Description
In the Linux kernel, the following vulnerability has been resolved:

smb: client: validate dacloffset before building DACL pointers

parse_sec_desc(), build_sec_desc(), and the chown path in
id_mode_to_cifs_acl() all add the server-supplied dacloffset to pntsd
before proving a DACL header fits inside the returned security
descriptor.

On 32-bit builds a malicious server can return dacloffset near
U32_MAX, wrap the derived DACL pointer below end_of_acl, and then slip
past the later pointer-based bounds checks. build_sec_desc() and
id_mode_to_cifs_acl() can then dereference DACL fields from the wrapped
pointer in the chmod/chown rewrite paths.

Validate dacloffset numerically before building any DACL pointer and
reuse the same helper at the three DACL entry points.
Published: 2026-05-28
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
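
To make the 32-bit wrap described above concrete, here is an added example (written for this page, not code from the kernel or the fix) that models the pre-fix pointer-based bounds check next to a numeric offset check. Addresses are modelled as uint32_t to emulate 32-bit pointer arithmetic; the struct layouts, the base address 0xC0000000, the 256-byte descriptor and the helper name dacloffset_is_valid are this example's assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Local models of the two headers involved; field layout and sizes follow
 * the on-wire SMB security descriptor (20 bytes) and ACL header (8 bytes).
 * These are copies written for this example, not the kernel's structs. */
struct sd_hdr  { uint16_t revision, type; uint32_t osidoffset, gsidoffset, sacloffset, dacloffset; };
struct acl_hdr { uint16_t revision, size; uint32_t num_aces; };

/* Pre-fix logic as it behaves on a 32-bit kernel.  Addresses are modelled
 * as uint32_t so that pntsd + dacloffset wraps exactly like a 32-bit
 * pointer would.  Returns true when the pointer-based bounds check would
 * accept the DACL header. */
static bool pointer_check_accepts(uint32_t pntsd, uint32_t acl_len, uint32_t dacloffset)
{
    uint32_t end_of_acl = pntsd + acl_len;
    uint32_t dacl_ptr = pntsd + dacloffset;        /* may wrap below pntsd */
    /* pointer form: fail only if end_of_acl < dacl_ptr + sizeof(ACL header) */
    return dacl_ptr + (uint32_t)sizeof(struct acl_hdr) <= end_of_acl;
}

/* Numeric validation in the spirit of the fix: decide purely on lengths
 * before any pointer is formed, so nothing can wrap.  The helper name and
 * the lower bound (DACL must not overlap the descriptor header) are this
 * example's choices, not the upstream helper. */
static bool dacloffset_is_valid(uint32_t acl_len, uint32_t dacloffset)
{
    if (acl_len < sizeof(struct sd_hdr) + sizeof(struct acl_hdr))
        return false;                               /* no room for both headers */
    if (dacloffset < sizeof(struct sd_hdr))
        return false;                               /* DACL inside the SD header */
    return dacloffset <= acl_len - sizeof(struct acl_hdr); /* header fits before end_of_acl */
}

int main(void)
{
    /* Constructed values: a kernel-style 32-bit base address, a 256-byte
     * descriptor, and an offset near U32_MAX as the advisory describes. */
    const uint32_t pntsd = 0xC0000000u, acl_len = 0x100u;
    const uint32_t offsets[] = { 20u, 0x100u, 0xFFFFFF00u };
    for (size_t i = 0; i < sizeof offsets / sizeof offsets[0]; i++)
        printf("dacloffset=0x%08x  pointer check: %s  numeric check: %s\n",
               offsets[i],
               pointer_check_accepts(pntsd, acl_len, offsets[i]) ? "accept" : "reject",
               dacloffset_is_valid(acl_len, offsets[i]) ? "accept" : "reject");
    return 0;
}
```

The third row is the bug: the wrapped pointer lands below end_of_acl and the pointer-based check accepts it, while the length-based check rejects it without ever forming a pointer.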
AI Analysis

Impact

A buffer overflow is introduced in the SMB client code when constructing DACL pointers from a server‑supplied dacloffset value. Because the offset is not validated, a 32‑bit client can receive a value just below the maximum of an unsigned 32‑bit integer, causing the calculated pointer to wrap below the end of the security descriptor. Subsequent bounds checks are bypassed, allowing the client to dereference memory that is not part of the descriptor. The effect is a kernel memory corruption that can crash the system or potentially lead to execution of arbitrary code. This flaw is a classic case of buffer overflow leading to out‑of‑bounds access (CWE‑787).

Affected Systems

All 32‑bit builds of the Linux kernel that use the SMB client to communicate with servers are affected. The flaw occurs during permission changes via chmod or chown operations processed by the SMB client. No specific kernel release numbers are listed; therefore any 32‑bit kernel version that has not yet integrated the patch from the referenced commit is potentially vulnerable.

Risk and Exploitability

Although the EPSS estimate is below 1%, the CVSS score is 9.8 and the flaw can be triggered by an unauthenticated remote SMB server: the server only needs to return a security descriptor with a large dacloffset field. The vulnerability was addressed in the kernel patches linked in the advisory, and the absence of a KEV listing indicates that it has not yet been widely exploited in the wild. Nevertheless, a local or privileged process could experience a denial of service or memory corruption if the SMB client is used to contact an untrusted server. Immediate patching, or restricting SMB traffic, is advised to mitigate the risk.

Generated by OpenCVE AI on June 10, 2026 at 20:25 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Apply the kernel patch that validates dacloffset by upgrading to a kernel version that includes the change.
  • If upgrade is unavailable, isolate the machine from untrusted SMB servers by disabling the SMB client module or blocking outbound SMB traffic with firewall rules.
  • Configure auditing to log SMB client operations, enabling detection of anomalous permission‑change activity.

Generated by OpenCVE AI on June 10, 2026 at 20:25 UTC.

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-476
CPEs cpe:2.3:o:linux:linux_kernel:7.1:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.1:rc2:*:*:*:*:*:*

Sat, 30 May 2026 11:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Fri, 29 May 2026 03:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-680

Fri, 29 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-787
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Important


Thu, 28 May 2026 13:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-680

Thu, 28 May 2026 10:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: smb: client: validate dacloffset before building DACL pointers parse_sec_desc(), build_sec_desc(), and the chown path in id_mode_to_cifs_acl() all add the server-supplied dacloffset to pntsd before proving a DACL header fits inside the returned security descriptor. On 32-bit builds a malicious server can return dacloffset near U32_MAX, wrap the derived DACL pointer below end_of_acl, and then slip past the later pointer-based bounds checks. build_sec_desc() and id_mode_to_cifs_acl() can then dereference DACL fields from the wrapped pointer in the chmod/chown rewrite paths. Validate dacloffset numerically before building any DACL pointer and reuse the same helper at the three DACL entry points.
Title smb: client: validate dacloffset before building DACL pointers
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-14T18:01:48.626Z

Reserved: 2026-05-13T15:03:33.104Z

Link: CVE-2026-46195

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-05-28T10:16:35.147

Modified: 2026-06-10T19:18:32.367

Link: CVE-2026-46195

Redhat

Severity : Important

Public Date: 2026-05-28T00:00:00Z

Links: CVE-2026-46195 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-10T20:30:28Z

Weaknesses