5.5

CVE-2026-46139

smb: client: use kzalloc to zero-initialize security descriptor buffer

In the Linux kernel, the following vulnerability has been resolved:

smb: client: use kzalloc to zero-initialize security descriptor buffer

Commit 62e7dd0a39c2d ("smb: common: change the data type of num_aces
to le16") split struct smb_acl's __le32 num_aces field into __le16
num_aces and __le16 reserved. The reserved field corresponds to Sbz2
in the MS-DTYP ACL wire format, which must be zero [1].

When building an ACL descriptor in build_sec_desc(), we are using a
kmalloc()'ed descriptor buffer and writing the fields explicitly using
le16() writes now. This never writes to the 2 byte reserved field,
leaving it as uninitialized heap data.

When the reserved field happens to contain non-zero slab garbage,
Samba rejects the security descriptor with "ndr_pull_security_descriptor
failed: Range Error", causing chmod to fail with EINVAL.

Change kmalloc() to kzalloc() to ensure the entire buffer is
zero-initialized.


[1] https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/20233ed8-a6c6-4097-aafa-dd545ed24428
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
LinuxLinux Kernel Version >= 6.12.23 < 6.12.88
LinuxLinux Kernel Version >= 6.13.11 < 6.14
LinuxLinux Kernel Version >= 6.14.1 < 6.18.30
LinuxLinux Kernel Version >= 6.19 < 7.0.7
LinuxLinux Kernel Version6.14 Update-
LinuxLinux Kernel Version6.14 Updaterc6
LinuxLinux Kernel Version6.14 Updaterc7
LinuxLinux Kernel Version7.1 Updaterc1
LinuxLinux Kernel Version7.1 Updaterc2
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.12% 0.023
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 5.5 1.8 3.6
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CWE-908 Use of Uninitialized Resource

The product uses or accesses a resource that has not been initialized.

https://git.kernel.org/stable/c/4c3ed344a970aad51388ac3b0145b98318f0e21f
Patch
https://git.kernel.org/stable/c/941a1e6eb35440336913afc88a82103291956d5d
Patch
https://git.kernel.org/stable/c/be1ef9512a3f5a755895c24f31b334342f4aa15b
Patch
https://git.kernel.org/stable/c/9bdb2ca31368b7671949dfb94a5d57ffccd01edd
Patch
https://git.kernel.org/stable/c/5e489c6c47a2ac15edbaca153b9348e42c1eacab
Patch