Skip to main content

Linux Kernel CVE-2026-46195

| EUVDEUVD-2026-32822 CRITICAL
NULL Pointer Dereference (CWE-476)
2026-05-28 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-rp7m-xq2f-r4cg
9.8
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
SUSE
CRITICAL
qualitative
Red Hat
7.0 HIGH
qualitative

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 30, 2026 - 12:03 vuln.today
CVSS changed
May 30, 2026 - 11:22 NVD
9.8 (CRITICAL)
Patch available
May 28, 2026 - 12:01 EUVD
CVE Published
May 28, 2026 - 10:16 nvd
UNKNOWN (no severity yet)
CVE Published
May 28, 2026 - 10:16 nvd
CRITICAL 9.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

smb: client: validate dacloffset before building DACL pointers

parse_sec_desc(), build_sec_desc(), and the chown path in id_mode_to_cifs_acl() all add the server-supplied dacloffset to pntsd before proving a DACL header fits inside the returned security descriptor.

On 32-bit builds a malicious server can return dacloffset near U32_MAX, wrap the derived DACL pointer below end_of_acl, and then slip past the later pointer-based bounds checks. build_sec_desc() and id_mode_to_cifs_acl() can then dereference DACL fields from the wrapped pointer in the chmod/chown rewrite paths.

Validate dacloffset numerically before building any DACL pointer and reuse the same helper at the three DACL entry points.

AnalysisAI

Memory corruption in the Linux kernel SMB client (cifs) allows a malicious SMB server to trigger out-of-bounds reads and potential dereferences in the DACL parsing path on 32-bit builds. The flaw resides in parse_sec_desc(), build_sec_desc(), and id_mode_to_cifs_acl(), where a server-supplied dacloffset value near U32_MAX can wrap around and bypass pointer-based bounds checks during chmod/chown operations against SMB shares. EPSS is very low at 0.02% and there is no public exploit identified at time of analysis, but the issue is a confirmed kernel bug with upstream fixes already merged.

Technical ContextAI

The vulnerability lives in the kernel's cifs/smb client (fs/smb/client), which implements the SMB/CIFS protocol for mounting remote Windows-style shares. When a server returns a Windows security descriptor, the client parses it to derive POSIX-style permissions, using the dacloffset field to locate the Discretionary Access Control List inside the descriptor. Because the offset was added to the pntsd base pointer before being validated numerically, on 32-bit platforms an attacker-controlled offset close to U32_MAX causes integer wraparound, producing a pointer that sits below end_of_acl and slips past subsequent pointer-comparison bounds checks. This is an integer-overflow-leading-to-out-of-bounds-access bug class (CWE-190 / CWE-125 family), even though the CVE record lists CWE as N/A. The fix adds a numeric validation of dacloffset before any DACL pointer arithmetic and centralizes the check in a shared helper used by all three DACL entry points.

RemediationAI

Vendor-released patch: upgrade to Linux kernel 6.6.140, 6.12.88, 6.18.30, 7.0.7, or 7.1-rc3 (or newer) from your distribution, pulling stable commits 3b1ddba19e77, 8bd07e417b6b, ba7f71b6161c, c688f3ed73d3, or f98b48151cc5 via https://git.kernel.org/stable/c/3b1ddba19e77ee35241cd27f16dc3e8d14e08db7 and the related stable-tree references. Where immediate patching of 32-bit kernels is not possible, the most targeted compensating control is to avoid mounting SMB/CIFS shares from untrusted servers - restrict cifs.ko usage to known internal file servers, block outbound SMB (TCP/445, TCP/139) at the host or network egress to prevent connections to attacker-controlled endpoints, and consider unloading the cifs module on hosts that do not require SMB client functionality (side effect: any in-use shares will disconnect). On 64-bit kernels the wraparound condition described does not apply, so patch urgency is lower but the fix should still be taken in the normal stable cadence.

Vendor StatusVendor

SUSE

Severity: Critical
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-46195 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy