PT-2026-44318 · Linux · Linux Kernel
Published
2026-05-28
·
Updated
2026-07-15
·
CVE-2026-46195
CVSS v3.1
9.8
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Linux kernel (affected versions not specified)
Description
An issue exists in the SMB client where the server-supplied
dacloffset is added to pntsd before verifying if a DACL header fits within the returned security descriptor. On 32-bit builds, a malicious server can provide a dacloffset value near U32 MAX, causing the derived DACL pointer to wrap around below end of acl and bypass pointer-based bounds checks. This allows the build sec desc() and id mode to cifs acl() functions to dereference DACL fields from the wrapped pointer during chmod or chown rewrite paths. The affected functions include parse sec desc(), build sec desc(), and the chown path in id mode to cifs acl().Recommendations
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Exploit
DoS
Memory Corruption
NULL Pointer Dereference
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Linux Kernel