In the Linux kernel, the following vulnerability has been resolved:
smb/client: fix out-of-bounds read in smb2_compound_op()
If a server sends a truncated response but a large OutputBufferLength, and
terminates the EA list early, check_wsl_eas() returns success without
validating that the entire OutputBufferLength fits within iov_len.
Then smb2_compound_op() does:
memcpy(idata->wsl.eas, data[0], size[0]);
Where size[0] is OutputBufferLength. If iov_len is smaller than size[0],
memcpy can read beyond the end of the rsp_iov allocation and leak adjacent
kernel heap memory.
| Score | Percentile |
|---|---|
| 0.06% | 19.08% |
| Base score | Version | Severity | Vector |
|---|---|---|---|
| 9.1 | 3.1 | — |
|
| Type | Value |
|---|---|
| GHSA | GHSA-r5mc-mc43-5gch ↗ |
| CVE | CVE-2026-46155 ↗ |
| CWE id | Name |
|---|---|
| CWE-125 | Out-of-bounds Read |