CVE-2026-46185
Description
In the Linux kernel, the following vulnerability has been resolved:
smb/client: fix out-of-bounds read in symlink_data()
Since smb2_check_message() returns success without length validation for the symlink error response, in symlink_data() it is possible for iov->iov_len to be smaller than sizeof(struct smb2_err_rsp). If the buffer only contains the base SMB2 header (64 bytes), accessing err->ErrorContextCount (at offset 66) or err->ByteCount later in symlink_data() will cause an out-of-bounds read.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Out-of-bounds read in Linux kernel's symlink_data() due to missing length check in smb2_check_message() for symlink error responses.
Vulnerability
An out-of-bounds read vulnerability exists in the Linux kernel's SMB client, specifically in the symlink_data() function. The issue arises because smb2_check_message() returns success for symlink error responses without validating that the message length is sufficient. In symlink_data(), if the I/O vector length (iov->iov_len) is smaller than sizeof(struct smb2_err_rsp) — for example, when the buffer contains only the base SMB2 header (64 bytes) — accessing fields like err->ErrorContextCount or err->ByteCount triggers an out-of-bounds read. This affects versions prior to the fix commit [1].
Exploitation
An attacker needs network access to send a crafted SMB2 symlink error response to the target system. No authentication is required beyond being able to communicate with the SMB server. The attacker constructs a response message that is truncated such that the base SMB2 header is present but the smb2_err_rsp structure fields are beyond the actual buffer length. When the kernel processes this response in symlink_data(), it reads memory past the buffer boundary.
Impact
Successful exploitation leads to an out-of-bounds read, potentially leaking sensitive kernel memory to the attacker. This could include cryptographic keys, process credentials, or other confidential data. The read occurs in kernel context, so the attacker may obtain information that aids in further kernel exploits. The vulnerability does not directly allow code execution or privilege escalation, but it compromises confidentiality.
Mitigation
The fix was committed to the Linux kernel stable tree [1]. Affected systems should update to a version containing commit b8c8a704f0bc133deb171f6aeb6f3a684203e212 or later. No workaround is available; applying the kernel patch is the recommended mitigation. The CVE is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog as of publication.
AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2Patches
10b8c8a704f0bcsmb/client: fix out-of-bounds read in symlink_data()
2 files changed · +4 −4
fs/smb/client/smb2misc.c+2 −2 modifieddiff --git a/fs/smb/client/smb2misc.c b/fs/smb/client/smb2misc.c index a6fc8ff398ebfa..0b37bc2a7f1c3f 100644 --- a/fs/smb/client/smb2misc.c +++ b/fs/smb/client/smb2misc.c @@ -240,7 +240,8 @@ smb2_check_message(char *buf, unsigned int len, struct TCP_Server_Info *server) if (len != calc_len) { /* create failed on symlink */ if (command == SMB2_CREATE_HE && - shdr->Status == STATUS_STOPPED_ON_SYMLINK) + shdr->Status == STATUS_STOPPED_ON_SYMLINK && + len > calc_len) return 0; /* Windows 7 server returns 24 bytes more */ if (calc_len + 24 == len && command == SMB2_OPLOCK_BREAK_HE) -- cgit 1.3-korg
fs/smb/client/smb2misc.c+2 −2 modifieddiff --git a/fs/smb/client/smb2misc.c b/fs/smb/client/smb2misc.c index a6fc8ff398ebfa..0b37bc2a7f1c3f 100644 --- a/fs/smb/client/smb2misc.c +++ b/fs/smb/client/smb2misc.c @@ -240,7 +240,8 @@ smb2_check_message(char *buf, unsigned int len, struct TCP_Server_Info *server) if (len != calc_len) { /* create failed on symlink */ if (command == SMB2_CREATE_HE && - shdr->Status == STATUS_STOPPED_ON_SYMLINK) + shdr->Status == STATUS_STOPPED_ON_SYMLINK && + len > calc_len) return 0; /* Windows 7 server returns 24 bytes more */ if (calc_len + 24 == len && command == SMB2_OPLOCK_BREAK_HE) -- cgit 1.3-korg
15dc0a4de743smb/client: fix out-of-bounds read in symlink_data()
2 files changed · +4 −4
fs/smb/client/smb2misc.c+2 −2 modifieddiff --git a/fs/smb/client/smb2misc.c b/fs/smb/client/smb2misc.c index 5a820176b6f045..7e69dd227e8770 100644 --- a/fs/smb/client/smb2misc.c +++ b/fs/smb/client/smb2misc.c @@ -239,7 +239,8 @@ smb2_check_message(char *buf, unsigned int len, struct TCP_Server_Info *server) if (len != calc_len) { /* create failed on symlink */ if (command == SMB2_CREATE_HE && - shdr->Status == STATUS_STOPPED_ON_SYMLINK) + shdr->Status == STATUS_STOPPED_ON_SYMLINK && + len > calc_len) return 0; /* Windows 7 server returns 24 bytes more */ if (calc_len + 24 == len && command == SMB2_OPLOCK_BREAK_HE) -- cgit 1.3-korg
fs/smb/client/smb2misc.c+2 −2 modifieddiff --git a/fs/smb/client/smb2misc.c b/fs/smb/client/smb2misc.c index 5a820176b6f045..7e69dd227e8770 100644 --- a/fs/smb/client/smb2misc.c +++ b/fs/smb/client/smb2misc.c @@ -239,7 +239,8 @@ smb2_check_message(char *buf, unsigned int len, struct TCP_Server_Info *server) if (len != calc_len) { /* create failed on symlink */ if (command == SMB2_CREATE_HE && - shdr->Status == STATUS_STOPPED_ON_SYMLINK) + shdr->Status == STATUS_STOPPED_ON_SYMLINK && + len > calc_len) return 0; /* Windows 7 server returns 24 bytes more */ if (calc_len + 24 == len && command == SMB2_OPLOCK_BREAK_HE) -- cgit 1.3-korg
ef6495d4df6esmb/client: fix out-of-bounds read in symlink_data()
2 files changed · +4 −4
fs/smb/client/smb2misc.c+2 −2 modifieddiff --git a/fs/smb/client/smb2misc.c b/fs/smb/client/smb2misc.c index 70a9536b03c637..dc0a441371bea0 100644 --- a/fs/smb/client/smb2misc.c +++ b/fs/smb/client/smb2misc.c @@ -239,7 +239,8 @@ smb2_check_message(char *buf, unsigned int len, struct TCP_Server_Info *server) if (len != calc_len) { /* create failed on symlink */ if (command == SMB2_CREATE_HE && - shdr->Status == STATUS_STOPPED_ON_SYMLINK) + shdr->Status == STATUS_STOPPED_ON_SYMLINK && + len > calc_len) return 0; /* Windows 7 server returns 24 bytes more */ if (calc_len + 24 == len && command == SMB2_OPLOCK_BREAK_HE) -- cgit 1.3-korg
fs/smb/client/smb2misc.c+2 −2 modifieddiff --git a/fs/smb/client/smb2misc.c b/fs/smb/client/smb2misc.c index 70a9536b03c637..dc0a441371bea0 100644 --- a/fs/smb/client/smb2misc.c +++ b/fs/smb/client/smb2misc.c @@ -239,7 +239,8 @@ smb2_check_message(char *buf, unsigned int len, struct TCP_Server_Info *server) if (len != calc_len) { /* create failed on symlink */ if (command == SMB2_CREATE_HE && - shdr->Status == STATUS_STOPPED_ON_SYMLINK) + shdr->Status == STATUS_STOPPED_ON_SYMLINK && + len > calc_len) return 0; /* Windows 7 server returns 24 bytes more */ if (calc_len + 24 == len && command == SMB2_OPLOCK_BREAK_HE) -- cgit 1.3-korg
b9561402489dsmb/client: fix out-of-bounds read in symlink_data()
2 files changed · +4 −4
fs/smb/client/smb2misc.c+2 −2 modifieddiff --git a/fs/smb/client/smb2misc.c b/fs/smb/client/smb2misc.c index 973fce3c959c4b..2a7355ce1a0783 100644 --- a/fs/smb/client/smb2misc.c +++ b/fs/smb/client/smb2misc.c @@ -241,7 +241,8 @@ smb2_check_message(char *buf, unsigned int pdu_len, unsigned int len, if (len != calc_len) { /* create failed on symlink */ if (command == SMB2_CREATE_HE && - shdr->Status == STATUS_STOPPED_ON_SYMLINK) + shdr->Status == STATUS_STOPPED_ON_SYMLINK && + len > calc_len) return 0; /* Windows 7 server returns 24 bytes more */ if (calc_len + 24 == len && command == SMB2_OPLOCK_BREAK_HE) -- cgit 1.3-korg
fs/smb/client/smb2misc.c+2 −2 modifieddiff --git a/fs/smb/client/smb2misc.c b/fs/smb/client/smb2misc.c index 973fce3c959c4b..2a7355ce1a0783 100644 --- a/fs/smb/client/smb2misc.c +++ b/fs/smb/client/smb2misc.c @@ -241,7 +241,8 @@ smb2_check_message(char *buf, unsigned int pdu_len, unsigned int len, if (len != calc_len) { /* create failed on symlink */ if (command == SMB2_CREATE_HE && - shdr->Status == STATUS_STOPPED_ON_SYMLINK) + shdr->Status == STATUS_STOPPED_ON_SYMLINK && + len > calc_len) return 0; /* Windows 7 server returns 24 bytes more */ if (calc_len + 24 == len && command == SMB2_OPLOCK_BREAK_HE) -- cgit 1.3-korg
d62b8d236fabsmb/client: fix out-of-bounds read in symlink_data()
2 files changed · +4 −4
fs/smb/client/smb2misc.c+2 −2 modifieddiff --git a/fs/smb/client/smb2misc.c b/fs/smb/client/smb2misc.c index 973fce3c959c4b..2a7355ce1a0783 100644 --- a/fs/smb/client/smb2misc.c +++ b/fs/smb/client/smb2misc.c @@ -241,7 +241,8 @@ smb2_check_message(char *buf, unsigned int pdu_len, unsigned int len, if (len != calc_len) { /* create failed on symlink */ if (command == SMB2_CREATE_HE && - shdr->Status == STATUS_STOPPED_ON_SYMLINK) + shdr->Status == STATUS_STOPPED_ON_SYMLINK && + len > calc_len) return 0; /* Windows 7 server returns 24 bytes more */ if (calc_len + 24 == len && command == SMB2_OPLOCK_BREAK_HE) -- cgit 1.3-korg
fs/smb/client/smb2misc.c+2 −2 modifieddiff --git a/fs/smb/client/smb2misc.c b/fs/smb/client/smb2misc.c index 973fce3c959c4b..2a7355ce1a0783 100644 --- a/fs/smb/client/smb2misc.c +++ b/fs/smb/client/smb2misc.c @@ -241,7 +241,8 @@ smb2_check_message(char *buf, unsigned int pdu_len, unsigned int len, if (len != calc_len) { /* create failed on symlink */ if (command == SMB2_CREATE_HE && - shdr->Status == STATUS_STOPPED_ON_SYMLINK) + shdr->Status == STATUS_STOPPED_ON_SYMLINK && + len > calc_len) return 0; /* Windows 7 server returns 24 bytes more */ if (calc_len + 24 == len && command == SMB2_OPLOCK_BREAK_HE) -- cgit 1.3-korg
b9561402489dsmb/client: fix out-of-bounds read in symlink_data()
2 files changed · +4 −4
fs/smb/client/smb2misc.c+2 −2 modifieddiff --git a/fs/smb/client/smb2misc.c b/fs/smb/client/smb2misc.c index 973fce3c959c4b..2a7355ce1a0783 100644 --- a/fs/smb/client/smb2misc.c +++ b/fs/smb/client/smb2misc.c @@ -241,7 +241,8 @@ smb2_check_message(char *buf, unsigned int pdu_len, unsigned int len, if (len != calc_len) { /* create failed on symlink */ if (command == SMB2_CREATE_HE && - shdr->Status == STATUS_STOPPED_ON_SYMLINK) + shdr->Status == STATUS_STOPPED_ON_SYMLINK && + len > calc_len) return 0; /* Windows 7 server returns 24 bytes more */ if (calc_len + 24 == len && command == SMB2_OPLOCK_BREAK_HE) -- cgit 1.3-korg
fs/smb/client/smb2misc.c+2 −2 modifieddiff --git a/fs/smb/client/smb2misc.c b/fs/smb/client/smb2misc.c index 973fce3c959c4b..2a7355ce1a0783 100644 --- a/fs/smb/client/smb2misc.c +++ b/fs/smb/client/smb2misc.c @@ -241,7 +241,8 @@ smb2_check_message(char *buf, unsigned int pdu_len, unsigned int len, if (len != calc_len) { /* create failed on symlink */ if (command == SMB2_CREATE_HE && - shdr->Status == STATUS_STOPPED_ON_SYMLINK) + shdr->Status == STATUS_STOPPED_ON_SYMLINK && + len > calc_len) return 0; /* Windows 7 server returns 24 bytes more */ if (calc_len + 24 == len && command == SMB2_OPLOCK_BREAK_HE) -- cgit 1.3-korg
d62b8d236fabsmb/client: fix out-of-bounds read in symlink_data()
2 files changed · +4 −4
fs/smb/client/smb2misc.c+2 −2 modifieddiff --git a/fs/smb/client/smb2misc.c b/fs/smb/client/smb2misc.c index 973fce3c959c4b..2a7355ce1a0783 100644 --- a/fs/smb/client/smb2misc.c +++ b/fs/smb/client/smb2misc.c @@ -241,7 +241,8 @@ smb2_check_message(char *buf, unsigned int pdu_len, unsigned int len, if (len != calc_len) { /* create failed on symlink */ if (command == SMB2_CREATE_HE && - shdr->Status == STATUS_STOPPED_ON_SYMLINK) + shdr->Status == STATUS_STOPPED_ON_SYMLINK && + len > calc_len) return 0; /* Windows 7 server returns 24 bytes more */ if (calc_len + 24 == len && command == SMB2_OPLOCK_BREAK_HE) -- cgit 1.3-korg
fs/smb/client/smb2misc.c+2 −2 modifieddiff --git a/fs/smb/client/smb2misc.c b/fs/smb/client/smb2misc.c index 973fce3c959c4b..2a7355ce1a0783 100644 --- a/fs/smb/client/smb2misc.c +++ b/fs/smb/client/smb2misc.c @@ -241,7 +241,8 @@ smb2_check_message(char *buf, unsigned int pdu_len, unsigned int len, if (len != calc_len) { /* create failed on symlink */ if (command == SMB2_CREATE_HE && - shdr->Status == STATUS_STOPPED_ON_SYMLINK) + shdr->Status == STATUS_STOPPED_ON_SYMLINK && + len > calc_len) return 0; /* Windows 7 server returns 24 bytes more */ if (calc_len + 24 == len && command == SMB2_OPLOCK_BREAK_HE) -- cgit 1.3-korg
ef6495d4df6esmb/client: fix out-of-bounds read in symlink_data()
2 files changed · +4 −4
fs/smb/client/smb2misc.c+2 −2 modifieddiff --git a/fs/smb/client/smb2misc.c b/fs/smb/client/smb2misc.c index 70a9536b03c637..dc0a441371bea0 100644 --- a/fs/smb/client/smb2misc.c +++ b/fs/smb/client/smb2misc.c @@ -239,7 +239,8 @@ smb2_check_message(char *buf, unsigned int len, struct TCP_Server_Info *server) if (len != calc_len) { /* create failed on symlink */ if (command == SMB2_CREATE_HE && - shdr->Status == STATUS_STOPPED_ON_SYMLINK) + shdr->Status == STATUS_STOPPED_ON_SYMLINK && + len > calc_len) return 0; /* Windows 7 server returns 24 bytes more */ if (calc_len + 24 == len && command == SMB2_OPLOCK_BREAK_HE) -- cgit 1.3-korg
fs/smb/client/smb2misc.c+2 −2 modifieddiff --git a/fs/smb/client/smb2misc.c b/fs/smb/client/smb2misc.c index 70a9536b03c637..dc0a441371bea0 100644 --- a/fs/smb/client/smb2misc.c +++ b/fs/smb/client/smb2misc.c @@ -239,7 +239,8 @@ smb2_check_message(char *buf, unsigned int len, struct TCP_Server_Info *server) if (len != calc_len) { /* create failed on symlink */ if (command == SMB2_CREATE_HE && - shdr->Status == STATUS_STOPPED_ON_SYMLINK) + shdr->Status == STATUS_STOPPED_ON_SYMLINK && + len > calc_len) return 0; /* Windows 7 server returns 24 bytes more */ if (calc_len + 24 == len && command == SMB2_OPLOCK_BREAK_HE) -- cgit 1.3-korg
15dc0a4de743smb/client: fix out-of-bounds read in symlink_data()
2 files changed · +4 −4
fs/smb/client/smb2misc.c+2 −2 modifieddiff --git a/fs/smb/client/smb2misc.c b/fs/smb/client/smb2misc.c index 5a820176b6f045..7e69dd227e8770 100644 --- a/fs/smb/client/smb2misc.c +++ b/fs/smb/client/smb2misc.c @@ -239,7 +239,8 @@ smb2_check_message(char *buf, unsigned int len, struct TCP_Server_Info *server) if (len != calc_len) { /* create failed on symlink */ if (command == SMB2_CREATE_HE && - shdr->Status == STATUS_STOPPED_ON_SYMLINK) + shdr->Status == STATUS_STOPPED_ON_SYMLINK && + len > calc_len) return 0; /* Windows 7 server returns 24 bytes more */ if (calc_len + 24 == len && command == SMB2_OPLOCK_BREAK_HE) -- cgit 1.3-korg
fs/smb/client/smb2misc.c+2 −2 modifieddiff --git a/fs/smb/client/smb2misc.c b/fs/smb/client/smb2misc.c index 5a820176b6f045..7e69dd227e8770 100644 --- a/fs/smb/client/smb2misc.c +++ b/fs/smb/client/smb2misc.c @@ -239,7 +239,8 @@ smb2_check_message(char *buf, unsigned int len, struct TCP_Server_Info *server) if (len != calc_len) { /* create failed on symlink */ if (command == SMB2_CREATE_HE && - shdr->Status == STATUS_STOPPED_ON_SYMLINK) + shdr->Status == STATUS_STOPPED_ON_SYMLINK && + len > calc_len) return 0; /* Windows 7 server returns 24 bytes more */ if (calc_len + 24 == len && command == SMB2_OPLOCK_BREAK_HE) -- cgit 1.3-korg
b8c8a704f0bcsmb/client: fix out-of-bounds read in symlink_data()
2 files changed · +4 −4
fs/smb/client/smb2misc.c+2 −2 modifieddiff --git a/fs/smb/client/smb2misc.c b/fs/smb/client/smb2misc.c index a6fc8ff398ebfa..0b37bc2a7f1c3f 100644 --- a/fs/smb/client/smb2misc.c +++ b/fs/smb/client/smb2misc.c @@ -240,7 +240,8 @@ smb2_check_message(char *buf, unsigned int len, struct TCP_Server_Info *server) if (len != calc_len) { /* create failed on symlink */ if (command == SMB2_CREATE_HE && - shdr->Status == STATUS_STOPPED_ON_SYMLINK) + shdr->Status == STATUS_STOPPED_ON_SYMLINK && + len > calc_len) return 0; /* Windows 7 server returns 24 bytes more */ if (calc_len + 24 == len && command == SMB2_OPLOCK_BREAK_HE) -- cgit 1.3-korg
fs/smb/client/smb2misc.c+2 −2 modifieddiff --git a/fs/smb/client/smb2misc.c b/fs/smb/client/smb2misc.c index a6fc8ff398ebfa..0b37bc2a7f1c3f 100644 --- a/fs/smb/client/smb2misc.c +++ b/fs/smb/client/smb2misc.c @@ -240,7 +240,8 @@ smb2_check_message(char *buf, unsigned int len, struct TCP_Server_Info *server) if (len != calc_len) { /* create failed on symlink */ if (command == SMB2_CREATE_HE && - shdr->Status == STATUS_STOPPED_ON_SYMLINK) + shdr->Status == STATUS_STOPPED_ON_SYMLINK && + len > calc_len) return 0; /* Windows 7 server returns 24 bytes more */ if (calc_len + 24 == len && command == SMB2_OPLOCK_BREAK_HE) -- cgit 1.3-korg
Vulnerability mechanics
Root cause
"Missing length validation in smb2_check_message() allows a symlink error response shorter than sizeof(struct smb2_err_rsp) to pass through, leading to an out-of-bounds read in symlink_data()."
Attack vector
An attacker on the network (or a malicious SMB server) sends a crafted SMB2 CREATE response with STATUS_STOPPED_ON_SYMLINK that is smaller than the expected error response structure — for example, only the 64-byte SMB2 header. The function smb2_check_message() previously returned success for any length mismatch on this status code without checking whether the actual length was larger than the calculated length [patch_id=2897958]. When symlink_data() subsequently reads err->ErrorContextCount (offset 66) or err->ByteCount, it reads beyond the valid buffer, causing an out-of-bounds read.
Affected code
The vulnerable code is in fs/smb/client/smb2misc.c, in the function smb2_check_message(). The symlink error-path special case (for SMB2_CREATE_HE with STATUS_STOPPED_ON_SYMLINK) lacked a check that the actual message length (len) is greater than the calculated length (calc_len).
What the fix does
The patch adds the condition `len > calc_len` to the existing symlink special-case in smb2_check_message() [patch_id=2897958]. Previously the function returned 0 (success) for any length mismatch when the command was SMB2_CREATE_HE and status was STATUS_STOPPED_ON_SYMLINK. With the fix, it only returns success when the actual length exceeds the calculated length (i.e., the response is plausibly larger than the base header), preventing undersized buffers from being accepted and later read out of bounds in symlink_data().
Preconditions
- networkThe attacker must be able to send a crafted SMB2 CREATE response to the client, or control a malicious SMB server that the client connects to.
- inputThe client must issue an SMB2 CREATE request that triggers a symlink error response (STATUS_STOPPED_ON_SYMLINK).
Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5- git.kernel.org/stable/c/15dc0a4de743a1aaa7b859b3aea79f08c695396cnvd
- git.kernel.org/stable/c/b8c8a704f0bc133deb171f6aeb6f3a684203e212nvd
- git.kernel.org/stable/c/b9561402489d41149f63e001a74384863b7b30a6nvd
- git.kernel.org/stable/c/d62b8d236fab503c6fec1d3e9a38bea71feaca20nvd
- git.kernel.org/stable/c/ef6495d4df6e7af8f3de67e65150881c880f696cnvd
News mentions
0No linked articles in our index yet.