CVE-2026-46185: smb/client: fix out-of-bounds read in symlink_data()
In the Linux kernel, the following vulnerability has been resolved: smb/client: fix out-of-bounds read in symlink_data()
Since smb2_check_message() returns success without length validation for the symlink error response, in symlink_data() it is possible for iov->iov_len to be smaller than sizeof(struct smb2_err_rsp). If the buffer only contains the base SMB2 header (64 bytes), accessing err->ErrorContextCount (at offset 66) or err->ByteCount later in symlink_data() will cause an out-of-bounds read.
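As an added example (not code from the advisory, HarborGuard, or the kernel), the C below sketches the length validation a consumer of the SMB2 error response needs before dereferencing any field past the 64-byte header. The struct layout is reconstructed from MS-SMB2 and the offsets the advisory cites; the function names, result codes and sample buffers are hypothetical and constructed.

```c
#include <stddef.h>
#include <stdint.h>
/* Constructed, simplified SMB2 ERROR response (MS-SMB2 2.2.2): 64-byte header
 * then the error body. Offsets match the advisory: ErrorContextCount at 66,
 * ByteCount at 68, so sizeof(struct smb2_err_rsp) == 72. */
#define SMB2_HDR_LEN 64
struct smb2_err_rsp {
    uint8_t  hdr[SMB2_HDR_LEN];
    uint16_t StructureSize;     /* offset 64 */
    uint8_t  ErrorContextCount; /* offset 66 */
    uint8_t  Reserved;          /* offset 67 */
    uint32_t ByteCount;         /* offset 68: length of ErrorData */
    uint8_t  ErrorData[];       /* offset 72, variable length */
} __attribute__((packed));
/* Hypothetical result codes; not the kernel's. */
enum { ERR_RSP_OK = 0, ERR_RSP_TOO_SHORT = -1, ERR_RSP_BAD_BYTECOUNT = -2 };
/* The length check a consumer must pass before touching any field past the
 * header: rejects the header-only (64-byte) case the advisory describes, then a
 * ByteCount that would run ErrorData past the end of the received buffer.
 * Assumes a little-endian host; the kernel would use le32_to_cpu() here. */
int check_err_rsp_len(const uint8_t *buf, size_t iov_len)
{
    if (iov_len < sizeof(struct smb2_err_rsp))
        return ERR_RSP_TOO_SHORT;
    const struct smb2_err_rsp *err = (const struct smb2_err_rsp *)buf;
    if (err->ByteCount > iov_len - sizeof(struct smb2_err_rsp))
        return ERR_RSP_BAD_BYTECOUNT;
    return ERR_RSP_OK;
}
/* Guarded accessor: returns ErrorContextCount, or -1 if the check fails. */
int err_rsp_context_count(const uint8_t *buf, size_t iov_len)
{
    if (check_err_rsp_len(buf, iov_len) != ERR_RSP_OK)
        return -1;
    return ((const struct smb2_err_rsp *)buf)->ErrorContextCount;
}
/* Constructed samples: a header-only response, which an unchecked reader would
 * dereference at offset 66, and a well-formed 76-byte one with ByteCount 4. */
int demo_header_only(void)
{
    uint8_t buf[SMB2_HDR_LEN] = {0};
    return check_err_rsp_len(buf, sizeof buf);      /* ERR_RSP_TOO_SHORT */
}
int demo_well_formed(void)
{
    uint8_t buf[sizeof(struct smb2_err_rsp) + 4] = {0};
    buf[64] = 9; buf[66] = 1; buf[68] = 4;   /* StructureSize, ErrorContextCount, ByteCount */
    return err_rsp_context_count(buf, sizeof buf);   /* 1 */
}
```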
HarborGuard Analysis
Synopsis
An out-of-bounds read vulnerability exists in the Linux kernel's SMB client, specifically in the symlink_data() function of the SMB2 protocol handler. The flaw is reachable over the network without any authentication, allowing a malicious or compromised SMB server to send a crafted symlink error response that triggers the read past the end of a buffer. Successful exploitation exposes sensitive kernel memory contents and can crash the affected system. A patched-image rebuild is available on HarborGuard for environments running an affected kernel version.
HarborGuard Coverage
Detection of CVE-2026-46185 is available across every HarborGuard environment. The CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that package an affected Linux kernel version.
HarborGuard is capable of scoring this CVE at CVSS 9.1 (Critical) and weighting it against each environment's compliance policy to determine urgency. Triage routing is available to direct findings to the appropriate team inbox within each customer organization.
A patched-image rebuild at fix versions 6.1, 6.6.140, and 6.12.88 is available on HarborGuard for any image found running an affected kernel. For customers who opt into auto-remediation, HarborGuard can trigger a rebuild, run a regression test suite, and open a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: Required
  The attacker must reach the target system's SMB client over the network by acting as or controlling a reachable SMB server.
- Authentication: Not required
  No credentials are required; the malicious server can trigger the out-of-bounds read against any connecting client without authentication.
- Victim interaction: Not required
  No user interaction is needed; the kernel SMB client processes the crafted server response automatically during a symlink lookup.
- Attack complexity: Low
  Attack complexity is low, meaning the exploit is reliable and requires no special timing, race conditions, or environmental configuration to succeed.
Blast Radius
- An attacker reads out-of-bounds kernel memory contents, which may include sensitive data such as cryptographic material, session tokens, or kernel pointers from neighboring heap or stack regions.
- The out-of-bounds read can produce a kernel panic or oops, crashing the affected host and taking down all workloads running on it.
- A crash loop triggered by repeated malformed responses can render the system unavailable until it is manually recovered or rebooted.
- Leaked kernel pointers from the out-of-bounds read can weaken address-space layout randomization, lowering the barrier for follow-on exploitation.
How HarborGuard Handles This
Available on HarborGuard: detection is matched against customer images within minutes of ingestion, and a patched-image rebuild at kernel versions 6.1, 6.6.140, and 6.12.88 is available for any image carrying an affected kernel. For customers who opt into auto-remediation, HarborGuard can execute a full rebuild, run regression tests, and open a PR against affected workloads. For high- and critical-severity issues, the median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy does not permit auto-remediation, HarborGuard surfaces the finding with CVSS scoring and fix-version detail so teams can act manually. As a compensating control before patching, customers can apply network policy to restrict outbound SMB (TCP 445) access from container workloads to only trusted server addresses, reducing exposure to malicious server responses.
Metrics
- CVSS v3.1: 9.1
- Severity: CRITICAL
- Fixed in: 0
- Affected Products: 2
Fix available
- Linux / Linux: < ef6495d4df6e7af8f3de67e65150881c880f696c (from 76894f3e2f71177747b8b4763fb180e800279585) · < 15dc0a4de743a1aaa7b859b3aea79f08c695396c (from 76894f3e2f71177747b8b4763fb180e800279585) · < b8c8a704f0bc133deb171f6aeb6f3a684203e212 (from 76894f3e2f71177747b8b4763fb180e800279585) · < b9561402489d41149f63e001a74384863b7b30a6 (from 76894f3e2f71177747b8b4763fb180e800279585) · < d62b8d236fab503c6fec1d3e9a38bea71feaca20 (from 76894f3e2f71177747b8b4763fb180e800279585) · 2d046892a493d9760c35fdaefc3017f27f91b621
- Linux / Linux 6.1: Fixed in 0, 6.6.140, 6.12.88, 6.18.30, 7.0.7, 7.1-rc3
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H