CRITICAL · CVE-2026-46155 · CNA: Linux

CVE-2026-46155: smb/client: fix out-of-bounds read in smb2_compound_op()

In the Linux kernel, the following vulnerability has been resolved:

smb/client: fix out-of-bounds read in smb2_compound_op()

If a server sends a truncated response but a large OutputBufferLength, and terminates the EA list early, check_wsl_eas() returns success without validating that the entire OutputBufferLength fits within iov_len.

Then smb2_compound_op() does:

    memcpy(idata->wsl.eas, data[0], size[0]);

Where size[0] is OutputBufferLength. If iov_len is smaller than size[0], memcpy can read beyond the end of the rsp_iov allocation and leak adjacent kernel heap memory.
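The missing check described above, as an added userspace illustration (not the upstream kernel patch and not HarborGuard code). The names struct rsp_buf, copy_output_checked and the demo values are hypothetical; they stand in for rsp_iov, iov_len and OutputBufferLength.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for the received response (rsp_iov in the advisory). */
struct rsp_buf {
    const uint8_t *base; /* first received byte */
    size_t len;          /* bytes actually received (iov_len) */
};

/*
 * Copy the region a response describes into dst. off and out_len model
 * wire fields (out_len plays OutputBufferLength), so both are untrusted.
 * Returns 0 on success, -1 if the region exceeds the received bytes or dst.
 */
int copy_output_checked(const struct rsp_buf *rsp, uint32_t off,
                        uint32_t out_len, void *dst, size_t dst_cap)
{
    if (off > rsp->len)            /* offset must fall inside the data */
        return -1;
    if (out_len > rsp->len - off)  /* subtract: off + out_len could wrap */
        return -1;
    if (out_len > dst_cap)         /* destination has its own limit */
        return -1;
    memcpy(dst, rsp->base + off, out_len);
    return 0;
}

/* Constructed case: 16 bytes received, header claims 4096 bytes of output. */
int demo_truncated(void)
{
    uint8_t wire[16] = {0}, dst[64];
    struct rsp_buf rsp = { wire, sizeof(wire) };
    return copy_output_checked(&rsp, 8, 4096, dst, sizeof(dst));
}

/* Constructed case: the claimed 8 bytes are really present after offset 8. */
int demo_consistent(void)
{
    uint8_t wire[16] = {0}, dst[64];
    struct rsp_buf rsp = { wire, sizeof(wire) };
    return copy_output_checked(&rsp, 8, 8, dst, sizeof(dst));
}

int main(void)
{
    return (demo_truncated() == -1 && demo_consistent() == 0) ? 0 : 1;
}
```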

HarborGuard Analysis

Synopsis

An out-of-bounds read vulnerability exists in the Linux kernel's SMB client, specifically in the smb2_compound_op() function. The flaw is reachable over the network without authentication: a malicious or compromised SMB server can send a truncated response with an oversized OutputBufferLength field, causing a memcpy() call to read past the end of a kernel heap allocation and leak adjacent memory. Successful exploitation discloses sensitive kernel heap contents and can crash the affected service. A patched-image rebuild is available on HarborGuard for environments running an affected kernel version.

HarborGuard Coverage

Detection

Detection of CVE-2026-46155 is available across every HarborGuard environment; the CVE is ingested from upstream feeds within minutes of publication and matched against all container images in customer registries and CI/CD pipelines, including custom-built images that carry an affected kernel version. Coverage applies to both direct scans and pipeline-gated image promotions.

Status: Available

Triage

HarborGuard is capable of scoring this CVE at its published CVSS 3.1 rating of 9.1 (Critical) and weighting that score against each customer environment's compliance policy to determine urgency tier. Triage output is routable to the appropriate team inbox within each customer organization based on policy-defined ownership rules.

Status: Available

Patch

A patched-image rebuild at fix versions 6.6.140, 6.12.88, and 6.18.30 (and the corresponding upstream commit 512d33bc8ea4ea5c19728ee118715f4b1f4d1926) is available on HarborGuard for environments running an affected kernel version. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes for environments with auto-remediation enabled.

Status: Available

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the SMB client over the network by operating or controlling an SMB server that the vulnerable client connects to.

  • Authentication: Not required

    No authentication is required; the malicious server triggers the read before any credential exchange by the client is necessary.

  • Victim interaction: Not required

    No victim interaction beyond an existing SMB client connection is needed; the server-side response alone triggers the vulnerable code path.

  • Attack complexity: Detail

    Attack complexity is low; the exploit is reliable and does not depend on race conditions, memory layout randomization, or other environmental preconditions.

Blast Radius

  • Reads adjacent kernel heap memory, which can expose in-flight credentials, session tokens, or other sensitive data structures held in kernel memory.
  • Causes a service disruption by corrupting internal state or triggering a kernel panic, taking down the affected host or container.
  • Any process or workload sharing the affected kernel is exposed, not just the SMB client process that initiated the connection.
  • Kernel heap leaks can be chained with a separate write primitive to achieve further privilege escalation on the host.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-46155 fires within minutes of CVE publication for any image in a customer registry or pipeline that carries an affected Linux kernel version, including internally built images. For environments where the kernel version is confirmed affected (pre-6.6.140, pre-6.12.88, or pre-6.18.30 on the respective stable branches), a patched-image rebuild at the fix version is available. Where compliance policy permits auto-remediation, HarborGuard rebuilds the image, executes a regression test run, and opens a pull request against affected workloads automatically; median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes. For environments that do not yet have a compatible fix version available (such as the unfixed 6.9 branch noted in the advisory), HarborGuard re-checks the upstream advisory on every ingest cycle and will make a patched rebuild available the moment the upstream fix is published. In the interim, compensating controls include network-policy isolation to restrict outbound SMB (TCP 445) connections from container workloads to trusted server endpoints only, and egress filtering to block connections to untrusted or external SMB servers.

Metrics

CVSS v3.1: 9.1
Severity: CRITICAL
Fixed in: 0
Affected Products: 2

Fix available

  • 0
  • 512d33bc8ea4ea5c19728ee118715f4b1f4d1926
  • 6.6.140
  • 6.12.88
  • 6.18.30
  • 7.0.7
  • 7.1-rc3
  • 8d09328dfda089675e4c049f3f256064a1d1996b
  • 9b3af35645ff9cd334edc130249f9a2fb2bea25f
  • a16f70a71be4b5a4eccf39a9bf09b47285f4cb7c
  • dffb44b2e06a2908e249f0f93156fc987eee1d1c

Affected packages
  • Linux / Linux
    < dffb44b2e06a2908e249f0f93156fc987eee1d1c (from 7449d736bbbd160c76b01b8fcdf72f58a8757d4b) · < 9b3af35645ff9cd334edc130249f9a2fb2bea25f (from ea41367b2a602f602ea6594fc4a310520dcc64f4) · < 512d33bc8ea4ea5c19728ee118715f4b1f4d1926 (from ea41367b2a602f602ea6594fc4a310520dcc64f4) · < a16f70a71be4b5a4eccf39a9bf09b47285f4cb7c (from ea41367b2a602f602ea6594fc4a310520dcc64f4) · < 8d09328dfda089675e4c049f3f256064a1d1996b (from ea41367b2a602f602ea6594fc4a310520dcc64f4) · < 6.6.140 (from 6.6.32)
  • Linux / Linux
    6.9
    Fixed in 0, 6.6.140, 6.12.88, 6.18.30, 7.0.7, 7.1-rc3
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H