CVE-2026-46139

NONE EPSS 2.3%
Published May 28, 2026 (1mo ago) · Modified Jun 17, 2026 (1w ago)

Description

In the Linux kernel, the following vulnerability has been resolved:

smb: client: use kzalloc to zero-initialize security descriptor buffer

Commit 62e7dd0a39c2d ("smb: common: change the data type of num_aces to le16") split struct smb_acl's __le32 num_aces field into __le16 num_aces and __le16 reserved. The reserved field corresponds to Sbz2 in the MS-DTYP ACL wire format, which must be zero [1].

When building an ACL descriptor in build_sec_desc(), we are using a kmalloc()'ed descriptor buffer and writing the fields explicitly using le16() writes now. This never writes to the 2 byte reserved field, leaving it as uninitialized heap data. When the reserved field happens to contain non-zero slab garbage, Samba rejects the security descriptor with "ndr_pull_security_descriptor failed: Range Error", causing chmod to fail with EINVAL.

Change kmalloc() to kzalloc() to ensure the entire buffer is zero-initialized.

[1] https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/20233ed8-a6c6-4097-aafa-dd545ed24428
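The failure mode in the description, reduced to a user-space C model. This is an added example, not the kernel patch or code from the referenced commits; the helper names, the 0xA5 fill standing in for stale slab contents, and the receiver-side check are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* 8-byte ACL header as laid out on the wire (MS-DTYP, little-endian):
 * AclRevision+Sbz1 | AclSize | AceCount (num_aces) | Sbz2 (reserved). */
enum { ACL_HDR_LEN = 8, OFF_REVISION = 0, OFF_SIZE = 2, OFF_NUM_ACES = 4, OFF_RESERVED = 6 };

static void put_le16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v & 0xff); p[1] = (uint8_t)(v >> 8); }
static uint16_t get_le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Hypothetical allocator model: zeroed != 0 behaves like a zeroing allocator;
 * otherwise the buffer is filled with 0xA5, a constructed and deterministic
 * substitute for whatever a non-zeroing allocator would hand back. */
static uint8_t *alloc_hdr(int zeroed)
{
    uint8_t *p = malloc(ACL_HDR_LEN);
    if (p)
        memset(p, zeroed ? 0x00 : 0xA5, ACL_HDR_LEN);
    return p;
}

/* Field-by-field 16-bit writes; the reserved field is never written,
 * which is the pattern the description identifies. */
static void write_acl_header(uint8_t *buf, uint16_t size, uint16_t num_aces)
{
    put_le16(buf + OFF_REVISION, 2);      /* AclRevision = 2, Sbz1 = 0 */
    put_le16(buf + OFF_SIZE, size);
    put_le16(buf + OFF_NUM_ACES, num_aces);
}

/* Builds a header and returns what ends up in the reserved (Sbz2) field. */
uint16_t reserved_after_build(int zeroed)
{
    uint8_t *buf = alloc_hdr(zeroed);
    if (!buf)
        abort();
    write_acl_header(buf, ACL_HDR_LEN, 0);
    uint16_t reserved = get_le16(buf + OFF_RESERVED);
    free(buf);
    return reserved;
}

/* Receiver-side model of the "Sbz2 must be zero" rule: 1 = accept, 0 = reject. */
int peer_accepts(int zeroed) { return reserved_after_build(zeroed) == 0; }

int main(void)
{
    printf("non-zeroed buffer: reserved=0x%04x accepted=%d\n", reserved_after_build(0), peer_accepts(0));
    printf("zeroed buffer:     reserved=0x%04x accepted=%d\n", reserved_after_build(1), peer_accepts(1));
    return 0;
}
```

With real allocator behaviour the reserved bytes vary from call to call, which is why the symptom is intermittent; zeroing the whole buffer also covers any padding or reserved field added to the structure later.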

Threat Intelligence

EPSS Exploit Probability
2.3% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available

References 5

  • git.kernel.org https://git.kernel.org/stable/c/4c3ed344a970aad51388ac3b0145b98318f0e21f
  • git.kernel.org https://git.kernel.org/stable/c/5e489c6c47a2ac15edbaca153b9348e42c1eacab
  • git.kernel.org https://git.kernel.org/stable/c/941a1e6eb35440336913afc88a82103291956d5d
  • git.kernel.org https://git.kernel.org/stable/c/9bdb2ca31368b7671949dfb94a5d57ffccd01edd
  • git.kernel.org https://git.kernel.org/stable/c/be1ef9512a3f5a755895c24f31b334342f4aa15b

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.