what the slab allocator hands out. The listed CVSS 3.1 vector (AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H, 7.0) is High on the CVSS scale, but its C:H/I:H/A:H impact does not match the behaviour the commit message describes, and Red Hat rates the issue Moderate. What the description supports is a local denial of service of ACL updates plus disclosure of two bytes of kernel heap to the server. The EPSS score of < 1% and the absence of the CVE from the CISA KEV catalog are consistent with that: there is no known path from this bug to code execution or privilege escalation.

Generated by OpenCVE AI on May 29, 2026 at 04:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a kernel that carries the upstream fix "smb: client: use kzalloc to zero-initialize security descriptor buffer" (its commit id is not listed on this page; 62e7dd0a39c2d is the commit that introduced the reserved field, not the fix)
  • If a kernel upgrade is not immediately possible, expect intermittent EINVAL from chmod on affected SMB mounts and watch the Samba server log for "ndr_pull_security_descriptor failed: Range Error"; the failure is not attacker-controlled, so restricting who can run SMB tools does not reduce it
  • If you build your own kernels, apply the one-line change (kmalloc() to kzalloc() for the descriptor buffer in build_sec_desc()) as a local patch and rebuild

Generated by OpenCVE AI on May 29, 2026 at 04:31 UTC.

Tracking


Advisories

No advisories yet.

History

Fri, 29 May 2026 03:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-788

Fri, 29 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-909
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate


Thu, 28 May 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-788

Thu, 28 May 2026 10:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: smb: client: use kzalloc to zero-initialize security descriptor buffer Commit 62e7dd0a39c2d ("smb: common: change the data type of num_aces to le16") split struct smb_acl's __le32 num_aces field into __le16 num_aces and __le16 reserved. The reserved field corresponds to Sbz2 in the MS-DTYP ACL wire format, which must be zero [1]. When building an ACL descriptor in build_sec_desc(), we are using a kmalloc()'ed descriptor buffer and writing the fields explicitly using le16() writes now. This never writes to the 2 byte reserved field, leaving it as uninitialized heap data. When the reserved field happens to contain non-zero slab garbage, Samba rejects the security descriptor with "ndr_pull_security_descriptor failed: Range Error", causing chmod to fail with EINVAL. Change kmalloc() to kzalloc() to ensure the entire buffer is zero-initialized. [1] https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/20233ed8-a6c6-4097-aafa-dd545ed24428
Title smb: client: use kzalloc to zero-initialize security descriptor buffer
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-14T17:57:22.559Z

Reserved: 2026-05-13T15:03:33.100Z

Link: CVE-2026-46139

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-28T10:16:29.470

Modified: 2026-05-28T13:44:01.663

Link: CVE-2026-46139

Redhat

Severity : Moderate

Public Date: 2026-05-28T00:00:00Z

Links: CVE-2026-46139 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-29T04:45:36Z

Weaknesses
  • CWE-909

    Missing Initialization of Resource