Impact
The vulnerability resides in the SMB client component of the Linux kernel, where the function smb2_compound_op() uses an OutputBufferLength supplied by the server as the length of a copy into a local buffer. When a server returns a truncated response that specifies a large OutputBufferLength but terminates the EA list prematurely, the helper check_wsl_eas() incorrectly reports success without verifying that the full claimed length fits within the allocated iov buffer. Consequently, memcpy() may read past the end of the rsp_iov allocation and expose adjacent kernel heap memory. This out-of-bounds read can leak sensitive kernel data, compromising confidentiality.
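As an added illustration that is not code from the kernel or from the referenced commits, the following C model shows the bounds check a defender expects before a server-supplied OutputBufferLength is used as a memcpy length: the claimed range must lie inside the bytes actually received, not just pass a structural walk of the EA list. The struct and function names, and the sample response sizes, are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <errno.h>

/* Hypothetical model of a received SMB2 response: the bytes actually received
 * (rsp_len, the rsp_iov equivalent) and the offset/length the server claims. */
struct rsp_model {
    const uint8_t *buf;   /* received response bytes */
    size_t rsp_len;       /* bytes actually allocated/received */
    size_t out_off;       /* OutputBufferOffset claimed by the server */
    size_t out_len;       /* OutputBufferLength claimed by the server */
};

/* Hardened check: accept the server's values only if the whole range
 * [out_off, out_off + out_len) lies within the received buffer.
 * Written as two subtractions-free comparisons so it cannot overflow. */
int ea_range_fits(const struct rsp_model *r)
{
    if (r->out_off > r->rsp_len)
        return 0;
    if (r->out_len > r->rsp_len - r->out_off)
        return 0;
    return 1;
}

/* Copy EA data out only after the range check and a destination check.
 * Returns the number of bytes copied, or -EINVAL when the response is short. */
long copy_ea_checked(const struct rsp_model *r, uint8_t *dst, size_t dst_len)
{
    if (!ea_range_fits(r) || r->out_len > dst_len)
        return -EINVAL;
    memcpy(dst, r->buf + r->out_off, r->out_len);
    return (long)r->out_len;
}

/* Constructed sample: a 64-byte response whose header claims 4096 bytes of
 * EA data. Without the range check, memcpy would read 4048 bytes past it. */
long demo_truncated_response(void)
{
    static uint8_t rsp[64];
    uint8_t ea_out[4096];
    struct rsp_model r = { rsp, sizeof rsp, 16, 4096 };
    return copy_ea_checked(&r, ea_out, sizeof ea_out);   /* -EINVAL */
}

/* Constructed sample: the same 64-byte response with a consistent length. */
long demo_well_formed_response(void)
{
    static uint8_t rsp[64];
    uint8_t ea_out[64];
    struct rsp_model r = { rsp, sizeof rsp, 16, 32 };
    return copy_ea_checked(&r, ea_out, sizeof ea_out);   /* 32 */
}
```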
Affected Systems
The affected products are all Linux kernels that contain the vulnerable smb/client implementation. No specific version numbers are provided in the CVE data, so any kernel build that has not yet incorporated the fix carried by the referenced Git commits (512d33b, 8d09328, 9b3af35, a16f70a, dffb44b) is potentially vulnerable. Users should verify whether their installed kernel includes these patches.
Risk and Exploitability
The CVSS score for this issue is not supplied and the EPSS score is currently unavailable; the vulnerability is not listed in CISA's KEV catalog, but it resides in the core kernel. Exploitation requires a malicious SMB server that can deliver the specially crafted truncated response, so the primary attack vector is server-initiated during normal SMB client communication. An attacker must control or compromise the SMB server, and the client must be a Linux system running the vulnerable kernel. Because the flaw results in a read of kernel heap data, an attacker with sufficient control of the SMB server may acquire information useful for further exploitation, though the flaw does not directly enable remote code execution.
OpenCVE Enrichment