PT-2026-44318 · Linux · Linux Kernel

Published

2026-05-28

·

Updated

2026-07-15

·

CVE-2026-46195

CVSS v3.1

9.8

Critical

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions Linux kernel (affected versions not specified)
Description An issue exists in the SMB client where the server-supplied dacloffset is added to pntsd before verifying if a DACL header fits within the returned security descriptor. On 32-bit builds, a malicious server can provide a dacloffset value near U32 MAX, causing the derived DACL pointer to wrap around below end of acl and bypass pointer-based bounds checks. This allows the build sec desc() and id mode to cifs acl() functions to dereference DACL fields from the wrapped pointer during chmod or chown rewrite paths. The affected functions include parse sec desc(), build sec desc(), and the chown path in id mode to cifs acl().
Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

DoS

Memory Corruption

NULL Pointer Dereference

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-46195
ECHO-C1E1-4615-F038
OPENSUSE-SU-2026:10954-1
USN-8488-1
USN-8488-2
USN-8489-1
USN-8490-1
USN-8490-2
USN-8491-1
USN-8492-1
USN-8492-2
USN-8492-3
USN-8492-4
USN-8492-5
USN-8493-1
USN-8493-2
USN-8497-1
USN-8498-1
USN-8499-1
USN-8507-1
USN-8508-1
USN-8527-1
USN-8528-1
USN-8545-1
USN-8546-1
USN-8547-1

Affected Products

Linux Kernel