CVE-2026-46195

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> smb: client: validate dacloffset before building DACL pointers<br /> <br /> parse_sec_desc(), build_sec_desc(), and the chown path in<br /> id_mode_to_cifs_acl() all add the server-supplied dacloffset to pntsd<br /> before proving a DACL header fits inside the returned security<br /> descriptor.<br /> <br /> On 32-bit builds a malicious server can return dacloffset near<br /> U32_MAX, wrap the derived DACL pointer below end_of_acl, and then slip<br /> past the later pointer-based bounds checks. build_sec_desc() and<br /> id_mode_to_cifs_acl() can then dereference DACL fields from the wrapped<br /> pointer in the chmod/chown rewrite paths.<br /> <br /> Validate dacloffset numerically before building any DACL pointer and<br /> reuse the same helper at the three DACL entry points.