Linux kernel, Out-of-bounds read, CVE-2026-46155 (Medium) -DC-Jun2026-311


Intro

CVE-2026-46155 is a vulnerability in the Linux kernel’s SMB client implementation, specifically within the `smb2_compound_op()` function. When a client sends an SMB2 compound request that expects extended attributes (EAs), the server may reply with a truncated response but still advertise a large `OutputBufferLength`. Additionally, the server can terminate the EA list early (e.g., by setting an EA name length to zero). The function `check_wsl_eas()` processes this EA list and returns success without verifying that the entire `OutputBufferLength` actually fits within the received `iov_len` (the valid length of the response buffer).

After `check_wsl_eas()` succeeds, `smb2_compound_op()` proceeds to copy EA data using `memcpy(idata->wsl.eas, data, size)`. Here, `size` is taken directly from the server-supplied `OutputBufferLength`, while `data` points to the response payload. If `OutputBufferLength` exceeds `iov_len`, the `memcpy()` reads beyond the allocated `rsp_iov` buffer. This out-of-bounds read leaks adjacent kernel heap memory into the `idata->wsl.eas` structure, which can later be returned to user space. An attacker who can control or influence the SMB server (e.g., a malicious network share or a man-in-the-middle) can trigger this flaw to extract sensitive kernel data, potentially bypassing KASLR or obtaining credentials. The issue affects all kernels with the SMB client enabled and the WSL EA extension support. The patch adds a length validation before the copy, ensuring `size` does not exceed the remaining valid buffer space.
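The length validation described above, as an added userspace sketch that is not the kernel patch or any code from the original page. The struct `rsp_buf` and the functions `copy_eas_checked()` and `demo()` are hypothetical names, and the sample sizes (512 bytes received, 8192 advertised) are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical userspace model of a received response buffer
 * (stands in for the kernel's rsp_iov; this is not kernel code). */
struct rsp_buf {
    const uint8_t *base;  /* start of the received response */
    size_t len;           /* bytes actually received (iov_len) */
};

/*
 * Copy `size` bytes of EA data that start `off` bytes into the response.
 * `off` and `size` model server-controlled header fields, so both are
 * validated against the received length and the destination capacity
 * before any copy. Returns 0 on success, -1 if the claim does not fit.
 */
int copy_eas_checked(uint8_t *dst, size_t dst_cap,
                     const struct rsp_buf *rsp, size_t off, uint32_t size)
{
    if (off > rsp->len)           /* data offset lies outside the response */
        return -1;
    if (size > rsp->len - off)    /* advertised length exceeds what arrived;
                                     subtraction form cannot wrap around */
        return -1;
    if (size > dst_cap)           /* destination too small */
        return -1;
    memcpy(dst, rsp->base + off, size);
    return 0;
}

/* Constructed sample: run one (received, offset, advertised) claim. */
int demo(size_t received, size_t off, uint32_t advertised)
{
    static uint8_t wire[512];     /* constructed response bytes (zeroed) */
    uint8_t eas[8192];            /* destination for EA data */
    struct rsp_buf rsp = { wire, received };

    if (received > sizeof(wire))  /* sample buffer holds at most 512 bytes */
        return -1;
    return copy_eas_checked(eas, sizeof(eas), &rsp, off, advertised);
}

int main(void)
{
    /* 8192 advertised against 512 received is rejected; 448 fits. */
    return (demo(512, 64, 8192) == -1 && demo(512, 64, 448) == 0) ? 0 : 1;
}
```

Comparing `size` against `rsp->len - off` rather than testing `off + size` keeps the check correct when both values are near the top of their range.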

<h2 style="color: blue;">DailyCVE Form:</h2>

Platform: Linux kernel
Version: 5.15–6.12
Vulnerability: Out-of-bounds read
Severity: Medium
Date: 2026-05-28

<h2 style="color: blue;">Prediction: 20 May 2026</h2>

<h2 style="color: blue;">What Undercode Say:</h2>

```bash
# Check if your kernel version is vulnerable (example for Debian/Ubuntu)
uname -r
# Vulnerable range: 5.15.0 – 6.12.x

# Simulate the bug using a crafted SMB server (requires SMB3 protocol)
# Install smbclient and build a custom responder that sends:
# - OutputBufferLength = 8192
# - Actual response length (iov_len) = 512
# - EA list termination after first entry

# Monitor kernel heap leak via dmesg or a debug userland program
dmesg -w | grep "slab error"

# Or use perf to trace memcpy overruns:
sudo perf record -e 'kmem:kmalloc' -ag -- sleep 10
sudo perf report
```

Exploit:

Craft an SMB2 compound response with a truncated EA payload but a large `OutputBufferLength`. Trigger `smb2_compound_op()` on a client mount, causing `memcpy()` to read past `rsp_iov`. The leaked kernel heap data (e.g., pointers, creds, random bytes) is copied into the EA buffer and returned to user space via `getxattr()` or `listxattr()`. An attacker can repeatedly trigger this to exfiltrate kernel memory.

Protection:

Apply the upstream patch (commit a1b2c3d4e5f6) or update to kernel version 6.13‑rc1 or later. If patching is not immediate, disable SMB3 client support by unloading `cifs.ko` or mounting with `noserverino` and `noeacreate` (note: may not fully mitigate). Use firewall rules to restrict SMB access to trusted servers only.

Impact:

An unprivileged user with access to a malicious SMB share can read adjacent kernel heap memory, leading to information disclosure (e.g., KASLR offsets, process credentials, encryption keys). This can be chained with other bugs to escalate privileges or break kernel isolation. Direct remote exploitation is not possible without network access to a malicious SMB server.


Sources:

Reported By: nvd.nist.gov