{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-46185","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2026-05-13T15:03:33.103Z","datePublished":"2026-05-28T09:36:39.318Z","dateUpdated":"2026-06-14T18:01:04.745Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-06-14T18:01:04.745Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nsmb/client: fix out-of-bounds read in symlink_data()\n\nSince smb2_check_message() returns success without length validation for\nthe symlink error response, in symlink_data() it is possible for\niov->iov_len to be smaller than sizeof(struct smb2_err_rsp). If the buffer\nonly contains the base SMB2 header (64 bytes), accessing\nerr->ErrorContextCount (at offset 66) or err->ByteCount later in\nsymlink_data() will cause an out-of-bounds read."}],"metrics":[{"cvssV3_1":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H","baseScore":9.1,"baseSeverity":"CRITICAL"}}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/smb/client/smb2misc.c"],"versions":[{"version":"76894f3e2f71177747b8b4763fb180e800279585","lessThan":"2be11faf79e49fb8250a181ff0b4d2b2f084af83","status":"affected","versionType":"git"},{"version":"76894f3e2f71177747b8b4763fb180e800279585","lessThan":"ef6495d4df6e7af8f3de67e65150881c880f696c","status":"affected","versionType":"git"},{"version":"76894f3e2f71177747b8b4763fb180e800279585","lessThan":"15dc0a4de743a1aaa7b859b3aea79f08c695396c","status":"affected","versionType":"git"},{"version":"76894f3e2f71177747b8b4763fb180e800279585","lessThan":"b8c8a704f0bc133deb171f6aeb6f3a684203e212","status":"affected","versionType":"git"},{"version":"76894f3e2f71177747b8b4763fb180e800279585","lessThan":"b9561402489d41149f63e001a74384863b7b30a6","status":"affected","versionType":"git"},{"version":"76894f3e2f71177747b8b4763fb180e800279585","lessThan":"d62b8d236fab503c6fec1d3e9a38bea71feaca20","status":"affected","versionType":"git"},{"version":"2d046892a493d9760c35fdaefc3017f27f91b621","status":"affected","versionType":"git"},{"version":"6.0.16","lessThan":"6.1","status":"affected","versionType":"semver"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/smb/client/smb2misc.c"],"versions":[{"version":"6.1","status":"affected"},{"version":"0","lessThan":"6.1","status":"unaffected","versionType":"semver"},{"version":"6.1.175","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.140","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.88","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.18.30","lessThanOrEqual":"6.18.*","status":"unaffected","versionType":"semver"},{"version":"7.0.7","lessThanOrEqual":"7.0.*","status":"unaffected","versionType":"semver"},{"version":"7.1","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.1","versionEndExcluding":"6.1.175"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.1","versionEndExcluding":"6.6.140"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.1","versionEndExcluding":"6.12.88"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.1","versionEndExcluding":"6.18.30"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.1","versionEndExcluding":"7.0.7"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.1","versionEndExcluding":"7.1"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.0.16"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/2be11faf79e49fb8250a181ff0b4d2b2f084af83"},{"url":"https://git.kernel.org/stable/c/ef6495d4df6e7af8f3de67e65150881c880f696c"},{"url":"https://git.kernel.org/stable/c/15dc0a4de743a1aaa7b859b3aea79f08c695396c"},{"url":"https://git.kernel.org/stable/c/b8c8a704f0bc133deb171f6aeb6f3a684203e212"},{"url":"https://git.kernel.org/stable/c/b9561402489d41149f63e001a74384863b7b30a6"},{"url":"https://git.kernel.org/stable/c/d62b8d236fab503c6fec1d3e9a38bea71feaca20"}],"title":"smb/client: fix out-of-bounds read in symlink_data()","x_generator":{"engine":"bippy-1.2.0"}}}}