External risk intelligence

Linux Kernel SMB Client Out-of-Bounds Read Vulnerability

CVE advisory

Severity: CRITICAL (CVSS 9.1)

CVE-2026-46155

A vulnerability in the Linux kernel's SMB client allows an attacker to read adjacent kernel heap memory. This occurs when a specially crafted, truncated server response triggers an out-of-bounds read during data copying. The issue could lead to information disclosure from kernel memory if reachable.

Halo Surface Signal: 3

Out-of-bounds Read

Linux Kernel

  • 6.6.32 to before 6.6.140
  • 6.9 to before 6.12.88
  • 6.13 to before 6.18.30
  • 6.19 to before 7.0.7
  • 7.1

External exposure likelihood

Halo Surface Signal score for CVE-2026-46155

This vulnerability exists in the Linux kernel SMB client implementation. While SMB clients are commonly used for accessing network shares, they are typically internal or restricted to specific trusted environments rather than exposed directly to the public internet. Access requires the client to connect to a potentially malicious server, making reachability possible in some deployment contexts.

PCI scan relevance

PCI Relevance for CVE-2026-46155

Yes

CVE-2026-46155 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This Linux kernel vulnerability could lead to a PCI scan failure due to its high severity score, requiring remediation.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

This critical vulnerability in the Linux kernel could allow an attacker to read sensitive information from memory. The issue stems from how the kernel handles responses from servers when accessing network shares, potentially exposing kernel heap data.

  • An issue allows reading sensitive kernel memory.
  • Attackers could exploit this to gain unauthorized information.
  • Confirm relevance and any potential exposure within your environment.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this vulnerability by tricking a Linux system into connecting to a malicious server using the SMB protocol. If the server sends a specially crafted, truncated response, the system may incorrectly allocate memory and then copy data beyond the intended buffer, potentially leaking sensitive information from the kernel.

  • Requires connection to a malicious server.
  • Vulnerable SMB client component is triggered.
  • Leaks adjacent kernel heap memory.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an attacker to leak adjacent kernel heap memory. This occurs when a Linux kernel acting as an SMB client encounters a specially crafted, truncated server response with a large `OutputBufferLength` and an early termination of the EA list. This can lead to a buffer over-read during data copying.

  • Kernel heap memory.
  • Truncated server response with specific conditions.
  • Information disclosure from kernel memory.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability impacts the Linux kernel's SMB client. Ownership likely resides with the infrastructure or platform teams managing the kernel, with coordination from the security team. The first practical step is to inventory all systems running the affected kernel versions and determine their exposure to potentially untrusted SMB servers.

  • Infrastructure/Platform team ownership.
  • Verify SMB client exposure.
  • Plan kernel updates with vendor.

Frequently asked questions

What is the Linux kernel SMB client?

The Linux kernel SMB client is a core subsystem that allows your system to access files and services hosted on Windows-compatible network shares. It handles the communication between your local system and external storage servers using the SMB protocol. Because it operates at the kernel level—the deepest layer of the operating system—it has extensive access to system resources, making its security critical for maintaining overall system integrity.

What does CVE-2026-46155 mean for kernel memory?

This vulnerability is classified as an out-of-bounds read (CWE-125). It occurs when the SMB client incorrectly trusts a malicious server's instructions regarding how much data to read. Instead of stopping at the expected limit, the kernel continues to copy memory from adjacent areas in the kernel heap. This process leaks sensitive internal data that should not be accessible to the outside world, potentially exposing information residing in the system's private memory space.

How is this SMB client vulnerability triggered?

An attacker triggers this by acting as a malicious SMB server. When your Linux system attempts to connect to this server, the attacker sends a specially crafted, truncated response that claims to have a large amount of data. If the client fails to verify the size of this data against the actual space available, it attempts to read beyond the legitimate buffer. Normal, valid connections to trusted, non-malicious servers do not trigger this error.

Is my system at risk according to Halo Surface Signal?

Halo Surface Signal notes that while the Linux SMB client is often used in restricted, internal environments, your system could be at risk if it connects to untrusted or compromised servers. Because the vulnerability is triggered by an outbound connection to a malicious host, even internal systems are susceptible if they perform networking tasks involving untrusted network shares or if an attacker positions a rogue server within your network's reach.

What should I do to address this CVE?

First, identify all systems in your environment that run the affected Linux kernel versions. Since this is a kernel-level issue, remediation requires applying official security patches provided by your Linux distribution vendor. Coordinate with your infrastructure or platform teams to prioritize patching systems that frequently connect to external or untrusted network storage, as these represent the highest point of risk.
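A first-pass triage helper for the inventory step described here and under "Operational Fix", added as an example and not taken from this advisory or any vendor tool. It compares `uname -r` output with the version ranges listed on this page and lists SMB client mounts from `/proc/mounts` content; the function names and status labels are illustrative, and distribution kernels may carry backported fixes that the version string does not reflect.

```python
import re

# Upstream ranges listed on this page: (first affected, first fixed).
AFFECTED_RANGES = [
    ((6, 6, 32), (6, 6, 140)),
    ((6, 9, 0), (6, 12, 88)),
    ((6, 13, 0), (6, 18, 30)),
    ((6, 19, 0), (7, 0, 7)),
]
# The page also lists a bare "7.1" with no bound; flag it instead of guessing.
UNBOUNDED_SERIES = (7, 1)
SMB_FSTYPES = {"cifs", "smb3"}  # filesystem types of the in-kernel SMB client


def parse_release(release):
    """Return (major, minor, patch) from a `uname -r` string, or None."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release.strip())
    return (int(m[1]), int(m[2]), int(m[3] or 0)) if m else None


def classify(release):
    """Compare one kernel release with the ranges listed on the page."""
    version = parse_release(release)
    if version is None:
        return "unparsed"
    if any(lo <= version < hi for lo, hi in AFFECTED_RANGES):
        return "in-affected-range"
    return "review" if version[:2] == UNBOUNDED_SERIES else "not-listed"


def smb_mounts(mounts_text):
    """Return (server_share, mountpoint) pairs from /proc/mounts content."""
    rows = (line.split() for line in mounts_text.splitlines())
    return [(f[0], f[1]) for f in rows if len(f) >= 3 and f[2] in SMB_FSTYPES]


def triage(release, mounts_text):
    """Summarise one host: version status plus the SMB servers it mounts."""
    return {"kernel": classify(release), "smb_mounts": smb_mounts(mounts_text)}


if __name__ == "__main__":
    # Constructed sample: a made-up release string and /proc/mounts excerpt.
    mounts = ("/dev/sda1 / ext4 rw 0 0\n"
              "//files.example.internal/share /mnt/share cifs rw,vers=3.1.1 0 0\n")
    print(triage("6.12.20-amd64", mounts))
```

Hosts reported as `in-affected-range` with a non-empty `smb_mounts` list are the ones to check against the distribution's own advisory first.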
