216.73.216.226

CVE-2026-46195

· Published 28/05/2026 10:16 · Modified 28/05/2026 13:44

Labels: CVE-2026-46195 2026-05-28416baaa9-dc9f-4396-8d5f-8c081fb06d67CVE-2026-46195

Essential information

Published
28/05/2026 10:16
Modified
28/05/2026 13:44
Author
Creator
CVSS
9.8 CRITICAL (v3.1)
CISA KEV
No
CWE
CWE-476
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS metrics

Description

In the Linux kernel, the following vulnerability has been resolved: smb: client: validate dacloffset before building DACL pointers parse_sec_desc(), build_sec_desc(), and the chown path in id_mode_to_cifs_acl() all add the server-supplied dacloffset to pntsd before proving a DACL header fits inside the returned security descriptor. On 32-bit builds a malicious server can return dacloffset near U32_MAX, wrap the derived DACL pointer below end_of_acl, and then slip past the later pointer-based bounds checks. build_sec_desc() and id_mode_to_cifs_acl() can then dereference DACL fields from the wrapped pointer in the chmod/chown rewrite paths. Validate dacloffset numerically before building any DACL pointer and reuse the same helper at the three DACL entry points.

NVD status

Status
Modified — CVE has been recently published to the CVE List and has been received by the NVD.
Source
nist-nvd-api
NVD
View on NVD

Affected products (CPE)

ProductCPE
linux / linux kernel cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
linux / linux kernel cpe:2.3:o:linux:linux_kernel:7.1:rc1:*:*:*:*:*:*
linux / linux kernel cpe:2.3:o:linux:linux_kernel:7.1:rc2:*:*:*:*:*:*

References