CVE-2026-46185 - Vulnerability Details

- smb/client: fix out-of-bounds read in symlink_data()

Description

In the Linux kernel, the following vulnerability has been resolved:

smb/client: fix out-of-bounds read in symlink_data()

Since smb2_check_message() returns success without length validation for
the symlink error response, in symlink_data() it is possible for
iov->iov_len to be smaller than sizeof(struct smb2_err_rsp). If the buffer
only contains the base SMB2 header (64 bytes), accessing
err->ErrorContextCount (at offset 66) or err->ByteCount later in
symlink_data() will cause an out-of-bounds read.

Published: 2026-05-28

Score: 9.1 Critical

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The Linux kernel’s SMB client contains an unvalidated length check for a symlink error response. A malicious SMB server can reply with only the base SMB2 header, causing the client to read beyond the supplied data when accessing fields such as ErrorContextCount or ByteCount. This out-of-bounds read (CWE-125) can expose adjacent memory contents and potentially leak sensitive data or enable further exploitation.

Affected Systems

All Linux kernel installations that include the buggy SMB client code are vulnerable until the fix is deployed. No specific version range is provided; any kernel prior to the patch commit that still contains the original code is considered affected.

Risk and Exploitability

The flaw carries a CVSS score of 9.1, indicating high severity, and an EPSS score of less than 1%, suggesting a low likelihood of exploitation. It is not listed in the CISA KEV catalog. The primary attack vector requires a remote SMB server capable of sending a crafted symlink error response. While no public exploits are currently documented, the read beyond the boundary delivers a moderate‑to‑high risk pending the development of exploitation code.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`76894f3e2f71177747b8b4763fb180e800279585`	affected	< 2be11faf79e49fb8250a181ff0b4d2b2f084af83
`76894f3e2f71177747b8b4763fb180e800279585`	affected	< ef6495d4df6e7af8f3de67e65150881c880f696c
`76894f3e2f71177747b8b4763fb180e800279585`	affected	< 15dc0a4de743a1aaa7b859b3aea79f08c695396c
`76894f3e2f71177747b8b4763fb180e800279585`	affected	< b8c8a704f0bc133deb171f6aeb6f3a684203e212
`76894f3e2f71177747b8b4763fb180e800279585`	affected	< b9561402489d41149f63e001a74384863b7b30a6
`76894f3e2f71177747b8b4763fb180e800279585`	affected	< d62b8d236fab503c6fec1d3e9a38bea71feaca20
`2d046892a493d9760c35fdaefc3017f27f91b621`	affected	—
`6.0.16`	affected	< 6.1

Linux

affected

Version	Status	Constraints
`6.1`	affected	—
`0`	unaffected	< 6.1
`6.1.175`	unaffected	≤ 6.1.*
`6.6.140`	unaffected	≤ 6.6.*
`6.12.88`	unaffected	≤ 6.12.*
`6.18.30`	unaffected	≤ 6.18.*
`7.0.7`	unaffected	≤ 7.0.*
`7.1`	unaffected	≤ *

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel:7.1:rc1::::::
	cpe:2.3:o:linux:linux_kernel:7.1:rc2::::::

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[76894f3e2f71177747b8b4763fb180e800279585,ef6495d4df6e7af8f3de67e65150881c880f696c)`	affected	code_commit	—
`[76894f3e2f71177747b8b4763fb180e800279585,15dc0a4de743a1aaa7b859b3aea79f08c695396c)`	affected	code_commit	—
`[76894f3e2f71177747b8b4763fb180e800279585,b8c8a704f0bc133deb171f6aeb6f3a684203e212)`	affected	code_commit	—
`[76894f3e2f71177747b8b4763fb180e800279585,b9561402489d41149f63e001a74384863b7b30a6)`	affected	code_commit	—
`[76894f3e2f71177747b8b4763fb180e800279585,d62b8d236fab503c6fec1d3e9a38bea71feaca20)`	affected	code_commit	—
`2d046892a493d9760c35fdaefc3017f27f91b621`	affected	code_commit	—
`[6.0.16,6.1)`	affected	semver	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`6.1`	affected	generic	—
`[0,6.1)`	unaffected	generic	—
`[6.6.140,6.6.*]`	unaffected	generic	—
`[6.12.88,6.12.*]`	unaffected	generic	—
`[6.18.30,6.18.*]`	unaffected	generic	—
`[7.0.7,7.0.*]`	unaffected	generic	—
`[7.1-rc3,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the system to a Linux kernel version that includes the smb/client symlink overread fix referenced in the commit series linked in the references.
Reboot or restart the system after applying the kernel update to ensure the new kernel is active.
If an upgrade cannot be performed in a timely manner, isolate the host by blocking SMB traffic from untrusted networks or disabling SMB2 client support via kernel configuration or sysctl settings.

