Impact
A flaw in the Linux kernel SMB client can cause an infinite loop or an out‑of‑bounds read when processing a specially crafted SMB packet. The infinite loop occurs when the packet’s error data length field is set to a particular value on 32‑bit systems, causing the code to traverse an invalid pointer repeatedly. The out‑of‑bounds read arises when a different sentinel value is used, allowing the kernel to read memory beyond the intended buffer, potentially revealing sensitive data. The impact is two‑fold: the infinite loop stalls the SMB client thread, which can be used to deny service to applications that depend on SMB, while the out‑of‑bounds read could disclose kernel memory contents to an attacker. The likely attack vector is a remote SMB server that sends the crafted packet, so an adversary needs network access to the target’s SMB endpoint.
Affected Systems
The vulnerability is present in the Linux kernel itself, regardless of distribution. Any host that runs an affected kernel version and uses the SMB client glue – for example, if it performs SMB lookups or mounts over the network – is potentially exposed. The fix was applied in the mainline source tree and propagated to mainstream releases, so updating the kernel to a version that contains the commit will eliminate the issue.
Risk and Exploitability
The vulnerability is not listed in the CISA KEV catalog and has an EPSS score of less than 1 %, indicating a low probability of exploitation. The CVSS score of 8.1 indicates high severity, combining the potential denial of service from the infinite loop and the information disclosure from the out‑of‑bounds read. Exploitation requires an attacker to be able to send a malicious SMB response to the target, so network connectivity to the SMB port is a prerequisite.
OpenCVE Enrichment
Debian DLA