CRITICAL
smb/client Symlink OOB
CVE-2026-46185
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
KernelScan AI5.3MEDIUM
01Description
In the Linux kernel, the following vulnerability has been resolved: smb/client: fix out-of-bounds read in symlink_data() Since smb2_check_message() returns success without length validation for the symlink error response, in symlink_data() it is possible for iov->iov_len to be smaller than sizeof(struct smb2_err_rsp). If the buffer only contains the base SMB2 header (64 bytes), accessing err->ErrorContextCount (at offset 66) or err->ByteCount later in symlink_data() will cause an out-of-bounds read.
02KernelScan AI Analysis
Risk summary
A malicious SMB server can send a truncated STATUS_STOPPED_ON_SYMLINK error response that causes the Linux SMB client to read a few bytes beyond the receive buffer in symlink_data(). This leaks a small amount of adjacent kernel memory to the client. Any system that mounts SMB shares from untrusted or compromised servers is at risk.
Vulnerability analysis
The vulnerability exists in smb2_check_message(), which contains a special-case bypass for STATUS_STOPPED_ON_SYMLINK responses. The bypass returns success without validating that the response buffer is large enough to hold struct smb2_err_rsp. When a malicious server sends a response containing only the 64-byte SMB2 header, subsequent code in symlink_data() accesses fields at offsets 66 and 68 (ErrorContextCount and ByteCount), resulting in a bounded out-of-bounds read of at most a handful of bytes. The fix adds a length check (len > calc_len) before permitting the bypass.
03Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.1 | 6.1.175 | 2be11faf79e4 |
| 6.12 | 6.12.88 | 15dc0a4de743 |
| 6.18 | 6.18.30 | b8c8a704f0bc |
| 6.6 | 6.6.140 | ef6495d4df6e |
| 7.0 | 7.0.7 | b9561402489d |
| mainline | 7.1-rc3 | d62b8d236fab |