CRITICAL🇵🇱 Wersja polska

CVE-2026-46195

CVSS 9.8pub. 2026-05-28upd. 2026-06-30

In the Linux kernel, the following vulnerability has been resolved: smb: client: validate dacloffset before building DACL pointers parse_sec_desc(), build_sec_desc(), and the chown path in id_mode_to_cifs_acl() all add the server-supplied dacloffset to pntsd before proving a DACL header fits inside the returned security descriptor. On 32-bit builds a malicious server can return dacloffset near U32_MAX, wrap the derived DACL pointer below end_of_acl, and then slip past the later pointer-based bounds checks. build_sec_desc() and id_mode_to_cifs_acl() can then dereference DACL fields from the wrapped pointer in the chmod/chown rewrite paths. Validate dacloffset numerically before building any DACL pointer and reuse the same helper at the three DACL entry points.

🤖 AI Analysis
How it works

The functions parse_sec_desc(), build_sec_desc(), and the chown path in id_mode_to_cifs_acl() add the server-supplied dacloffset parameter to the pntsd pointer without prior validation that the resulting pointer falls within the bounds of the returned security descriptor. On 32-bit kernel compilations, a malicious server can return a dacloffset close to the U32_MAX value, which causes the computed DACL pointer to wrap below end_of_acl. Subsequent boundary checks based on pointers are then bypassed, and the build_sec_desc() and id_mode_to_cifs_acl() functions can extract DACL fields from an incorrect memory address in the chmod/chown code paths. The fix consists of numerically validating dacloffset before creating any DACL pointer, using a shared helper function at all three DACL entry points.

Impact

An attacker controlling the SMB server response can cause arbitrary kernel memory read or overwrite, which consequently may result in privilege escalation, sensitive data disclosure, or system destabilization.

Mitigation & patch

Apply patches available from the vendor according to the references — fixes have been published in the stable branches repository of the Linux kernel (git.kernel.org/stable); recommended update to a kernel version containing the appropriate commits

Who is affected

Linux kernel — SMB client (CIFS), 32-bit compilations; specific versions indicated in vendor references (commits in stable kernel branches)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Linux Kernel

    OS
    Linux
    7.15.12 – 6.6.140 (bez)6.7 – 6.12.88 (bez)6.13 – 6.18.30 (bez)6.19 – 7.0.7 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2025-10585CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Type confusion w V8 (Google Chrome) — zdalne uszkodzenie sterty

CVE-2025-34028CRITICAL9.3⚠ KEVPL ✓ten sam produkt

Commvault Command Center – nieuwierzytelniony RCE przez path traversal w ZIP

CVE-2022-47986CRITICAL9.8⚠ KEVten sam produkt

IBM Aspera Faspex 4.4.2 Patch Level 1 and earlier could allow a remote attacker to execute arbitrary code on t...

CVE-2022-22954CRITICAL9.8⚠ KEVten sam produkt

VMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability due to server-s...

CVE-2020-4006CRITICAL9.1⚠ KEVten sam produkt

VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector address have a...