CVE-2026-46139

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> smb: client: use kzalloc to zero-initialize security descriptor buffer<br /> <br /> Commit 62e7dd0a39c2d ("smb: common: change the data type of num_aces<br /> to le16") split struct smb_acl&amp;#39;s __le32 num_aces field into __le16<br /> num_aces and __le16 reserved. The reserved field corresponds to Sbz2<br /> in the MS-DTYP ACL wire format, which must be zero [1].<br /> <br /> When building an ACL descriptor in build_sec_desc(), we are using a<br /> kmalloc()&amp;#39;ed descriptor buffer and writing the fields explicitly using<br /> le16() writes now. This never writes to the 2 byte reserved field,<br /> leaving it as uninitialized heap data.<br /> <br /> When the reserved field happens to contain non-zero slab garbage,<br /> Samba rejects the security descriptor with "ndr_pull_security_descriptor<br /> failed: Range Error", causing chmod to fail with EINVAL.<br /> <br /> Change kmalloc() to kzalloc() to ensure the entire buffer is<br /> zero-initialized.<br /> <br /> <br /> [1] https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/20233ed8-a6c6-4097-aafa-dd545ed24428