
CVE-2026-46185: Linux Kernel Buffer Overflow Vulnerability

CVE-2026-46185 is a buffer overflow vulnerability in the Linux kernel SMB client that causes out-of-bounds read errors in symlink handling. This article covers technical details, affected versions, impact, and mitigation.

CVE-2026-46185 Overview

CVE-2026-46185 is an out-of-bounds read vulnerability in the Linux kernel's SMB client implementation. The flaw resides in the symlink_data() function within the smb/client subsystem. The function smb2_check_message() returns success without validating the length of symlink error responses. When a response buffer contains only the base SMB2 header of 64 bytes, accessing err->ErrorContextCount at offset 66 or err->ByteCount triggers a read beyond the allocated buffer. A malicious or compromised SMB server can craft responses that drive the client into reading attacker-controlled or unmapped memory.

Critical Impact

A remote SMB server can trigger an out-of-bounds read in the Linux kernel client, potentially leaking memory contents or causing a kernel crash.

Affected Products

  • Linux kernel smb/client subsystem (CIFS/SMB2 client)
  • Distributions shipping affected upstream kernel versions prior to the referenced fix commits
  • Systems mounting remote SMB shares from untrusted or malicious servers

Discovery Timeline

  • 2026-05-28 - CVE-2026-46185 published to NVD
  • 2026-05-28 - Last updated in NVD database

Technical Details for CVE-2026-46185

Vulnerability Analysis

The defect lies in how the Linux SMB2 client processes error responses associated with symbolic link resolution. The kernel function smb2_check_message() validates incoming SMB2 messages but skips a length check for the symlink error response path. Downstream code in symlink_data() then assumes the message buffer is at least sizeof(struct smb2_err_rsp) bytes long. When the actual iov->iov_len carries only the 64-byte base SMB2 header, dereferencing fields past that boundary, including ErrorContextCount at offset 66 and the subsequent ByteCount, reads memory outside the intended buffer. This falls under out-of-bounds read [CWE-125] within kernel-mode code.

Root Cause

The root cause is missing length validation. smb2_check_message() accepts the symlink error response without confirming the buffer is large enough to contain a complete smb2_err_rsp structure. symlink_data() proceeds on the unchecked assumption that the response payload extends beyond the SMB2 header. The fix adds explicit length checks before structure field access. The patched commits are referenced in the upstream stable kernel tree: 15dc0a4, b8c8a70, b956140, d62b8d2, and ef6495d.
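The check-before-access pattern described above, as an added user-space example; it is not the kernel's code and not the upstream patch. The helper name parse_err_rsp, the err_body struct and the status codes are hypothetical, the field offsets follow the MS-SMB2 ERROR Response layout, and the second check (ByteCount against the remaining bytes) goes one step beyond the header-only case the advisory describes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SMB2_HDR_LEN 64u                   /* base SMB2 header */
#define ERR_FIXED_LEN (SMB2_HDR_LEN + 8u)  /* header + fixed error fields */

/* Simplified model of the fixed error-response fields (not the kernel struct). */
struct err_body {
    uint16_t structure_size;      /* offset 64 */
    uint8_t  error_context_count; /* offset 66 */
    uint32_t byte_count;          /* offset 68; ErrorData starts at 72 */
};

enum { PARSE_OK = 0, PARSE_TOO_SHORT = -1, PARSE_BAD_COUNT = -2 };

/* Hypothetical helper: validate the length first, then decode the fields. */
int parse_err_rsp(const uint8_t *buf, size_t len, struct err_body *out)
{
    /* Check 1: the fixed error fields must lie inside the buffer.
     * A 64-byte header-only response is rejected here, before
     * offset 66 (ErrorContextCount) is ever touched. */
    if (!buf || !out || len < ERR_FIXED_LEN)
        return PARSE_TOO_SHORT;

    /* Decode little-endian byte by byte; every index is now < len. */
    out->structure_size = (uint16_t)(buf[64] | (buf[65] << 8));
    out->error_context_count = buf[66];
    out->byte_count = (uint32_t)buf[68] | ((uint32_t)buf[69] << 8) |
                      ((uint32_t)buf[70] << 16) | ((uint32_t)buf[71] << 24);

    /* Check 2: ByteCount comes from the server, so it must fit in the
     * bytes that remain. Comparing against the remainder avoids overflow. */
    if (out->byte_count > len - ERR_FIXED_LEN)
        return PARSE_BAD_COUNT;
    return PARSE_OK;
}

int main(void)
{
    uint8_t hdr_only[SMB2_HDR_LEN] = {0};  /* constructed: header-only reply */
    struct err_body e;

    printf("header-only response: %d\n",
           parse_err_rsp(hdr_only, sizeof(hdr_only), &e));
    return 0;
}
```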

Attack Vector

Exploitation requires the victim Linux client to communicate with an attacker-controlled or compromised SMB server. The server responds to symlink-related operations with a malformed error response containing only the SMB2 header. When symlink_data() parses the truncated buffer, the kernel reads adjacent memory. Consequences include kernel information disclosure, kernel panic, and denial of service. Network access to a malicious share is the primary precondition for triggering the flaw.

No public exploit code is available. See the upstream patches for technical detail: Kernel Git Commit 15dc0a4 and Kernel Git Commit ef6495d.

Detection Methods for CVE-2026-46185

Indicators of Compromise

  • Kernel oops or panic messages referencing symlink_data or smb2_check_message in dmesg and system logs
  • Unexpected SMB client disconnects or mount failures when accessing remote shares
  • KASAN reports flagging out-of-bounds reads in the cifs or smb kernel modules

Detection Strategies

  • Inventory running kernel versions across Linux fleets and compare against patched stable branches listed in the upstream commits
  • Audit mount.cifs usage and identify hosts mounting shares from untrusted networks or unknown servers
  • Enable KASAN on test systems mounting SMB shares to catch boundary violations during validation

Monitoring Recommendations

  • Forward kernel logs to a centralized logging or SIEM platform and alert on cifs, smb2, or symlink related faults
  • Monitor outbound SMB traffic (TCP/445) to non-corporate destinations from Linux servers and workstations
  • Track repeated SMB session resets or protocol errors that may indicate malformed server responses

How to Mitigate CVE-2026-46185

Immediate Actions Required

  • Apply a kernel update from your distribution vendor that carries the upstream fix (commits 15dc0a4, b8c8a70, b956140, d62b8d2, or ef6495d)
  • Restrict outbound SMB connectivity from Linux hosts to known, trusted file servers only
  • Unmount any SMB shares originating from untrusted networks until patches are deployed

Patch Information

The fix adds length validation before accessing smb2_err_rsp fields in the symlink error path. Patched commits are published in the stable kernel tree, including Kernel Git Commit b8c8a70, Kernel Git Commit b956140, and Kernel Git Commit d62b8d2. Consume the fix through your distribution's stable kernel update channel.

Workarounds

  • Block outbound TCP/445 and TCP/139 at the host or network firewall when SMB is not required
  • Disable automatic mounting of CIFS/SMB shares from untrusted sources in /etc/fstab and autofs configurations
  • Unload the cifs kernel module on systems that do not require SMB client functionality

```bash
# Block outbound SMB and unload the client module on hosts that do not need it
sudo iptables -A OUTPUT -p tcp --dport 445 -j REJECT
sudo iptables -A OUTPUT -p tcp --dport 139 -j REJECT
sudo umount -a -t cifs
sudo modprobe -r cifs
```
