CVE-2026-46195

In the Linux kernel, the following vulnerability has been resolved:

smb: client: validate dacloffset before building DACL pointers

parse sec desc(), build sec desc(), and the chown path in id mode to cifs acl() all add the server-supplied dacloffset to pntsd before proving a DACL header fits inside the returned security descriptor.

On 32-bit builds a malicious server can return dacloffset near U32 MAX, wrap the derived DACL pointer below end of acl, and then slip past the later pointer-based bounds checks. build sec desc() and id mode to cifs acl() can then dereference DACL fields from the wrapped pointer in the chmod/chown rewrite paths.

Validate dacloffset numerically before building any DACL pointer and reuse the same helper at the three DACL entry points.