{
  "threat_severity" : "Important",
  "public_date" : "2026-05-28T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: smb: client: validate dacloffset before building DACL pointers",
    "id" : "2482606",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2482606"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-787",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nsmb: client: validate dacloffset before building DACL pointers\nparse_sec_desc(), build_sec_desc(), and the chown path in\nid_mode_to_cifs_acl() all add the server-supplied dacloffset to pntsd\nbefore proving a DACL header fits inside the returned security\ndescriptor.\nOn 32-bit builds a malicious server can return dacloffset near\nU32_MAX, wrap the derived DACL pointer below end_of_acl, and then slip\npast the later pointer-based bounds checks. build_sec_desc() and\nid_mode_to_cifs_acl() can then dereference DACL fields from the wrapped\npointer in the chmod/chown rewrite paths.\nValidate dacloffset numerically before building any DACL pointer and\nreuse the same helper at the three DACL entry points.", "A flaw was found in the Linux kernel's Server Message Block (SMB) client. A malicious server can exploit this vulnerability on 32-bit systems by providing a crafted dacloffset value. This can cause a pointer wrap, leading to the dereferencing of invalid Discretionary Access Control List (DACL) fields during chmod or chown operations. This memory corruption could potentially allow the malicious server to bypass security mechanisms or cause a denial of service." ],
  "statement" : "This is an Important flaw in the Linux kernel's Server Message Block (SMB) client, affecting 32-bit Red Hat Enterprise Linux systems. A malicious SMB server could exploit a pointer wrap vulnerability during chmod or chown operations, potentially leading to memory corruption, a denial of service, or security mechanism bypass. Exploitation requires the affected 32-bit system to connect to a specially crafted malicious SMB server.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2026-05-28T00:00:00Z",
    "advisory" : "RHSA-2026:21745",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8::nfv",
    "package" : "kernel-rt-0:4.18.0-553.126.1.rt7.467.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2026-05-28T00:00:00Z",
    "advisory" : "RHSA-2026:21706",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "kernel-0:4.18.0-553.126.1.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2026-05-28T00:00:00Z",
    "advisory" : "RHSA-2026:21556",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-687.12.1.el9_8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2026-05-28T00:00:00Z",
    "advisory" : "RHSA-2026:21556",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-687.12.1.el9_8"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-46195\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-46195\nhttps://lore.kernel.org/linux-cve-announce/2026052833-CVE-2026-46195-f7ef@gregkh/T" ],
  "name" : "CVE-2026-46195",
  "mitigation" : {
    "value" : "To mitigate this issue, avoid mounting shares from untrusted SMB servers on 32-bit Red Hat Enterprise Linux systems. If interaction with untrusted SMB servers is unavoidable, consider isolating affected systems or restricting network access to only known, trusted SMB servers.",
    "lang" : "en:us"
  },
  "csaw" : false
}