Generated by OpenCVE AI on May 30, 2026 at 12:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.0052.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/15dc0a4de743a1aaa7b859b3aea79f08c695396c
https://git.kernel.org/stable/c/2be11faf79e49fb8250a181ff0b4d2b2f084af83
https://git.kernel.org/stable/c/b8c8a704f0bc133deb171f6aeb6f3a684203e212
https://git.kernel.org/stable/c/b9561402489d41149f63e001a74384863b7b30a6
https://git.kernel.org/stable/c/d62b8d236fab503c6fec1d3e9a38bea71feaca20
https://git.kernel.org/stable/c/ef6495d4df6e7af8f3de67e65150881c880f696c
https://lore.kernel.org/linux-cve-announce/2026052830-CVE-2026-46185-42df@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-46185
https://www.cve.org/CVERecord?id=CVE-2026-46185

History

Thu, 11 Jun 2026 03:15:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:o:linux:linux_kernel:7.1:rc1:::::: cpe:2.3:o:linux:linux_kernel:7.1:rc2::::::

Mon, 01 Jun 2026 17:00:00 +0000

Type	Values Removed	Values Added
References		https://git.kernel.org/stable/c/2be11faf79e49fb8250a181ff0b4d2b2f084af83

Sat, 30 May 2026 11:00:00 +0000

Type	Values Removed	Values Added
Metrics	cvssV3_1 `{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}`	cvssV3_1 `{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H'}`

Fri, 29 May 2026 03:45:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-119 CWE-20

Fri, 29 May 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-125
References		https://lore.kernel.org/linux-cve-announce/2026052830-CVE-2026-46185-42df@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-46185 https://www.cve.org/CVERecord?id=CVE-2026-46185
Metrics	threat_severity `None`	cvssV3_1 `{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}` threat_severity `Moderate`

Thu, 28 May 2026 12:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-119 CWE-20

Thu, 28 May 2026 10:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: smb/client: fix out-of-bounds read in symlink_data() Since smb2_check_message() returns success without length validation for the symlink error response, in symlink_data() it is possible for iov->iov_len to be smaller than sizeof(struct smb2_err_rsp). If the buffer only contains the base SMB2 header (64 bytes), accessing err->ErrorContextCount (at offset 66) or err->ByteCount later in symlink_data() will cause an out-of-bounds read.
Title		smb/client: fix out-of-bounds read in symlink_data()
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/15dc0a4de743a1aaa7b859b3aea79f08c695396c https://git.kernel.org/stable/c/b8c8a704f0bc133deb171f6aeb6f3a684203e212 https://git.kernel.org/stable/c/b9561402489d41149f63e001a74384863b7b30a6 https://git.kernel.org/stable/c/d62b8d236fab503c6fec1d3e9a38bea71feaca20 https://git.kernel.org/stable/c/ef6495d4df6e7af8f3de67e65150881c880f696c

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-28T09:36:39.318Z

Updated: 2026-06-14T18:01:04.745Z

Reserved: 2026-05-13T15:03:33.103Z

Link: CVE-2026-46185

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-05-28T10:16:34.117

Modified: 2026-06-11T03:02:31.867

Link: CVE-2026-46185

Redhat

Severity : Moderate

Publid Date: 2026-05-28T00:00:00Z

Links: CVE-2026-46185 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-30T13:00:12Z

Weaknesses

CWE-125
Out-of-bounds Read

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object