KernelScan.io

CRITICAL

smb WSL EAs OOB read

CVE-2026-46155

CVSS 9.1 / 10.0 (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

KernelScan AI 7.9 HIGH

01

In the Linux kernel, the following vulnerability has been resolved:

smb/client: fix out-of-bounds read in smb2_compound_op()

If a server sends a truncated response but a large OutputBufferLength, and terminates the EA list early, check_wsl_eas() returns success without validating that the entire OutputBufferLength fits within iov_len.

Then smb2_compound_op() does:

    memcpy(idata->wsl.eas, data[0], size[0]);

Where size[0] is OutputBufferLength. If iov_len is smaller than size[0], memcpy can read beyond the end of the rsp_iov allocation and leak adjacent kernel heap memory.

02

Engine v0.2.0

Risk summary

A malicious SMB server (or an attacker who can impersonate the server a client connects to) can cause the Linux SMB client to read beyond allocated kernel heap memory when it processes a WSL Extended Attributes response. A small overread leaks adjacent kernel slab data (the engine rates this Low confidentiality impact; note that the NVD vector above rates confidentiality High). Because the attacker controls the read length via OutputBufferLength, a large value walks the read into unmapped pages and produces a kernel panic/oops (High availability impact).

Affected: fs/smb/client/smb2inode.c (SMB client)

Vulnerability analysis

The vulnerability occurs in check_wsl_eas(), which validates the structure of the EA entries it walks but never checks that the server-provided OutputBufferLength fits within the number of bytes actually received (iov_len). A malicious server therefore sends a truncated response whose EA list terminates early, so the walk finishes successfully, while advertising an oversized OutputBufferLength. smb2_compound_op() then uses that advertised length as the memcpy size and reads past the end of the rsp_iov allocation. Since the length is attacker-controlled, a large value reaches unmapped pages and panics the kernel, while smaller overreads quietly leak adjacent heap contents into the EA buffer. The fix adds the missing bounds check by comparing the computed EA end against the actual end of the IOV buffer before the copy, rejecting any response whose claimed length exceeds what was received.
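The failure mode described in the risk summary and analysis above, as an added model in C that is not the kernel's code: a bounded EA walk that stops at an early terminator, a vulnerable caller that trusts the server's OutputBufferLength as the copy size, and a hardened caller that first requires the claimed length to fit inside the received bytes. The function names, the constructed 19-byte response and the use of the "$LXUID" EA name are assumptions for illustration; the entry layout follows the FILE_FULL_EA_INFORMATION format from MS-FSCC. The vulnerable path reports how many bytes the real memcpy would have pulled from adjacent heap instead of actually overreading.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Little-endian field readers; SMB2 is little-endian on the wire. */
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static uint16_t rd16(const uint8_t *p)
{
    return (uint16_t)(p[0] | p[1] << 8);
}

/* Walk FILE_FULL_EA_INFORMATION entries (NextEntryOffset u32, Flags u8,
 * EaNameLength u8, EaValueLength u16, NUL-terminated name, value) inside
 * the bytes actually received. Returns 0 when the chain terminates cleanly,
 * -1 if an entry runs past iov_len. As the page describes check_wsl_eas(),
 * it bounds every entry it touches but never consults OutputBufferLength. */
static int walk_eas(const uint8_t *buf, size_t iov_len)
{
    size_t off = 0;
    for (;;) {
        if (off + 8 > iov_len)
            return -1;
        uint32_t next = rd32(buf + off);
        size_t name_len = buf[off + 5];
        size_t val_len = rd16(buf + off + 6);
        if (off + 8 + name_len + 1 + val_len > iov_len)
            return -1;
        if (next == 0)
            return 0;      /* server marked this as the last entry: success */
        if (next < 8)
            return -1;     /* would overlap or loop */
        off += next;
    }
}

/* Vulnerable caller (hypothetical stand-in for smb2_compound_op()): copies
 * out_len (OutputBufferLength) bytes. To stay memory-safe it copies only what
 * exists and returns how many bytes the real memcpy would have read past the
 * iov; -1 means the EA walk itself rejected the response. */
static long copy_eas_vulnerable(const uint8_t *buf, size_t iov_len,
                                size_t out_len, uint8_t *dst, size_t dst_len)
{
    if (walk_eas(buf, iov_len) != 0)
        return -1;
    if (out_len > dst_len)
        return -1;         /* caller sized dst for out_len */
    size_t present = out_len < iov_len ? out_len : iov_len;
    memcpy(dst, buf, present);
    return (long)(out_len - present);
}

/* Hardened caller: the claimed length must fit inside the received iov
 * before anything is copied, which is the invariant the fix restores. */
static long copy_eas_fixed(const uint8_t *buf, size_t iov_len,
                           size_t out_len, uint8_t *dst, size_t dst_len)
{
    if (walk_eas(buf, iov_len) != 0)
        return -1;
    if (out_len > iov_len || out_len > dst_len)
        return -EINVAL;
    memcpy(dst, buf, out_len);
    return 0;
}

/* Constructed server response: one WSL EA ("$LXUID", 4-byte value) with
 * NextEntryOffset = 0, i.e. an early terminator. 19 bytes on the wire. */
static size_t build_wsl_response(uint8_t *buf, size_t cap)
{
    static const uint8_t ea[] = {
        0x00, 0x00, 0x00, 0x00,           /* NextEntryOffset: last entry */
        0x00,                             /* Flags */
        0x06,                             /* EaNameLength */
        0x04, 0x00,                       /* EaValueLength */
        '$', 'L', 'X', 'U', 'I', 'D', 0,  /* EaName + NUL */
        0x00, 0x00, 0x00, 0x00,           /* EaValue: uid 0 */
    };
    if (cap < sizeof ea)
        return 0;
    memcpy(buf, ea, sizeof ea);
    return sizeof ea;
}

int main(void)
{
    uint8_t rsp[64], dst[64];
    size_t iov_len = build_wsl_response(rsp, sizeof rsp);
    size_t out_len = 64;   /* server-claimed OutputBufferLength */

    printf("received %zu bytes, server claims %zu\n", iov_len, out_len);
    printf("vulnerable: %ld bytes would be read past the iov\n",
           copy_eas_vulnerable(rsp, iov_len, out_len, dst, sizeof dst));
    printf("fixed: %ld (-EINVAL is %d)\n",
           copy_eas_fixed(rsp, iov_len, out_len, dst, sizeof dst), -EINVAL);
    return 0;
}
```

Truncating the single entry itself (passing an iov_len of 10) makes walk_eas() fail in both callers, which is why the walk alone looks sufficient; only the early terminator combined with an inflated OutputBufferLength slips past it.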

03

Branch      Fixed in    Patch commit
6.12        6.12.88     9b3af35645ff
6.18        6.18.30     512d33bc8ea4
6.6         6.6.140     dffb44b2e06a
7.0         7.0.7       a16f70a71be4
mainline    7.1-rc3     8d09328dfda0