CVE-2026-46155
9.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Summary
In the Linux kernel, the following vulnerability has been resolved:
smb/client: fix out-of-bounds read in smb2_compound_op()
If a server sends a truncated response but a large OutputBufferLength, and terminates the EA list early, check_wsl_eas() returns success without validating that the entire OutputBufferLength fits within iov_len.
Then smb2_compound_op() does: memcpy(idata->wsl.eas, data[0], size[0]);
Where size[0] is OutputBufferLength. If iov_len is smaller than size[0], memcpy can read beyond the end of the rsp_iov allocation and leak adjacent kernel heap memory.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | 7449d736bbbd160c76b01b8fcdf72f58a8757d4b < dffb44b2e06a2908e249f0f93156fc987eee1d1c | affected |
| Linux | Linux | ea41367b2a602f602ea6594fc4a310520dcc64f4 < 9b3af35645ff9cd334edc130249f9a2fb2bea25f | affected |
| Linux | Linux | ea41367b2a602f602ea6594fc4a310520dcc64f4 < 512d33bc8ea4ea5c19728ee118715f4b1f4d1926 | affected |
| Linux | Linux | ea41367b2a602f602ea6594fc4a310520dcc64f4 < a16f70a71be4b5a4eccf39a9bf09b47285f4cb7c | affected |
| Linux | Linux | ea41367b2a602f602ea6594fc4a310520dcc64f4 < 8d09328dfda089675e4c049f3f256064a1d1996b | affected |
| Linux | Linux | 6.6.32 < 6.6.140 | affected |
| Linux | Linux | 6.9 | affected |
| Linux | Linux | 0 < 6.9 | unaffected |
| Linux | Linux | 6.6.140 <= 6.6.* | unaffected |
| Linux | Linux | 6.12.88 <= 6.12.* | unaffected |
| Linux | Linux | 6.18.30 <= 6.18.* | unaffected |
| Linux | Linux | 7.0.7 <= 7.0.* | unaffected |
| Linux | Linux | 7.1 <= * | unaffected |
Weaknesses
References
- https://git.kernel.org/stable/c/dffb44b2e06a2908e249f0f93156fc987eee1d1c
- https://git.kernel.org/stable/c/9b3af35645ff9cd334edc130249f9a2fb2bea25f
- https://git.kernel.org/stable/c/512d33bc8ea4ea5c19728ee118715f4b1f4d1926
- https://git.kernel.org/stable/c/a16f70a71be4b5a4eccf39a9bf09b47285f4cb7c
- https://git.kernel.org/stable/c/8d09328dfda089675e4c049f3f256064a1d1996b
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.