{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-46195", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-05-13T15:03:33.104Z", "datePublished": "2026-05-28T09:36:48.259Z", "dateUpdated": "2026-05-30T10:48:55.662Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-30T10:48:55.662Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: validate dacloffset before building DACL pointers\n\nparse_sec_desc(), build_sec_desc(), and the chown path in\nid_mode_to_cifs_acl() all add the server-supplied dacloffset to pntsd\nbefore proving a DACL header fits inside the returned security\ndescriptor.\n\nOn 32-bit builds a malicious server can return dacloffset near\nU32_MAX, wrap the derived DACL pointer below end_of_acl, and then slip\npast the later pointer-based bounds checks. build_sec_desc() and\nid_mode_to_cifs_acl() can then dereference DACL fields from the wrapped\npointer in the chmod/chown rewrite paths.\n\nValidate dacloffset numerically before building any DACL pointer and\nreuse the same helper at the three DACL entry points."}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL"}}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/smb/client/cifsacl.c"], "versions": [{"version": "bc3e9dd9d104ca1b75644eab87b38ce8a924aef4", "lessThan": "ba7f71b6161c0943dafc367565e5843d16b7d505", "status": "affected", "versionType": "git"}, {"version": "bc3e9dd9d104ca1b75644eab87b38ce8a924aef4", "lessThan": "3b1ddba19e77ee35241cd27f16dc3e8d14e08db7", "status": "affected", "versionType": "git"}, {"version": "bc3e9dd9d104ca1b75644eab87b38ce8a924aef4", "lessThan": "c688f3ed73d31943334ad2139cb02ec49664322a", "status": "affected", "versionType": "git"}, {"version": "bc3e9dd9d104ca1b75644eab87b38ce8a924aef4", "lessThan": "8bd07e417b6bda67e317920584e48cb6ee442a8a", "status": "affected", "versionType": "git"}, {"version": "bc3e9dd9d104ca1b75644eab87b38ce8a924aef4", "lessThan": "f98b48151cc502ada59d9778f0112d21f2586ca3", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/smb/client/cifsacl.c"], "versions": [{"version": "5.12", "status": "affected"}, {"version": "0", "lessThan": "5.12", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.140", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.88", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.30", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0.7", "lessThanOrEqual": "7.0.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.1-rc3", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.12", "versionEndExcluding": "6.6.140"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.12", "versionEndExcluding": "6.12.88"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.12", "versionEndExcluding": "6.18.30"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.12", "versionEndExcluding": "7.0.7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.12", "versionEndExcluding": "7.1-rc3"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/ba7f71b6161c0943dafc367565e5843d16b7d505"}, {"url": "https://git.kernel.org/stable/c/3b1ddba19e77ee35241cd27f16dc3e8d14e08db7"}, {"url": "https://git.kernel.org/stable/c/c688f3ed73d31943334ad2139cb02ec49664322a"}, {"url": "https://git.kernel.org/stable/c/8bd07e417b6bda67e317920584e48cb6ee442a8a"}, {"url": "https://git.kernel.org/stable/c/f98b48151cc502ada59d9778f0112d21f2586ca3"}], "title": "smb: client: validate dacloffset before building DACL pointers", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: validate dacloffset before building DACL pointers\n\nparse_sec_desc(), build_sec_desc(), and the chown path in\nid_mode_to_cifs_acl() all add the server-supplied dacloffset to pntsd\nbefore proving a DACL header fits inside the returned security\ndescriptor.\n\nOn 32-bit builds a malicious server can return dacloffset near\nU32_MAX, wrap the derived DACL pointer below end_of_acl, and then slip\npast the later pointer-based bounds checks. build_sec_desc() and\nid_mode_to_cifs_acl() can then dereference DACL fields from the wrapped\npointer in the chmod/chown rewrite paths.\n\nValidate dacloffset numerically before building any DACL pointer and\nreuse the same helper at the three DACL entry points."}], "id": "CVE-2026-46195", "lastModified": "2026-05-30T11:17:25.840", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary"}]}, "published": "2026-05-28T10:16:35.147", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/3b1ddba19e77ee35241cd27f16dc3e8d14e08db7"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/8bd07e417b6bda67e317920584e48cb6ee442a8a"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/ba7f71b6161c0943dafc367565e5843d16b7d505"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/c688f3ed73d31943334ad2139cb02ec49664322a"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/f98b48151cc502ada59d9778f0112d21f2586ca3"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: smb: client: validate dacloffset before building DACL pointers", "id": "2482606", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2482606"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-787", "details": ["A flaw was found in the Linux kernel's Server Message Block (SMB) client. A malicious server can exploit this vulnerability on 32-bit systems by providing a crafted dacloffset value. This can cause a pointer wrap, leading to the dereferencing of invalid Discretionary Access Control List (DACL) fields during chmod or chown operations. This memory corruption could potentially allow the malicious server to bypass security mechanisms or cause a denial of service."], "name": "CVE-2026-46195", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-05-28T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-46195\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-46195\nhttps://lore.kernel.org/linux-cve-announce/2026052833-CVE-2026-46195-f7ef@gregkh/T"], "threat_severity": "Important"}