External risk intelligence

Linux Kernel SMB Client DACL Pointer Validation Flaw.

CVE advisory

Severity: CRITICAL (CVSS 9.8)

CVE-2026-46195

A vulnerability in the Linux kernel's SMB client could allow a malicious server to overwrite memory, potentially leading to system compromise. This occurs when a Linux system connects to a compromised SMB server, which then sends malformed data to exploit a flaw in how the kernel handles security descriptor offsets. Wh

Halo Surface Signal: 2

Linux Kernel

  • 5.12 to before 6.6.140
  • 6.7 to before 6.12.88
  • 6.13 to before 6.18.30
  • 6.19 to before 7.0.7
  • 7.1

External exposure likelihood

Halo Surface Signal score for CVE-2026-46195

The vulnerability exists in the Linux kernel SMB client implementation. While network-reachable in environments where a client mounts a malicious or compromised SMB server, general public internet exposure of an SMB client is uncommon and typically restricted to internal or trusted network segments.

PCI scan relevance

PCI Relevance for CVE-2026-46195

Yes

CVE-2026-46195 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This Linux kernel vulnerability allows a malicious server to bypass security checks, potentially leading to remote code execution and impacting the confidentiality, integrity, and availability of systems, which would cause a PCI ASV scan to fail.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability in the Linux kernel's SMB client could allow a malicious server to exploit memory safety issues, potentially leading to system compromise. While the exploit requires specific conditions involving a compromised server, its critical severity warrants attention to confirm relevance and exposure within your environment.

  • A server can trick the system into misinterpreting memory.
  • It affects how shared files are managed.
  • Confirm if your systems use affected shared file protocols.

Attack Path

How an attacker could exploit the issue

An attacker can exploit this vulnerability by tricking a Linux system into connecting to a malicious or compromised SMB server. This connection allows the server to send specially crafted data that exploits a flaw in how the kernel handles security descriptor offsets, potentially leading to a system crash or code execution.

  • Requires connection to a malicious server.
  • Triggered by malformed security data.
  • Leads to denial-of-service or code execution.

Live Threat

Current exploitation, exposure, and threat context

When a Linux kernel client interacts with a malicious SMB server, it could be tricked into incorrectly processing security descriptor data, potentially leading to unauthorized data access or modification. This occurs when the server provides an intentionally malformed offset value that bypasses security checks in the client's handling of security descriptors during operations like changing file ownership or permissions.

  • System file metadata and permissions.
  • Malformed server response during SMB operations.
  • Unauthorized data access or modification.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability in the Linux kernel's SMB client impacts systems that communicate with SMB servers. Infrastructure or platform teams managing Linux systems that use the SMB client are likely responsible for addressing this. The first practical step is to identify all Linux systems utilizing the SMB client, assess their exposure to potentially malicious SMB servers, and confirm business criticality.

  • Ownership sits with infrastructure/platform teams.
  • Verify SMB client usage and exposure.
  • Plan remediation based on risk assessment.

Frequently asked questions

What is the Linux kernel SMB client?

The Linux kernel SMB client is a component that enables a Linux system to access and manage files shared on remote servers using the SMB protocol. It allows the operating system to interact with network drives, often used in corporate environments for centralized storage and file sharing.

What is the vulnerability class for CVE-2026-46195?

CVE-2026-46195 is a NULL pointer dereference or related memory handling weakness, classified under CWE-476. The flaw occurs because the kernel fails to properly validate memory offsets provided by a server before using them, which can cause the system to access invalid or incorrect memory locations when managing file security descriptors.
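The kind of offset validation described in this answer, as an added illustration that is not the kernel's code or its fix: a user-space check that a server-supplied DACL offset and ACL size stay inside the received security descriptor before anything is read from them. The header layouts follow the self-relative security descriptor format in MS-DTYP; `locate_dacl` and `build_sd` are hypothetical names, and the sample descriptors are constructed.

```python
import struct

# Self-relative security descriptor header (MS-DTYP layout):
# revision, sbz1, control, owner offset, group offset, SACL offset, DACL offset
SD_HEADER = struct.Struct("<BBHIIII")   # 20 bytes
# ACL header: revision, sbz1, total ACL size in bytes, ACE count, sbz2
ACL_HEADER = struct.Struct("<BBHHH")    # 8 bytes


def locate_dacl(buf: bytes):
    """Return (offset, size) of the DACL inside buf, or None if none is present.

    Raises ValueError when the server-supplied offset or size would place any
    part of the ACL outside the received buffer.
    """
    if len(buf) < SD_HEADER.size:
        raise ValueError("descriptor shorter than its fixed header")
    *_, dacl_off = SD_HEADER.unpack_from(buf, 0)
    if dacl_off == 0:
        return None                     # no DACL: the caller must not form a pointer
    if dacl_off < SD_HEADER.size:
        raise ValueError("DACL offset points into the descriptor header")
    # Compared by subtraction so the same test cannot wrap in fixed-width arithmetic.
    if dacl_off > len(buf) - ACL_HEADER.size:
        raise ValueError("DACL header lies outside the buffer")
    _rev, _sbz1, acl_size, _count, _sbz2 = ACL_HEADER.unpack_from(buf, dacl_off)
    if acl_size < ACL_HEADER.size or acl_size > len(buf) - dacl_off:
        raise ValueError("DACL size runs past the end of the buffer")
    return dacl_off, acl_size


def build_sd(dacl_off: int, acl_size: int = 8, total: int = 28) -> bytes:
    """Constructed sample: `total` zero bytes, a header, and an empty ACL at offset 20."""
    buf = bytearray(total)
    # control 0x8004 = self-relative descriptor with a DACL present
    SD_HEADER.pack_into(buf, 0, 1, 0, 0x8004, 0, 0, 0, dacl_off)
    if total >= SD_HEADER.size + ACL_HEADER.size:
        ACL_HEADER.pack_into(buf, SD_HEADER.size, 2, 0, acl_size, 0, 0)
    return bytes(buf)
```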

How is this vulnerability triggered?

This flaw is triggered when a Linux system connects to a malicious SMB server that sends a specially crafted, invalid offset value. The issue specifically arises when the kernel processes these security descriptors. Notably, local system activity or legitimate network traffic from trusted, benign servers will not trigger this vulnerability.

Is my system at risk?

Halo Surface Signal indicates that while the vulnerability is network-reachable, it typically requires a connection to a malicious SMB server. Since SMB clients are rarely exposed directly to the public internet and usually operate within internal or trusted network segments, the immediate risk depends on whether your systems mount file shares from untrusted or compromised external sources.

How do I respond to this threat?

Your first step is to audit your infrastructure to identify which Linux systems are actively using the SMB client to mount network shares. Once identified, prioritize systems that communicate with external or less-trusted servers. Coordinate with your platform teams to plan for kernel updates that include the necessary validation fixes for security descriptor handling.
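A first-pass audit for the identification step described above and under "Operational Fix", as an added example that is not part of the original advisory: it compares a kernel release string against the affected ranges listed on this page and lists SMB client mounts from /proc/mounts content. The function names are hypothetical, the page's bare "7.1" entry is not interpreted, and distribution kernels that backport fixes without changing the base version still need a vendor-advisory check.

```python
import re

# Affected ranges as listed on this page: (first affected, first fixed).
# The page also lists a bare "7.1" with no range; it is not interpreted here.
AFFECTED = [((5, 12, 0), (6, 6, 140)), ((6, 7, 0), (6, 12, 88)),
            ((6, 13, 0), (6, 18, 30)), ((6, 19, 0), (7, 0, 7))]
SMB_FSTYPES = {"cifs", "smb3"}   # filesystem types registered by the kernel SMB client


def parse_release(release: str):
    """Turn a `uname -r` string such as '6.12.40-amd64' into (6, 12, 40)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return tuple(int(g or 0) for g in m.groups())


def in_affected_range(release: str) -> bool:
    """True when the base version falls inside one of the page's ranges."""
    v = parse_release(release)
    return any(lo <= v < hi for lo, hi in AFFECTED)


def smb_mounts(mounts_text: str):
    """Return (server_share, mountpoint) for each SMB mount in /proc/mounts text."""
    found = []
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[2] in SMB_FSTYPES:
            found.append((fields[0], fields[1]))
    return found


def audit(release: str, mounts_text: str) -> dict:
    """Combine both checks; 'prioritise' means in range and actively mounting SMB."""
    mounts = smb_mounts(mounts_text)
    affected = in_affected_range(release)
    return {"release": release, "in_range": affected, "smb_mounts": mounts,
            "prioritise": affected and bool(mounts)}


if __name__ == "__main__":
    import platform
    with open("/proc/mounts") as fh:
        print(audit(platform.release(), fh.read()))
```

The server names in the `smb_mounts` output are the list to review for external or less-trusted hosts.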
