MEDIUM 5.5

CVE-2026-46139

A flaw in the Linux kernel's SMB client code leaves a security descriptor buffer partially uninitialized when building access control lists. Specifically, a 2-byte reserved field in the ACL structure—which must be zero according to the SMB protocol specification—is left containing whatever garbage data happened to be in that heap memory. When Samba or other SMB servers validate the descriptor, they reject it if those bytes are non-zero, causing file permission operations like chmod to fail with an invalid argument error. The fix is straightforward: replace the memory allocation function with one that zeroes the buffer before use.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.5 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Weaknesses (CWE)
CWE-908
Affected products
6 configuration(s)
Published / Modified
2026-05-28 / 2026-06-24

NVD description (verbatim)

In the Linux kernel, the following vulnerability has been resolved: smb: client: use kzalloc to zero-initialize security descriptor buffer Commit 62e7dd0a39c2d ("smb: common: change the data type of num_aces to le16") split struct smb_acl's __le32 num_aces field into __le16 num_aces and __le16 reserved. The reserved field corresponds to Sbz2 in the MS-DTYP ACL wire format, which must be zero [1]. When building an ACL descriptor in build_sec_desc(), we are using a kmalloc()'ed descriptor buffer and writing the fields explicitly using le16() writes now. This never writes to the 2 byte reserved field, leaving it as uninitialized heap data. When the reserved field happens to contain non-zero slab garbage, Samba rejects the security descriptor with "ndr_pull_security_descriptor failed: Range Error", causing chmod to fail with EINVAL. Change kmalloc() to kzalloc() to ensure the entire buffer is zero-initialized. [1] https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/20233ed8-a6c6-4097-aafa-dd545ed24428

5 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-46139 stems from a memory initialization gap introduced by commit 62e7dd0a39c2d, which restructured the smb_acl struct's num_aces field from a single 32-bit little-endian integer into two 16-bit fields: num_aces (__le16) and reserved (__le16). The reserved field corresponds to the Sbz2 (SHOULD be zero) field in MS-DTYP ACL wire format. The build_sec_desc() function allocates a descriptor buffer using kmalloc() and explicitly writes le16 values for individual fields, but never explicitly zeroes the reserved field. Because kmalloc() returns uninitialized heap memory, the reserved bytes retain whatever data was previously on the heap. SMB protocol implementations validate that Sbz2 equals zero; when it does not, validation fails with a range error. The kernel's SMB client then propagates this as EINVAL to user space, causing chmod and similar operations to fail. Replacing kmalloc() with kzalloc() ensures the entire buffer is zero-initialized on allocation, satisfying the protocol requirement.

Business impact

Systems using Linux SMB client functionality—particularly in multi-user or NAS environments relying on SMB/CIFS shares for permission management—may experience intermittent failures when attempting to modify file or directory permissions. Users encounter seemingly random EINVAL errors during chmod operations, eroding operational predictability and creating support overhead. The non-deterministic nature (depends on heap state) makes troubleshooting difficult. While availability impact is localized to permission management operations rather than data loss or confidentiality breach, the unpredictable failures can disrupt workflows in file-sharing and collaborative environments.

Affected systems

The vulnerability affects the Linux kernel across all active versions that include the affected SMB client code. The vulnerability was introduced by commit 62e7dd0a39c2d and persists until patched. Affected systems include any Linux distribution that uses the kernel's native SMB client (as opposed to userspace Samba), particularly in network-attached storage deployments, containerized environments with SMB mounts, and hybrid enterprises with Linux-to-Windows file sharing. Kernel versions prior to the fix are at risk; consult your distribution's advisory for specific version ranges.

Exploitability

This is not an exploitable vulnerability in the traditional sense. There is no remote attack vector, no privilege escalation path, and no mechanism for an attacker to trigger the flaw remotely. The vulnerability manifests as a local availability issue triggered naturally during normal file permission operations. Exploitation requires no special skills or tools—it occurs probabilistically when heap memory happens to contain non-zero garbage in the reserved field. No public exploit code exists, and the KEV catalog does not list it as actively exploited. The low exploitability reflects the benign attack surface: this is a data validation bug, not a memory corruption or unauthorized access flaw.

