PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-46185 Linux CVE debrief

A vulnerability in the Linux kernel's SMB client implementation could allow an out-of-bounds read when processing malformed symbolic link error responses. The issue stems from insufficient length validation in the `smb2_check_message()` function, which returns success without verifying the response length for symlink error responses. Subsequently, in `symlink_data()`, the code accesses fields at offsets 66 and beyond (specifically `ErrorContextCount` and `ByteCount` within `struct smb2_err_rsp`) without confirming that the buffer contains sufficient data beyond the 64-byte SMB2 header. If a malicious or malformed server provides a response containing only the base SMB2 header, this results in reading memory beyond the allocated buffer boundary. The vulnerability affects the kernel's CIFS/SMB3 client subsystem and has been resolved through patches to multiple stable kernel branches.

Vendor: Linux
Product: Unknown
CVSS: CRITICAL 9.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-28
Original CVE updated: 2026-05-30
Advisory published: 2026-05-28
Advisory updated: 2026-05-30

Who should care

Organizations running Linux systems with SMB/CIFS client functionality enabled, particularly those mounting shares from potentially untrusted or compromised servers. System administrators responsible for kernel security patching and network file system configurations should prioritize this update.

Technical summary

The vulnerability exists in the SMB client (`smb/client`) subsystem of the Linux kernel. The `smb2_check_message()` function fails to perform length validation specifically for symlink error responses, returning success regardless of actual buffer size. The `symlink_data()` function then assumes sufficient buffer length and accesses `struct smb2_err_rsp` fields at offsets that may exceed the actual `iov->iov_len`. With a minimal 64-byte SMB2 header response, accesses to `ErrorContextCount` (offset 66) and `ByteCount` cause out-of-bounds memory reads. The fix adds appropriate length validation before field access.
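The length check described above, as an added userspace sketch; it is not the kernel patch or code from the advisory. The names `parse_err_rsp` and `check_sample` are hypothetical, the `ByteCount` offset (68) and the 72-byte fixed length are assumed from the MS-SMB2 ERROR Response layout rather than stated on this page, and the `ByteCount` comparison goes one step beyond the field-access check the summary describes.

```c
#include <stddef.h>
#include <stdint.h>

#define SMB2_HDR_LEN      64  /* fixed SMB2 header size, per the page */
#define OFF_ERR_CTX_COUNT 66  /* ErrorContextCount offset, per the page */
#define OFF_BYTE_COUNT    68  /* assumption: ByteCount offset per MS-SMB2 */
#define ERR_FIXED_LEN     72  /* assumption: header + 8 bytes of fixed error fields */

struct err_fields {
    uint8_t  ctx_count;
    uint32_t byte_count;
};

/* Returns 0 and fills *out, or -1 if the response is too short for the
 * fixed fields or for the ErrorData length it declares. */
int parse_err_rsp(const uint8_t *buf, size_t len, struct err_fields *out)
{
    if (len < ERR_FIXED_LEN)
        return -1;  /* header-only reply: reject before any field read */

    out->ctx_count = buf[OFF_ERR_CTX_COUNT];
    /* Little-endian on the wire; assembled bytewise to avoid unaligned loads. */
    out->byte_count = (uint32_t)buf[OFF_BYTE_COUNT]
                    | (uint32_t)buf[OFF_BYTE_COUNT + 1] << 8
                    | (uint32_t)buf[OFF_BYTE_COUNT + 2] << 16
                    | (uint32_t)buf[OFF_BYTE_COUNT + 3] << 24;

    /* ByteCount is server-controlled: compare it with the bytes that remain.
     * len >= ERR_FIXED_LEN here, so the subtraction cannot wrap. */
    if (out->byte_count > len - ERR_FIXED_LEN)
        return -1;
    return 0;
}

/* Constructed sample: a zeroed response of total_len bytes declaring byte_count
 * (values below 256 only, since just the low byte is written). */
int check_sample(size_t total_len, uint32_t byte_count)
{
    uint8_t buf[128] = {0};
    struct err_fields f;

    if (total_len > sizeof(buf))
        return -1;
    if (total_len >= ERR_FIXED_LEN) {
        buf[OFF_ERR_CTX_COUNT] = 1;
        buf[OFF_BYTE_COUNT] = (uint8_t)byte_count;
    }
    return parse_err_rsp(buf, total_len, &f);
}

int main(void) { return check_sample(SMB2_HDR_LEN, 0) == -1 ? 0 : 1; }
```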

Defensive priority

medium

Recommended defensive actions

  • Apply kernel updates from the relevant stable branches once patches are available through distribution channels
  • Monitor kernel security advisories from your Linux distribution for specific package updates
  • Consider restricting SMB client connections to trusted servers until patches are deployed
  • Review SMB client configurations for systems processing symbolic links from untrusted network sources

Evidence notes

The vulnerability description indicates that `smb2_check_message()` lacks length validation for symlink error responses, and `symlink_data()` subsequently accesses `err->ErrorContextCount` at offset 66 and `err->ByteCount` without bounds checking. The fix commits referenced in the source material address this validation gap.

Official resources

2026-05-28