CVE-2026-46195
- Source
- https://cve.org/CVERecord?id=CVE-2026-46195
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-46195.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2026-46195
- Downstream
- Related
- Published
- 2026-05-28T09:36:48.259Z
- Modified
- 2026-06-20T04:15:30.144299396Z
- Severity
-
- 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- smb: client: validate dacloffset before building DACL pointers
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
smb: client: validate dacloffset before building DACL pointers
parsesecdesc(), buildsecdesc(), and the chown path in idmodetocifsacl() all add the server-supplied dacloffset to pntsd before proving a DACL header fits inside the returned security descriptor.
On 32-bit builds a malicious server can return dacloffset near U32MAX, wrap the derived DACL pointer below endofacl, and then slip past the later pointer-based bounds checks. buildsecdesc() and idmodetocifs_acl() can then dereference DACL fields from the wrapped pointer in the chmod/chown rewrite paths.
Validate dacloffset numerically before building any DACL pointer and reuse the same helper at the three DACL entry points.
- Database specific
{ "cna_assigner": "Linux", "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46195.json" }- References
-
- https://git.kernel.org/stable/c/3b1ddba19e77ee35241cd27f16dc3e8d14e08db7
- https://git.kernel.org/stable/c/5de2665e913a10ad70aaeecf736b97276e83d995
- https://git.kernel.org/stable/c/8bd07e417b6bda67e317920584e48cb6ee442a8a
- https://git.kernel.org/stable/c/ba7f71b6161c0943dafc367565e5843d16b7d505
- https://git.kernel.org/stable/c/c688f3ed73d31943334ad2139cb02ec49664322a
- https://git.kernel.org/stable/c/f98b48151cc502ada59d9778f0112d21f2586ca3
- https://git.kernel.org/stable/c/f9dc3be8f403c1216df73e57221f44b045e7ee0b
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46195.json
- https://nvd.nist.gov/vuln/detail/CVE-2026-46195
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedbc3e9dd9d104ca1b75644eab87b38ce8a924aef4Fixed5de2665e913a10ad70aaeecf736b97276e83d995Fixedf9dc3be8f403c1216df73e57221f44b045e7ee0bFixedba7f71b6161c0943dafc367565e5843d16b7d505Fixed3b1ddba19e77ee35241cd27f16dc3e8d14e08db7Fixedc688f3ed73d31943334ad2139cb02ec49664322aFixed8bd07e417b6bda67e317920584e48cb6ee442a8aFixedf98b48151cc502ada59d9778f0112d21f2586ca3
Linux / Kernel
Package
- Name
- Kernel
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced5.12.0Fixed5.15.210
- Type
- ECOSYSTEM
- Events
-
Introduced5.16.0Fixed6.1.176
- Type
- ECOSYSTEM
- Events
-
Introduced6.2.0Fixed6.6.140
- Type
- ECOSYSTEM
- Events
-
Introduced6.7.0Fixed6.12.88
- Type
- ECOSYSTEM
- Events
-
Introduced6.13.0Fixed6.18.30
- Type
- ECOSYSTEM
- Events
-
Introduced6.19.0Fixed7.0.7