Description
In the Linux kernel, the following vulnerability has been resolved:

smb/client: fix possible infinite loop and oob read in symlink_data()

On 32-bit architectures, the infinite loop is as follows:

len = p->ErrorDataLength == 0xfffffff8
u8 *next = p->ErrorContextData + len
next == p

On 32-bit architectures, the out-of-bounds read is as follows:

len = p->ErrorDataLength == 0xfffffff0
u8 *next = p->ErrorContextData + len
next == (u8 *)p - 8
Published: 2026-06-24
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the Linux kernel SMB client can cause an infinite loop or an out‑of‑bounds read when processing a specially crafted SMB packet. The infinite loop occurs when the packet’s error data length field is set to a particular value on 32‑bit systems, causing the code to traverse an invalid pointer repeatedly. The out‑of‑bounds read arises when a different sentinel value is used, allowing the kernel to read memory beyond the intended buffer, potentially revealing sensitive data. The impact is two‑fold: the infinite loop stalls the SMB client thread, which can be used to deny service to applications that depend on SMB, while the out‑of‑bounds read could disclose kernel memory contents to an attacker. The likely attack vector is a remote SMB server that sends the crafted packet, so an adversary needs network access to the target’s SMB endpoint.

Affected Systems

The vulnerability is present in the Linux kernel itself, regardless of distribution. Any host that runs an affected kernel version and uses the SMB client glue – for example, if it performs SMB lookups or mounts over the network – is potentially exposed. The fix was applied in the mainline source tree and propagated to mainstream releases, so updating the kernel to a version that contains the commit will eliminate the issue.

Risk and Exploitability

The vulnerability is not listed in the CISA KEV catalog and has an EPSS score of less than 1 %, indicating a low probability of exploitation. The CVSS score of 8.1 indicates high severity, combining the potential denial of service from the infinite loop and the information disclosure from the out‑of‑bounds read. Exploitation requires an attacker to be able to send a malicious SMB response to the target, so network connectivity to the SMB port is a prerequisite.

Generated by OpenCVE AI on June 28, 2026 at 13:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to the latest version that incorporates the commit fixing the SMB client bug.
  • If a kernel upgrade cannot be performed immediately, limit SMB client usage by band‑blocking or firewall rules so that untrusted clients cannot reach services that invoke the SMB client glue.
  • If the kernel source is available, apply the patch manually by cherry‑picking the relevant commit from the official Git tree and rebuilding the kernel.

Generated by OpenCVE AI on June 28, 2026 at 13:42 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4665-1 linux security update
Debian DLA Debian DLA DLA-4671-1 linux-6.1 security update
History

Sun, 28 Jun 2026 08:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H'}


Fri, 26 Jun 2026 03:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
CWE-932

Fri, 26 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-190
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate


Wed, 24 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
CWE-932

Wed, 24 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: smb/client: fix possible infinite loop and oob read in symlink_data() On 32-bit architectures, the infinite loop is as follows: len = p->ErrorDataLength == 0xfffffff8 u8 *next = p->ErrorContextData + len next == p On 32-bit architectures, the out-of-bounds read is as follows: len = p->ErrorDataLength == 0xfffffff0 u8 *next = p->ErrorContextData + len next == (u8 *)p - 8
Title smb/client: fix possible infinite loop and oob read in symlink_data()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-28T06:37:24.053Z

Reserved: 2026-06-09T07:44:35.374Z

Link: CVE-2026-52967

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-24T00:00:00Z

Links: CVE-2026-52967 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-28T13:45:06Z

Weaknesses
  • CWE-190

    Integer Overflow or Wraparound