CVE Catalog

CVE-2026-46139

MediumCVSS 5.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.17%

6th percentile - higher than 6% of all known CVEs

Summary

A vulnerability has been identified in the Linux kernel SMB client related to improper initialization of the security descriptor buffer. A change in the data structure caused the reserved field to remain uninitialized, leading to errors when attempting to use chmod.

Risk Assessment

Improper buffer initialization may lead to Samba rejecting the security descriptor, resulting in file operation errors. This can affect system availability and security.

Recommendation

It is recommended to update the Linux kernel to use kzalloc instead of kmalloc, ensuring proper zero-initialization of the buffer.

Original NVD description (English source)

In the Linux kernel, the following vulnerability has been resolved: smb: client: use kzalloc to zero-initialize security descriptor buffer Commit 62e7dd0a39c2d ("smb: common: change the data type of num_aces to le16") split struct smb_acl's __le32 num_aces field into __le16 num_aces and __le16 reserved. The reserved field corresponds to Sbz2 in the MS-DTYP ACL wire format, which must be zero [1]. When building an ACL descriptor in build_sec_desc(), we are using a kmalloc()'ed descriptor buffer and writing the fields explicitly using le16() writes now. This never writes to the 2 byte reserved field, leaving it as uninitialized heap data. When the reserved field happens to contain non-zero slab garbage, Samba rejects the security descriptor with "ndr_pull_security_descriptor failed: Range Error", causing chmod to fail with EINVAL. Change kmalloc() to kzalloc() to ensure the entire buffer is zero-initialized. [1] https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/20233ed8-a6c6-4097-aafa-dd545ed24428

Vulnerability data from NVD (NIST) · CISA KEV · EPSS