Skip to main content

Linux Kernel EUVDEUVD-2026-32782

| CVE-2026-46155 CRITICAL
Out-of-bounds Read (CWE-125)
2026-05-28 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-r5mc-mc43-5gch
9.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
SUSE
CRITICAL
qualitative
Red Hat
7.0 HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 30, 2026 - 11:58 vuln.today
CVSS changed
May 30, 2026 - 11:22 NVD
9.1 (CRITICAL)
Patch available
May 28, 2026 - 12:01 EUVD
CVE Published
May 28, 2026 - 10:16 nvd
CRITICAL 9.1
CVE Published
May 28, 2026 - 10:16 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

smb/client: fix out-of-bounds read in smb2_compound_op()

If a server sends a truncated response but a large OutputBufferLength, and terminates the EA list early, check_wsl_eas() returns success without validating that the entire OutputBufferLength fits within iov_len.

Then smb2_compound_op() does: memcpy(idata->wsl.eas, data[0], size[0]);

Where size[0] is OutputBufferLength. If iov_len is smaller than size[0], memcpy can read beyond the end of the rsp_iov allocation and leak adjacent kernel heap memory.

AnalysisAI

Out-of-bounds heap read in the Linux kernel's SMB client (smb/client) allows a malicious or compromised SMB server to leak adjacent kernel heap memory to a connected Linux client. The flaw lives in smb2_compound_op() where check_wsl_eas() fails to validate that OutputBufferLength fits within iov_len before a memcpy, so a truncated response with an oversized OutputBufferLength and an early-terminated EA list triggers the read past the rsp_iov allocation. EPSS is very low (0.02%) and there is no public exploit identified at time of analysis, but upstream patches have been merged across multiple stable branches.

Technical ContextAI

The bug is in the in-kernel SMB3 client (fs/smb/client) used when a Linux system mounts CIFS/SMB shares. During compounded SMB2 operations that retrieve Windows Subsystem for Linux extended attributes (WSL EAs), check_wsl_eas() walks the EA list returned by the server but accepts early termination without confirming that the server-declared OutputBufferLength is bounded by the actual iov_len of the received response buffer. smb2_compound_op() then performs memcpy(idata->wsl.eas, data[0], size[0]) using the unvalidated OutputBufferLength, reading past the end of rsp_iov into adjacent slab memory. The root cause is a classic missing-bounds-check on attacker-controlled length metadata (CWE-125 / CWE-126 out-of-bounds read class), with no CWE assigned in the input. Affected code was introduced around commit ea41367b2a602f602ea6594fc4a310520dcc64f4 and the WSL EA path landed in 6.9, with the 6.6.32-6.6.140 range also impacted per EUVD.

RemediationAI

Upgrade to a patched stable kernel: 6.6.140 or later on the 6.6 LTS line, 6.12.88 or later on the 6.12 LTS line, 7.0.7 or later on the 7.0 line, or mainline 7.1-rc3 and later, per the EUVD-listed fix versions. Distribution users should track their vendor's kernel update advisories that backport the upstream commits 512d33bc, 8d09328d, 9b3af356, a16f70a7, and dffb44b2 (https://git.kernel.org/stable/c/512d33bc8ea4ea5c19728ee118715f4b1f4d1926 and siblings). Until patched, the practical compensating control is to restrict which SMB servers the client mounts: only mount shares from trusted, hardened SMB servers, block outbound SMB (TCP/445) from clients to untrusted networks at the host or network firewall, and avoid auto-mounting user-controlled UNC paths. Disabling the CIFS/SMB client module (modprobe -r cifs; blacklist cifs) fully removes exposure but breaks any workflow that depends on SMB mounts, so use only on systems that do not legitimately need SMB. There is no need to disable WSL on Windows servers - the WSL EA handling here is on the Linux client side.

Vendor StatusVendor

SUSE

Severity: Critical
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-32782 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy