VYPR
Unrated severity · NVD Advisory · Published May 28, 2026

CVE-2026-46139

Description

In the Linux kernel, the following vulnerability has been resolved:

smb: client: use kzalloc to zero-initialize security descriptor buffer

Commit 62e7dd0a39c2d ("smb: common: change the data type of num_aces to le16") split struct smb_acl's __le32 num_aces field into __le16 num_aces and __le16 reserved. The reserved field corresponds to Sbz2 in the MS-DTYP ACL wire format, which must be zero [1].

When building an ACL descriptor in build_sec_desc(), we are using a kmalloc()'ed descriptor buffer and writing the fields explicitly using le16() writes now. This never writes to the 2 byte reserved field, leaving it as uninitialized heap data.

When the reserved field happens to contain non-zero slab garbage, Samba rejects the security descriptor with "ndr_pull_security_descriptor failed: Range Error", causing chmod to fail with EINVAL.

Change kmalloc() to kzalloc() to ensure the entire buffer is zero-initialized.

[1] https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/20233ed8-a6c6-4097-aafa-dd545ed24428

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Non-zero kernel heap data left in a reserved ACL field causes Samba to reject security descriptors, breaking chmod on SMB mounts. The fix uses kzalloc to zero the buffer.

Vulnerability

In the Linux kernel's SMB client, build_sec_desc() in smb/client uses kmalloc() to allocate a security descriptor buffer. The struct smb_acl contains a 2-byte reserved field (Sbz2) that must be zero per the MS-DTYP specification, but the code never explicitly zeros it after allocation. When the heap chunk contains non-zero garbage, Samba rejects the descriptor with a range error, causing chmod to fail with EINVAL. The vulnerability affects kernels containing commit 62e7dd0a39c2d (which split num_aces into __le16 num_aces and __le16 reserved) and was fixed in commit be1ef9512a3f.

Exploitation

An attacker needs no special privileges; the bug is triggered during normal file permission changes on an SMB share. When a user runs chmod on a file or directory mounted via SMB, the kernel builds a security descriptor in the heap. If the reserved 2-byte field in the ACL structure happens to be non-zero (a normal heap behavior), Samba's ndr_pull_security_descriptor fails, returning EINVAL to the user. No authentication bypass or remote access is required beyond the ability to issue chmod on a client that mounts the share.

Impact

A local user can cause a denial of service (chmod failure) on SMB-mounted filesystems. The operation fails silently from the user's perspective — permission changes are not applied. The bug does not lead to privilege escalation, information disclosure, or remote code execution; the impact is limited to availability of file permission management on SMB shares. The attacker gains the ability to disrupt legitimate permission changes, potentially affecting system administration or automated workflows.

Mitigation

The fix was applied in Linux kernel commit be1ef9512a3f ("smb: client: use kzalloc to zero-initialize security descriptor buffer"), which replaces kmalloc() with kzalloc() to guarantee zero-initialization. Users should update to a kernel containing this commit. The vulnerable versions are those with commit 62e7dd0a39c2d introduced and before the fix. No workaround other than patching is documented; the vulnerability is not listed in CISA's KEV as of publication. If patching is not immediately possible, administrators may need to avoid chmod on SMB mounts or temporarily use alternative file transfer methods.

AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches (10 entries listed; 5 distinct commits)

be1ef9512a3f

smb: client: use kzalloc to zero-initialize security descriptor buffer

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · Bjoern Doebel · Apr 30, 2026 · Fixed in 6.18.30 · via kernel-cna
1 file changed · +1 −1
  • fs/smb/client/cifsacl.c · +1 −1 · modified
    diff --git a/fs/smb/client/cifsacl.c b/fs/smb/client/cifsacl.c
    index 1d9e2e742ed716..5b43d5ddfd94ad 100644
    --- a/fs/smb/client/cifsacl.c
    +++ b/fs/smb/client/cifsacl.c
    @@ -1685,7 +1685,7 @@ id_mode_to_cifs_acl(struct inode *inode, const char *path, __u64 *pnmode,
     	 * descriptor parameters, and security descriptor itself
     	 */
     	nsecdesclen = max_t(u32, nsecdesclen, DEFAULT_SEC_DESC_LEN);
    -	pnntsd = kmalloc(nsecdesclen, GFP_KERNEL);
    +	pnntsd = kzalloc(nsecdesclen, GFP_KERNEL);
     	if (!pnntsd) {
     		kfree(pntsd);
     		cifs_put_tlink(tlink);
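Review bot: the one-line swap to `pnntsd = kzalloc(nsecdesclen, GFP_KERNEL);` zeroes the reserved (Sbz2) field at the allocation site only, while build_sec_desc() still never writes that field of struct smb_acl; an explicit zero store next to the other le16 field writes would keep the wire format correct even if this buffer is ever allocated or reused differently, and the commit message could state why allocation-site zeroing was preferred. Zeroing the whole nsecdesclen (at least DEFAULT_SEC_DESC_LEN, per the line above the change) also means no other unwritten byte of a buffer that is sent to the server can carry stale heap contents, which is worth recording as a second reason for the change. The error path (`kfree(pntsd); cifs_put_tlink(tlink);`) needs no adjustment for kzalloc().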
    
5e489c6c47a2

smb: client: use kzalloc to zero-initialize security descriptor buffer

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · Bjoern Doebel · Apr 30, 2026 · Fixed in 7.1-rc3 · via kernel-cna
1 file changed · +1 −1
  • fs/smb/client/cifsacl.c · +1 −1 · modified
    diff --git a/fs/smb/client/cifsacl.c b/fs/smb/client/cifsacl.c
    index ec5d477793040c..a2750f1e3d90bd 100644
    --- a/fs/smb/client/cifsacl.c
    +++ b/fs/smb/client/cifsacl.c
    @@ -1732,7 +1732,7 @@ id_mode_to_cifs_acl(struct inode *inode, const char *path, __u64 *pnmode,
     	 * descriptor parameters, and security descriptor itself
     	 */
     	nsecdesclen = max_t(u32, nsecdesclen, DEFAULT_SEC_DESC_LEN);
    -	pnntsd = kmalloc(nsecdesclen, GFP_KERNEL);
    +	pnntsd = kzalloc(nsecdesclen, GFP_KERNEL);
     	if (!pnntsd) {
     		kfree(pntsd);
     		cifs_put_tlink(tlink);
    
4c3ed344a970

smb: client: use kzalloc to zero-initialize security descriptor buffer

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · Bjoern Doebel · Apr 30, 2026 · Fixed in 6.6.140 · via kernel-cna
1 file changed · +1 −1
  • fs/smb/client/cifsacl.c · +1 −1 · modified
    diff --git a/fs/smb/client/cifsacl.c b/fs/smb/client/cifsacl.c
    index 84a2816f9e34df..2422ac371262b3 100644
    --- a/fs/smb/client/cifsacl.c
    +++ b/fs/smb/client/cifsacl.c
    @@ -1766,7 +1766,7 @@ id_mode_to_cifs_acl(struct inode *inode, const char *path, __u64 *pnmode,
     	 * descriptor parameters, and security descriptor itself
     	 */
     	nsecdesclen = max_t(u32, nsecdesclen, DEFAULT_SEC_DESC_LEN);
    -	pnntsd = kmalloc(nsecdesclen, GFP_KERNEL);
    +	pnntsd = kzalloc(nsecdesclen, GFP_KERNEL);
     	if (!pnntsd) {
     		kfree(pntsd);
     		cifs_put_tlink(tlink);
    
9bdb2ca31368

smb: client: use kzalloc to zero-initialize security descriptor buffer

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · Bjoern Doebel · Apr 30, 2026 · Fixed in 7.0.7 · via kernel-cna
1 file changed · +1 −1
  • fs/smb/client/cifsacl.c · +1 −1 · modified
    diff --git a/fs/smb/client/cifsacl.c b/fs/smb/client/cifsacl.c
    index 4ec204d2c7742b..62fccba6fede72 100644
    --- a/fs/smb/client/cifsacl.c
    +++ b/fs/smb/client/cifsacl.c
    @@ -1732,7 +1732,7 @@ id_mode_to_cifs_acl(struct inode *inode, const char *path, __u64 *pnmode,
     	 * descriptor parameters, and security descriptor itself
     	 */
     	nsecdesclen = max_t(u32, nsecdesclen, DEFAULT_SEC_DESC_LEN);
    -	pnntsd = kmalloc(nsecdesclen, GFP_KERNEL);
    +	pnntsd = kzalloc(nsecdesclen, GFP_KERNEL);
     	if (!pnntsd) {
     		kfree(pntsd);
     		cifs_put_tlink(tlink);
    
941a1e6eb354

smb: client: use kzalloc to zero-initialize security descriptor buffer

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · Bjoern Doebel · Apr 30, 2026 · Fixed in 6.12.88 · via kernel-cna
1 file changed · +1 −1
  • fs/smb/client/cifsacl.c · +1 −1 · modified
    diff --git a/fs/smb/client/cifsacl.c b/fs/smb/client/cifsacl.c
    index 871fba0762eeb8..1026cbcf1d4fcd 100644
    --- a/fs/smb/client/cifsacl.c
    +++ b/fs/smb/client/cifsacl.c
    @@ -1738,7 +1738,7 @@ id_mode_to_cifs_acl(struct inode *inode, const char *path, __u64 *pnmode,
     	 * descriptor parameters, and security descriptor itself
     	 */
     	nsecdesclen = max_t(u32, nsecdesclen, DEFAULT_SEC_DESC_LEN);
    -	pnntsd = kmalloc(nsecdesclen, GFP_KERNEL);
    +	pnntsd = kzalloc(nsecdesclen, GFP_KERNEL);
     	if (!pnntsd) {
     		kfree(pntsd);
     		cifs_put_tlink(tlink);

Vulnerability mechanics

Root cause

"Missing zero-initialization of a kmalloc()'ed security descriptor buffer leaves a required-zero reserved field as uninitialized heap data."

Attack vector

An attacker on the SMB server side (e.g., a Samba server) can trigger this bug when the client performs a `chmod` operation. The client builds an ACL security descriptor in `build_sec_desc()` using a `kmalloc()`'ed buffer and writes fields with explicit `le16()` writes, but never writes to the 2-byte `reserved` field. If that field contains non-zero slab garbage, the Samba server rejects the descriptor with "ndr_pull_security_descriptor failed: Range Error", causing `chmod` to fail with `EINVAL` [patch_id=2898365]. No authentication bypass or privilege escalation is involved; the impact is a denial of service on file permission changes.

Affected code

The bug is in `fs/smb/client/cifsacl.c` in the function `id_mode_to_cifs_acl()`. The security descriptor buffer `pnntsd` is allocated via `kmalloc()` without zero-initialization, leaving the 2-byte `reserved` field of `struct smb_acl` as uninitialized heap data [patch_id=2898365].

What the fix does

The patch changes `kmalloc(nsecdesclen, GFP_KERNEL)` to `kzalloc(nsecdesclen, GFP_KERNEL)` in `id_mode_to_cifs_acl()` [patch_id=2898365]. This ensures the entire security descriptor buffer is zero-initialized, so the 2-byte `reserved` field (which corresponds to Sbz2 in the MS-DTYP ACL wire format and must be zero) is always set to zero rather than containing uninitialized heap garbage. The fix is minimal and targeted — only the allocation call is changed, with no other logic modifications.
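To make the wire-format failure concrete, here is an added user-space model (not kernel code and not part of the patch) of the MS-DTYP ACL header: a builder that, like the unfixed build_sec_desc(), never writes the reserved Sbz2 field, and a strict receiver-side parser in the spirit of Samba's NDR pull that rejects a nonzero value. The struct and helper names and the fill bytes standing in for allocator contents are constructed for this example.

```c
#include <stdint.h>
#include <string.h>

/* MS-DTYP ACL header, 8 bytes little-endian on the wire (names are ours). */
struct acl_hdr {
    uint8_t  revision;  /* AclRevision */
    uint8_t  sbz1;      /* must be zero */
    uint16_t size;      /* AclSize */
    uint16_t ace_count; /* AceCount: kernel's smb_acl.num_aces (le16) */
    uint16_t sbz2;      /* must be zero: kernel's smb_acl.reserved (le16) */
};

static void put_le16(uint8_t *p, uint16_t v) { p[0] = v & 0xff; p[1] = v >> 8; }
static uint16_t get_le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Mirrors the kernel's build_sec_desc() pattern: every field is written
 * explicitly except the reserved one, so bytes 6..7 keep prior contents. */
static void build_acl(uint8_t *buf, uint16_t size, uint16_t ace_count)
{
    buf[0] = 2; /* ACL_REVISION */
    buf[1] = 0; /* Sbz1 */
    put_le16(buf + 2, size);
    put_le16(buf + 4, ace_count);
    /* Sbz2 deliberately not written, as in the unfixed kernel. */
}

/* Strict receiver-side check in the spirit of Samba's NDR pull: a nonzero
 * Sbz1 or Sbz2 is a range error. Returns 0 on success, -1 on rejection. */
static int parse_acl(const uint8_t *buf, size_t len, struct acl_hdr *out)
{
    if (len < 8) return -1;
    out->revision = buf[0];
    out->sbz1 = buf[1];
    out->size = get_le16(buf + 2);
    out->ace_count = get_le16(buf + 4);
    out->sbz2 = get_le16(buf + 6);
    if (out->sbz1 != 0 || out->sbz2 != 0) return -1;
    return (out->size >= 8 && out->size <= len) ? 0 : -1;
}

/* Fills a buffer with 'fill' to stand in for a fresh allocation (stale bytes
 * for kmalloc(), 0x00 for kzalloc()), builds into it, returns the verdict. */
static int acl_round_trip(uint8_t fill)
{
    uint8_t buf[16];
    struct acl_hdr hdr;
    memset(buf, fill, sizeof buf); /* constructed allocator contents */
    build_acl(buf, 8, 0);
    return parse_acl(buf, sizeof buf, &hdr);
}
```

With a zero-filled buffer the header is accepted; with any stale byte pattern the untouched Sbz2 bytes trip the range check, which is exactly the EINVAL path the advisory describes.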

Preconditions

  • config: The SMB server (e.g., Samba) must enforce strict parsing of the reserved field in the ACL wire format, rejecting non-zero values.
  • input: The client must be running a kernel version that includes commit 62e7dd0a39c2d (which split the num_aces field) but not this fix.
  • network: The attacker must control or influence the SMB server to which the client connects.

Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
