Description
In the Linux kernel, the following vulnerability has been resolved:

smb/client: fix out-of-bounds read in symlink_data()

Since smb2_check_message() returns success without length validation for
the symlink error response, in symlink_data() it is possible for
iov->iov_len to be smaller than sizeof(struct smb2_err_rsp). If the buffer
only contains the base SMB2 header (64 bytes), accessing
err->ErrorContextCount (at offset 66) or err->ByteCount later in
symlink_data() will cause an out-of-bounds read.
Published: 2026-05-28
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel’s SMB client fails to validate the length of a buffer when handling a symlink error response. If a malicious SMB server returns only the minimal SMB2 header, the client reads beyond the supplied data, exposing adjacent memory contents. This out‑of‑bounds read (CWE‑119) is caused by improper input validation (CWE‑20) and can allow an attacker to read arbitrary memory, potentially leaking sensitive information or facilitating further compromise.

Affected Systems

All Linux kernel instances that include the buggy SMB client code are affected until the fix is applied. The vulnerability resides in the SMB2 protocol handling in the kernel; no specific version range is supplied, so any kernel prior to the latest stable release that lacks the patch is vulnerable.

Risk and Exploitability

No CVSS or EPSS score is provided, and the flaw is not listed in the CISA KEV catalog, so the precise exploitation probability is unknown. The flaw requires a remote SMB server capable of sending a crafted symlink error response; thus, the attack vector is remote over SMB. While no documented exploits exist at this time, the ability to read memory beyond the boundary places the risk in a moderate‑to‑high category pending the availability of exploitation code.

Generated by OpenCVE AI on May 28, 2026 at 12:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a Linux kernel version that includes the SMB2 symlink overread fix (see commit 15dc0a4de743a1aaa7b859b3aea79f08c695396c and related patches).
  • After updating, restart any services that rely on SMB or reboot the system to ensure the new kernel is active.
  • If an immediate kernel upgrade is not possible, restrict SMB traffic from untrusted hosts using firewall rules or disable SMB2 client support if it is not required.

Generated by OpenCVE AI on May 28, 2026 at 12:02 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 28 May 2026 12:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
CWE-20

Thu, 28 May 2026 10:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: smb/client: fix out-of-bounds read in symlink_data() Since smb2_check_message() returns success without length validation for the symlink error response, in symlink_data() it is possible for iov->iov_len to be smaller than sizeof(struct smb2_err_rsp). If the buffer only contains the base SMB2 header (64 bytes), accessing err->ErrorContextCount (at offset 66) or err->ByteCount later in symlink_data() will cause an out-of-bounds read.
Title smb/client: fix out-of-bounds read in symlink_data()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-28T09:36:39.318Z

Reserved: 2026-05-13T15:03:33.103Z

Link: CVE-2026-46185

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-28T10:16:34.117

Modified: 2026-05-28T10:16:34.117

Link: CVE-2026-46185

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-28T12:15:21Z

Weaknesses