CVE Catalog

CVE-2026-46195

CriticalCVSS 9.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.68%

48th percentile — higher than 48% of all known CVEs

Summary

In the Linux kernel's CIFS/SMB subsystem, a vulnerability was found due to missing validation of the DACL offset (dacloffset) before building DACL pointers. A malicious server can supply a dacloffset near U32_MAX, causing pointer wrapping on 32-bit systems and bypassing bounds checks, leading to potential out-of-bounds memory access.

Risk Assessment

A malicious SMB server could exploit this vulnerability for remote code execution or privilege escalation on the client system, especially on 32-bit platforms. This could lead to full system compromise or sensitive data leakage.

Recommendation

Immediately update the Linux kernel to a version containing the fix (commit that validates dacloffset before building DACL pointers). The update is critical for 32-bit systems.

Original NVD description (English source)

In the Linux kernel, the following vulnerability has been resolved: smb: client: validate dacloffset before building DACL pointers parse_sec_desc(), build_sec_desc(), and the chown path in id_mode_to_cifs_acl() all add the server-supplied dacloffset to pntsd before proving a DACL header fits inside the returned security descriptor. On 32-bit builds a malicious server can return dacloffset near U32_MAX, wrap the derived DACL pointer below end_of_acl, and then slip past the later pointer-based bounds checks. build_sec_desc() and id_mode_to_cifs_acl() can then dereference DACL fields from the wrapped pointer in the chmod/chown rewrite paths. Validate dacloffset numerically before building any DACL pointer and reuse the same helper at the three DACL entry points.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS