Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1310 CNY

100%
Buy Us a Coffee

CVE-2026-46139— smb: client: use kzalloc to zero-initialize security descriptor buffer

AI Predicted 5.3 Difficulty: Trivial EPSS 0.02% · P5

Possible ATT&CK Techniques 1AI

T1059 · Command and Scripting Interpreter

Affected Version Matrix 14

VendorProductVersion RangeStatus
LinuxLinux1593ddb37bd124c131fe635397df68e854a03108< 4c3ed344a970aad51388ac3b0145b98318f0e21faffected
da087905e3270e2291c0afae39a28e7d183e5ec3< 941a1e6eb35440336913afc88a82103291956d5daffected
62e7dd0a39c2d0d7ff03274c36df971f1b3d2d0d< be1ef9512a3f5a755895c24f31b334342f4aa15baffected
62e7dd0a39c2d0d7ff03274c36df971f1b3d2d0d< 9bdb2ca31368b7671949dfb94a5d57ffccd01eddaffected
62e7dd0a39c2d0d7ff03274c36df971f1b3d2d0d< 5e489c6c47a2ac15edbaca153b9348e42c1eacabaffected
191f2f444745087c3c51fd6042a0e25f42315ab0affected
6.12.23< 6.12.88affected
6.13.11< 6.14affected
… +6 more rows
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-46139

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
smb: client: use kzalloc to zero-initialize security descriptor buffer
Source: NVD (National Vulnerability Database)
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: smb: client: use kzalloc to zero-initialize security descriptor buffer Commit 62e7dd0a39c2d ("smb: common: change the data type of num_aces to le16") split struct smb_acl's __le32 num_aces field into __le16 num_aces and __le16 reserved. The reserved field corresponds to Sbz2 in the MS-DTYP ACL wire format, which must be zero [1]. When building an ACL descriptor in build_sec_desc(), we are using a kmalloc()'ed descriptor buffer and writing the fields explicitly using le16() writes now. This never writes to the 2 byte reserved field, leaving it as uninitialized heap data. When the reserved field happens to contain non-zero slab garbage, Samba rejects the security descriptor with "ndr_pull_security_descriptor failed: Range Error", causing chmod to fail with EINVAL. Change kmalloc() to kzalloc() to ensure the entire buffer is zero-initialized. [1] https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/20233ed8-a6c6-4097-aafa-dd545ed24428
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
Linux kernel 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 Linux kernel存在安全漏洞,该漏洞源于smb客户端中安全描述符缓冲区未零初始化,可能导致保留字段包含堆垃圾数据。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
LinuxLinux 1593ddb37bd124c131fe635397df68e854a03108 ~ 4c3ed344a970aad51388ac3b0145b98318f0e21f -
LinuxLinux 6.14 -

II. Public POCs for CVE-2026-46139

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2026-46139

登录查看更多情报信息。

Patches & Fixes for CVE-2026-46139 (5)

Same Patch Batch · Linux · 2026-05-28 · 138 CVEs total

CVE-2026-461959.8 CRITICALsmb: client: validate dacloffset before building DACL pointers
CVE-2026-461379.8 CRITICALmptcp: pm: ADD_ADDR rtx: fix potential data-race
CVE-2026-461359.8 CRITICALnvmet-tcp: fix race between ICReq handling and queue teardown
CVE-2026-461159.8 CRITICALblock: add pgmap check to biovec_phys_mergeable
CVE-2026-461859.1 CRITICALsmb/client: fix out-of-bounds read in symlink_data()
CVE-2026-461199.1 CRITICALlibceph: Fix slab-out-of-bounds access in auth message processing
CVE-2026-461559.1 CRITICALsmb/client: fix out-of-bounds read in smb2_compound_op()
CVE-2026-461258.8 HIGHwifi: mac80211: remove station if connection prep fails
CVE-2026-461748.8 HIGHx86/CPU/AMD: Prevent improper isolation of shared resources in Zen2's op cache
CVE-2026-461988.8 HIGHbatman-adv: fix integer overflow on buff_pos
CVE-2026-461668.8 HIGHwifi: mac80211: use safe list iteration in radar detect work
CVE-2026-461138.8 HIGHKVM: x86: Fix shadow paging use-after-free due to unexpected GFN
CVE-2026-461528.8 HIGHwifi: mac80211: drop stray 'static' from fast-RX rx_result
CVE-2026-462128.8 HIGHbatman-adv: bla: prevent use-after-free when deleting claims
CVE-2026-462388.8 HIGHbatman-adv: stop caching unowned originator pointers in BAT IV
CVE-2026-461388.1 HIGHBluetooth: hci_event: Fix OOB read and infinite loop in hci_le_create_big_complete_evt
CVE-2026-462328.1 HIGHHID: playstation: Clamp num_touch_reports
CVE-2026-461977.8 HIGHdrm/amdkfd: validate SVM ioctl nattr against buffer size
CVE-2026-461767.8 HIGHRDMA/mlx5: Fix error path fall-through in mlx5_ib_dev_res_srq_init()
CVE-2026-461457.8 HIGHRDMA/mana: Validate rx_hash_key_len

Showing top 20 of 138 CVEs. View all on vendor page &rarr; →

IV. Related Vulnerabilities

Same product: Linux
Same vendor: Linux

V. Comments for CVE-2026-46139

No comments yet

Leave a comment