Skip to main content

Linux Kernel CVE-2026-46185

| EUVDEUVD-2026-32812 CRITICAL
Out-of-bounds Read (CWE-125)
2026-05-28 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-89gf-r4q6-p3c9
Critical
Disputed · 9.1 Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Sources disagree (Medium–Critical)
Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
SUSE
CRITICAL
qualitative
Red Hat
7.0 MEDIUM
qualitative

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 30, 2026 - 12:02 vuln.today
CVSS changed
May 30, 2026 - 11:22 NVD
9.1 (CRITICAL)
Patch available
May 28, 2026 - 12:01 EUVD
CVE Published
May 28, 2026 - 10:16 nvd
UNKNOWN (no severity yet)
CVE Published
May 28, 2026 - 10:16 nvd
CRITICAL 9.1

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

smb/client: fix out-of-bounds read in symlink_data()

Since smb2_check_message() returns success without length validation for the symlink error response, in symlink_data() it is possible for iov->iov_len to be smaller than sizeof(struct smb2_err_rsp). If the buffer only contains the base SMB2 header (64 bytes), accessing err->ErrorContextCount (at offset 66) or err->ByteCount later in symlink_data() will cause an out-of-bounds read.

AnalysisAI

Out-of-bounds read in the Linux kernel's SMB client (smb/client) symlink handling allows a malicious or compromised SMB server to trigger memory disclosure or denial-of-service against Linux clients that mount SMB shares. The flaw resides in symlink_data() where smb2_check_message() does not validate response length before fields beyond the 64-byte SMB2 header are accessed. EPSS is very low (0.02%, 5th percentile) and there is no public exploit identified at time of analysis, though upstream kernel fixes have already been merged across multiple stable branches.

Technical ContextAI

The vulnerability lives in the in-kernel SMB/CIFS client (fs/smb/client) that Linux uses to mount remote SMB2/SMB3 shares. When an SMB server returns a symlink error response, the client's smb2_check_message() validation routine accepts the message without confirming that iov->iov_len is at least sizeof(struct smb2_err_rsp). symlink_data() then dereferences err->ErrorContextCount at offset 66 and err->ByteCount on a buffer that may only contain the 64-byte base SMB2 header, producing an out-of-bounds read of kernel memory adjacent to the receive buffer. The tag set (Buffer Overflow, Linux) and the description map this to a classic CWE-125 (Out-of-bounds Read) caused by missing length validation in a network protocol parser; no formal CWE was assigned in the feed.

RemediationAI

Vendor-released patch: upgrade to Linux stable 6.6.140, 6.12.88, 6.18.30, 7.0.7, or 7.1-rc3 (or later in each series), referencing the upstream commits at https://git.kernel.org/stable/c/ef6495d4df6e7af8f3de67e65150881c880f696c, https://git.kernel.org/stable/c/15dc0a4de743a1aaa7b859b3aea79f08c695396c, https://git.kernel.org/stable/c/b9561402489d41149f63e001a74384863b7b30a6, https://git.kernel.org/stable/c/d62b8d236fab503c6fec1d3e9a38bea71feaca20, and https://git.kernel.org/stable/c/b8c8a704f0bc133deb171f6aeb6f3a684203e212; for distribution kernels, apply the vendor security update referenced from https://nvd.nist.gov/vuln/detail/CVE-2026-46185 as soon as it is published. As compensating controls until patching, unload the cifs kernel module on hosts that do not need SMB client functionality (modprobe -r cifs and blacklist it - trade-off: SMB mounts unavailable), restrict outbound TCP/445 and TCP/139 at the host or perimeter firewall to known-good file servers only (trade-off: breaks ad-hoc SMB access and may disrupt roaming users), and avoid mounting SMB shares from untrusted networks or unknown servers (trade-off: operational inconvenience for mobile clients). Disabling SMB2 symlink/reparse-point handling is not a supported runtime toggle, so module restriction or network filtering are the only practical pre-patch mitigations.

Vendor StatusVendor

SUSE

Severity: Critical
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-46185 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy