CVE-2026-46195: smb: client: validate dacloffset before building DACL pointers
In the Linux kernel, the following vulnerability has been resolved: smb: client: validate dacloffset before building DACL pointers parse_sec_desc(), build_sec_desc(), and the chown path in id_mode_to_cifs_acl() all add the server-supplied dacloffset to pntsd before proving a DACL header fits inside the returned security descriptor. On 32-bit builds a malicious server can return dacloffset near U32_MAX, wrap the derived DACL pointer below end_of_acl, and then slip past the later pointer-based bounds checks. build_sec_desc() and id_mode_to_cifs_acl() can then dereference DACL fields from the wrapped pointer in the chmod/chown rewrite paths. Validate dacloffset numerically before building any DACL pointer and reuse the same helper at the three DACL entry points.
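The two check patterns the description contrasts, as an added example that is not the kernel's code: the pre-fix pointer-based check is modelled with 32-bit addresses so the wrap is reproducible on any host, and the numeric validation follows the approach the fix describes. The struct layouts, the 0x1000 base address and the 64-byte descriptor are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-ins for the self-relative security descriptor header and
 * the ACL header (assumed layouts, not the kernel's own definitions). */
struct ntsd_hdr { uint16_t revision, type; uint32_t osidoffset, gsidoffset, sacloffset, dacloffset; };
struct acl_hdr  { uint16_t revision, size; uint32_t num_aces; };

/* Pre-fix pattern, modelled with 32-bit addresses so the wrap is visible on
 * any host: derive the DACL pointer first, then bounds-check that pointer. */
bool dacl_check_by_pointer32(uint32_t pntsd, uint32_t acl_len, uint32_t dacloffset)
{
    uint32_t end_of_acl = pntsd + acl_len;
    uint32_t dacl = (uint32_t)(pntsd + dacloffset);      /* wraps when dacloffset is near U32_MAX */
    return (uint32_t)(dacl + sizeof(struct acl_hdr)) <= end_of_acl;  /* passes for the wrapped value */
}

/* Post-fix pattern: validate the offset as a number before any pointer is
 * derived from it; each comparison only uses values already proven in range. */
bool dacl_check_numeric(uint32_t acl_len, uint32_t dacloffset)
{
    if (acl_len < sizeof(struct ntsd_hdr))
        return false;                 /* buffer cannot even hold the descriptor header */
    if (dacloffset < sizeof(struct ntsd_hdr))
        return false;                 /* DACL must not overlap the descriptor header */
    if (dacloffset > acl_len - sizeof(struct acl_hdr))
        return false;                 /* ACL header would extend past end_of_acl */
    return true;
}

/* Fill buf with a constructed descriptor whose dacloffset sits near U32_MAX
 * (test input, not a captured server response); returns that offset. */
uint32_t fill_hostile_descriptor(uint8_t *buf, uint32_t len)
{
    struct ntsd_hdr hdr = { .revision = 1, .dacloffset = 0xFFFFFFF0u };
    memset(buf, 0, len);
    memcpy(buf, &hdr, sizeof hdr);
    return hdr.dacloffset;
}

int main(void)
{
    uint8_t buf[64];                  /* the "returned security descriptor" */
    uint32_t off = fill_hostile_descriptor(buf, sizeof buf);
    /* 0x1000 is an assumed base address standing in for pntsd on a 32-bit build */
    printf("pointer-based check: %s\n",
           dacl_check_by_pointer32(0x1000u, sizeof buf, off) ? "accepted (pointer wrapped)" : "rejected");
    printf("numeric check:       %s\n",
           dacl_check_numeric(sizeof buf, off) ? "accepted" : "rejected");
    return 0;
}
```

The pointer-based check rejects an offset that is merely too large but accepts the wrapped one; the numeric check rejects both.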
HarborGuard Analysis
Synopsis
An integer-overflow/pointer-wrap vulnerability exists in the Linux kernel SMB client's DACL (Discretionary Access Control List) parsing code. A malicious SMB server can send a crafted dacloffset value near the 32-bit unsigned integer maximum, causing pointer arithmetic to wrap below the end-of-buffer boundary and slip past subsequent bounds checks. Successful exploitation gives a remote attacker unauthenticated read, write, and crash capability against any host mounting an attacker-controlled SMB share. A patched-image rebuild is available on HarborGuard for environments running an affected kernel version.
HarborGuard Coverage
- Detection: Available
Detection of CVE-2026-46195 is available across every HarborGuard environment; the CVE is ingested from upstream Linux kernel security feeds within minutes of publication and matched against all customer images, including custom-built images that bundle an affected kernel version. Coverage extends to both base images pulled from public registries and internally built images pushed through customer CI pipelines.
- Scoring and triage: Available
HarborGuard is capable of scoring this finding at CVSS 9.8 (Critical, v3.1) and weighting it against each environment's compliance policy to reflect actual exposure. Triage routing is available to direct the finding to the appropriate team inbox within each customer organization based on image ownership and policy configuration.
- Patched-image rebuild: Available
A patched-image rebuild targeting the fix versions (6.6.140, 6.12.88, or 6.18.30 depending on the kernel branch in use) is available on HarborGuard for any environment running an affected version. For customers who opt into auto-remediation, HarborGuard can perform the rebuild, run regression tests, and open a pull request against affected workloads; for Critical-severity issues the median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled.
Exploit Conditions
- Network reachability: Required
The attacker must reach the target host over the network by acting as or controlling an SMB server that the victim host connects to.
- Authentication: Not required
No credentials are needed; the malicious server can deliver the crafted dacloffset in a normal unauthenticated or pre-auth SMB response before any privilege check on the client side matters.
- Victim interaction: Not required
No user action beyond the host having an SMB share mounted or an SMB connection initiated is necessary; the exploit is triggered by the server's response.
- Attack complexity: Low
Attack complexity is low; the exploit is reliable and requires no race condition, memory-layout guessing, or other environmental precondition beyond a 32-bit kernel build mounting the attacker's share.
Blast Radius
- An attacker can read arbitrary kernel memory reachable through the wrapped DACL pointer, exposing credentials, session tokens, or other sensitive data held in kernel buffers.
- An attacker can write to arbitrary kernel memory via the chmod/chown rewrite paths in build_sec_desc() and id_mode_to_cifs_acl(), allowing modification of security descriptors, file permissions, or other persisted kernel structures.
- An attacker can crash the affected kernel by dereferencing an invalid pointer, causing a denial-of-service for all workloads on the host.
- On 32-bit kernel builds the impact is most direct, but any kernel build that follows the affected code paths is exposed to memory corruption with consequences up to full host compromise.
How HarborGuard Handles This
Available on HarborGuard: images containing Linux kernel versions prior to 6.6.140, 6.12.88, or 6.18.30 (depending on the 6.6, 6.12, or 6.18 branch in use) are flagged as affected by this Critical-severity CVE. Where a customer's compliance policy permits auto-remediation, HarborGuard can trigger a patched-image rebuild at the appropriate fix version, execute a regression-test run, and open a pull request against affected workloads; for Critical-severity findings the median time from CVE publication to merged patch PR is approximately 90 minutes in environments with auto-remediation enabled. For environments where auto-remediation is not enabled, the finding is surfaced in the HarborGuard dashboard with fix-version guidance so teams can act manually. As a compensating control while a rebuild is prepared, network policy can be used to restrict outbound SMB (TCP 445) connections from container workloads to trusted server addresses only, limiting exposure to attacker-controlled shares.
Metrics
- CVSS v3.1: 9.8
- Severity: CRITICAL
- Fixed in: 0
- Affected Products: 2
Fix available
- Linux / Linux: affected range starts at commit bc3e9dd9d104ca1b75644eab87b38ce8a924aef4; fixed by commits ba7f71b6161c0943dafc367565e5843d16b7d505, 3b1ddba19e77ee35241cd27f16dc3e8d14e08db7, c688f3ed73d31943334ad2139cb02ec49664322a, 8bd07e417b6bda67e317920584e48cb6ee442a8a and f98b48151cc502ada59d9778f0112d21f2586ca3
- Linux / Linux: affected from version 5.12; fixed in 0, 6.6.140, 6.12.88, 6.18.30, 7.0.7, 7.1-rc3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H