CVE-2026-46139 Linux CVE debrief

Who should care

Organizations using Linux systems with SMB/CIFS client mounts to Samba servers, particularly those performing permission modifications (chmod) on SMB shares. System administrators managing Linux kernel deployments and security teams tracking kernel-level SMB protocol implementation vulnerabilities.

Technical summary

The Linux kernel's SMB client build_sec_desc() function allocated security descriptor buffers using kmalloc() without zero-initialization. Following a structure change that introduced a 16-bit reserved field in struct smb_acl, this reserved field (corresponding to Sbz2 in MS-DTYP ACL wire format) could contain uninitialized heap data. When non-zero, Samba servers reject the security descriptor with 'ndr_pull_security_descriptor failed: Range Error', causing chmod to return EINVAL. The fix uses kzalloc() to ensure zero-initialization of the entire buffer.

Defensive priority

medium

Recommended defensive actions

• Apply kernel updates containing the referenced stable commits when available from your Linux distribution
• Monitor NVD for CVSS scoring once analysis is complete
• Verify SMB client functionality with Samba servers after patching, particularly chmod operations on SMB shares
• Review custom kernel builds using SMB client code for proper initialization of security descriptor buffers

Evidence notes

The vulnerability description indicates this was resolved in the Linux kernel SMB client code. The issue was introduced by commit 62e7dd0a39c2d which changed struct smb_acl's data types. Multiple stable kernel commits are referenced as fixes. No CVSS score or severity is currently assigned by NVD (status: Awaiting Analysis).

Official resources