Remediation

Apply the kernel patch that changes kmalloc() to kzalloc() in the build_sec_desc() function. This one-line change ensures the security descriptor buffer is zero-initialized at allocation, guaranteeing the reserved field meets the SMB protocol requirement. Verify the patch against your kernel version and distribution advisory. No workarounds exist beyond patching; permission operations will continue to fail intermittently until the kernel is updated. Systems should prioritize updating to a kernel version that includes this fix.

Patch guidance

Obtain the patch from your Linux distribution's security advisory or upstream kernel tree. The fix involves replacing the kmalloc() call in the SMB client code with kzalloc(). Distributions have likely backported this fix into currently supported kernel versions. Check your vendor's security bulletin for the patched kernel version for your distribution and release. After applying the patch, rebuild or update the kernel and reboot. No configuration changes or manual steps are required beyond updating to the patched kernel version.

Detection guidance

Monitor system logs for repeated EINVAL errors during chmod or setfacl operations on SMB-mounted filesystems. Look for patterns where permission modifications fail sporadically but subsequent retries may succeed (indicating heap-state dependency). Enable SMB client debugging if your system supports it to capture protocol-level validation failures. Network-based detection is difficult because the failure occurs in kernel memory allocation, not on the wire; focus on endpoint logging. After patching, the absence of these errors confirms remediation.

Why prioritize this

Prioritize patching based on operational impact rather than severity score. Systems heavily dependent on SMB file sharing and permission management—NAS appliances, enterprise file servers, containerized deployments—should patch promptly to eliminate intermittent chmod failures. The CVSS 5.5 MEDIUM score reflects availability impact only; the actual user-facing disruption may warrant higher internal priority if file-sharing reliability is critical to your operations. Non-exploitability and lack of active attacks mean this is not an emergency patch, but it should be included in the next standard kernel maintenance window.

Risk score, explained

The CVSS 3.1 score of 5.5 (MEDIUM) reflects: Attack Vector Local (system access required), Attack Complexity Low (no special conditions), Privileges Required (user-level SMB access), no User Interaction needed, unchanged Scope, no Confidentiality or Integrity impact, and high Availability impact (permission operations fail). The score captures the operational disruption caused by intermittent failures but does not reflect exploitability—this is a reliability bug, not a security vulnerability in the traditional threat model. The score appropriately downgrades the perceived urgency compared to remotely exploitable flaws, though operational teams may weight the disruption more heavily.

Frequently asked questions

Will this vulnerability allow an attacker to gain unauthorized access to files?

No. This is not a privilege escalation or unauthorized access vulnerability. It only causes legitimate chmod and ACL modification operations to fail intermittently. An attacker cannot use this flaw to read, write, or modify files they should not have access to.

Why does the failure happen only sometimes, not every time?

The reserved field is left with whatever heap garbage was there before allocation. Whether that garbage is zero or non-zero depends on what other kernel code previously used that memory. This randomness causes intermittent failures—sometimes the heap happens to contain zeros, sometimes not.

Is there any workaround without patching the kernel?

No practical workaround exists. You can retry failed chmod operations (which may succeed if heap state changes), but this is unreliable. The only fix is to patch and update the kernel to a version that includes the kzalloc() change.

Do I need to do anything special after updating the kernel?

No. After installing a patched kernel and rebooting, the fix is active automatically. No configuration changes, driver updates, or user-level actions are required. Permission operations should work reliably without intermittent EINVAL errors.

This analysis is based on published CVE data and the vulnerability description. Specific patch availability, affected kernel versions, and timelines vary by Linux distribution and vendor. Consult your distribution's official security advisory for exact patched versions and update procedures. This vulnerability is not currently listed in the CISA KEV catalog and has no known public exploits. The risk score and prioritization guidance are general; adjust according to your organization's reliance on SMB file sharing and internal patch management policies. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).

Affected vendors

Weaknesses (CWE)

Related vulnerabilities