Description
In the Linux kernel, the following vulnerability has been resolved:

smb/client: fix out-of-bounds read in smb2_compound_op()

If a server sends a truncated response but a large OutputBufferLength, and
terminates the EA list early, check_wsl_eas() returns success without
validating that the entire OutputBufferLength fits within iov_len.

Then smb2_compound_op() does:

    memcpy(idata->wsl.eas, data[0], size[0]);

Where size[0] is OutputBufferLength. If iov_len is smaller than size[0],
memcpy can read beyond the end of the rsp_iov allocation and leak adjacent
kernel heap memory.
Published: 2026-05-28
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel’s SMB client contains a flaw where the function smb2_compound_op() copies data into an output buffer using a length supplied by the server. When a server sends a truncated response and sets a large OutputBufferLength while prematurely terminating the EA list, the helper check_wsl_eas() incorrectly reports success without confirming that the entire length fits within the allocated iov buffer. As a result, memcpy() may read beyond the end of the rsp_iov allocation, leaking adjacent kernel heap memory. This out‑of‑bounds read compromises the confidentiality of kernel data, potentially exposing sensitive information to an attacker.
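The length inconsistency described above, as an added example (a simplified user-space model, not the kernel's code or its patch). The struct and function names are hypothetical, and the 16-byte response is a constructed sample standing in for rsp_iov.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified user-space model; all names here are hypothetical. */
struct rsp_buf {
    const uint8_t *base;  /* start of the received response */
    size_t len;           /* bytes actually received (the iov_len role) */
};

/* Pattern from the description: the copy length is the server-declared
 * OutputBufferLength, never compared with the bytes actually received. */
void copy_eas_unchecked(uint8_t *dst, const struct rsp_buf *rsp,
                        size_t off, uint32_t out_len)
{
    memcpy(dst, rsp->base + off, out_len);
}

/* Hardened form: the whole declared range [off, off + out_len) must lie
 * inside the received bytes and fit the destination before any copy. */
int copy_eas_checked(uint8_t *dst, size_t dst_cap, const struct rsp_buf *rsp,
                     size_t off, uint32_t out_len)
{
    if (off > rsp->len || out_len > rsp->len - off)
        return -1;  /* declared range exceeds received bytes (overflow-safe) */
    if (out_len > dst_cap)
        return -1;  /* destination too small */
    memcpy(dst, rsp->base + off, out_len);
    return 0;
}

/* Constructed sample: 16 bytes received, caller picks the declared range. */
int demo(size_t off, uint32_t out_len)
{
    uint8_t rsp_bytes[16] = {0}, eas[64];
    struct rsp_buf rsp = { rsp_bytes, sizeof(rsp_bytes) };
    return copy_eas_checked(eas, sizeof(eas), &rsp, off, out_len);
}

int main(void)
{
    printf("truncated: %d\n", demo(8, 64));   /* declared 64, only 8 left */
    printf("consistent: %d\n", demo(8, 8));   /* declared range fits */
    return 0;
}
```

The subtraction form `out_len > rsp->len - off` avoids the integer wrap that `off + out_len > rsp->len` could hit when both values come from the peer.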

Affected Systems

All Linux kernel builds that contain the vulnerable smb/client implementation are affected. No specific versions are listed in the CVE data, so any kernel that has not yet incorporated the patch commits (512d33b, 8d09328, 9b3af35, a16f70a, dffb44b) may be vulnerable. Users should confirm whether their running kernel includes these fixes.

Risk and Exploitability

The CVSS score is 9.1 and the EPSS score is below 1%, indicating a modest but non-negligible likelihood of exploitation. The vulnerability is not in CISA's KEV catalog. The attack requires a malicious SMB server that can send a crafted truncated response; thus the likely vector is server-initiated during normal SMB client communication. An attacker controlling the SMB server could use the memory disclosure to obtain kernel data that might aid further exploitation, although it does not provide immediate remote code execution.

Generated by OpenCVE AI on June 9, 2026 at 22:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that includes the fixed commits (512d33b, 8d09328, 9b3af35, a16f70a, or dffb44b).
  • Use firewall or network policy rules to filter or block SMB client traffic from untrusted servers until the kernel patch is applied.
  • If the SMB client feature is not required, consider disabling it in the kernel configuration to eliminate the code path that is vulnerable.

Advisories

No advisories yet.

History

Tue, 09 Jun 2026 21:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-125
CPEs cpe:2.3:o:linux:linux_kernel:7.1:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.1:rc2:*:*:*:*:*:*

Sat, 30 May 2026 11:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H'}


Fri, 29 May 2026 03:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-122
CWE-20

Fri, 29 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-130
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Important


Thu, 28 May 2026 12:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-122
CWE-20

Thu, 28 May 2026 10:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: smb/client: fix out-of-bounds read in smb2_compound_op() If a server sends a truncated response but a large OutputBufferLength, and terminates the EA list early, check_wsl_eas() returns success without validating that the entire OutputBufferLength fits within iov_len. Then smb2_compound_op() does: memcpy(idata->wsl.eas, data[0], size[0]); Where size[0] is OutputBufferLength. If iov_len is smaller than size[0], memcpy can read beyond the end of the rsp_iov allocation and leak adjacent kernel heap memory.
Title smb/client: fix out-of-bounds read in smb2_compound_op()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-14T17:58:39.543Z

Reserved: 2026-05-13T15:03:33.102Z

Link: CVE-2026-46155

Vulnrichment

No data.

NVD

Status: Analyzed

Published: 2026-05-28T10:16:31.133

Modified: 2026-06-09T21:04:23.930

Link: CVE-2026-46155

Red Hat

Severity: Important

Public Date: 2026-05-28T00:00:00Z

Links: CVE-2026-46155 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-09T23:00:15Z

Weaknesses
  • CWE-125

    Out-of-bounds Read

  • CWE-130

    Improper Handling of Length Parameter Inconsistency