PatchSiren

CVE-2026-46195 Linux CVE debrief

This CVE addresses an integer overflow vulnerability in the Linux kernel's SMB client implementation. The flaw exists in how the kernel parses security descriptors from SMB servers, specifically in the handling of the DACL (Discretionary Access Control List) offset field. On 32-bit systems, a malicious SMB server can supply a dacloffset value near U32_MAX that causes pointer arithmetic to wrap below the valid buffer bounds. This bypasses subsequent bounds checks and leads to out-of-bounds memory access when the kernel dereferences DACL fields during chmod/chown operations. The vulnerability affects three code paths: parse_sec_desc(), build_sec_desc(), and id_mode_to_cifs_acl(). The fix validates dacloffset numerically before constructing any DACL pointer and consolidates this validation into a shared helper function. The attack comes from the server side: it requires an attacker-controlled or compromised SMB server, and impact is limited to 32-bit kernel builds.

Vendor: Linux
Product: Unknown
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-28
Original CVE updated: 2026-05-30
Advisory published: 2026-05-28
Advisory updated: 2026-05-30

Who should care

Organizations running 32-bit Linux systems that mount SMB/CIFS shares, particularly from external or untrusted sources; Linux distribution maintainers; security teams tracking kernel vulnerabilities in network filesystem implementations.

Technical summary

The Linux kernel's SMB/CIFS client code fails to validate the dacloffset field from server-supplied security descriptors before using it in pointer arithmetic. On 32-bit architectures, a malicious server can return a dacloffset near U32_MAX, causing the derived DACL pointer to wrap below the end_of_acl boundary. This bypasses bounds checks in parse_sec_desc(), build_sec_desc(), and id_mode_to_cifs_acl(), leading to out-of-bounds memory access when DACL fields are dereferenced during permission changes. The fix introduces numerical validation of dacloffset prior to pointer construction and consolidates this check across all three affected entry points.
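
The wrap described above, worked through as an added example (not kernel code and not the actual patch): addresses are modelled as 32-bit integers so the behaviour is the same on any host. The base address, buffer length, header sizes, offsets and function names are assumptions constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define NTSD_HDR_SIZE 20u /* assumed size of the fixed descriptor header */
#define DACL_HDR_SIZE 8u  /* assumed size of the fixed DACL header */

/* Address the DACL would have on a 32-bit build: wraps modulo 2^32. */
static uint32_t dacl_address(uint32_t base, uint32_t dacloffset)
{
    return base + dacloffset;
}

/* Pointer-first pattern: the address is derived from the server-supplied
 * offset and only then compared with the end of the buffer. */
static bool pointer_check_accepts(uint32_t base, uint32_t len, uint32_t dacloffset)
{
    uint32_t end_of_acl = base + len;
    return dacl_address(base, dacloffset) + DACL_HDR_SIZE <= end_of_acl;
}

/* Offset-first pattern: the offset is compared with the buffer length as a
 * plain number before any address is formed. A zero offset (no DACL) is
 * assumed to be handled by the caller. */
static bool offset_check_accepts(uint32_t len, uint32_t dacloffset)
{
    if (len < NTSD_HDR_SIZE + DACL_HDR_SIZE)
        return false;
    return dacloffset >= NTSD_HDR_SIZE && dacloffset <= len - DACL_HDR_SIZE;
}

int main(void)
{
    const uint32_t base = 0xC1000000u, len = 0x100u;          /* constructed buffer */
    const uint32_t offsets[] = { 20u, 0x200u, 0xFFFFFF00u };  /* constructed inputs */

    for (size_t i = 0; i < sizeof offsets / sizeof offsets[0]; i++)
        printf("dacloffset=0x%08x dacl=0x%08x pointer-check=%d offset-check=%d\n",
               (unsigned)offsets[i], (unsigned)dacl_address(base, offsets[i]),
               pointer_check_accepts(base, len, offsets[i]),
               offset_check_accepts(len, offsets[i]));
    return 0;
}
```

Only the last offset separates the two checks: the derived address lands below the start of the buffer, the pointer comparison still passes, and the numeric comparison rejects it.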

Defensive priority

High

Recommended defensive actions

  • Apply kernel updates from stable branches once patches are available for your distribution
  • Prioritize patching 32-bit Linux systems that mount SMB/CIFS shares from untrusted or external servers
  • Consider restricting SMB client access to trusted internal servers only as a temporary mitigation
  • Monitor for kernel security updates from your Linux distribution vendor

Evidence notes

Vulnerability description confirms integer overflow in dacloffset handling on 32-bit builds. Five kernel.org stable branch commits provided as references. No CVSS score assigned; NVD status is 'Awaiting Analysis'. No KEV listing. Vendor identified as Linux kernel based on source references.
