ACK: [SRU][Q/J][PATCH 0/2] CVE-2026-46195

Alessio Faina alessio.faina at canonical.com
Thu Jun 18 11:44:18 UTC 2026


On Wed, Jun 17, 2026 at 12:51:34AM +0300, Cengiz Can via kernel-team wrote:
> https://ubuntu.com/security/CVE-2026-46195
> 
> [ Impact ]
> 
> The SMB client code paths parse_sec_desc(), build_sec_desc(), and the chown
> path in id_mode_to_cifs_acl() add a server-supplied dacloffset to the security
> descriptor pointer before verifying that a DACL header actually fits within the
> returned buffer. On 32-bit builds a malicious server can return a dacloffset
> near U32_MAX, causing the derived DACL pointer to wrap below end_of_acl and
> bypass the later pointer-based bounds checks. The chmod/chown rewrite paths can
> then dereference DACL fields from the wrapped pointer, leading to out-of-bounds
> access driven by a hostile server.
> 
> [ Fix ]
> 
> questing: clean cherry-pick
> jammy: clean cherry-pick
> 
> [ Test Plan ]
> 
> Boot tested.
> 
> [ Where Problems Could Occur ]
> 
> A regression in this fix would affect the cifs/smb client ACL handling,
> potentially causing valid security descriptors to be rejected and breaking
> chmod/chown or permission lookups on SMB mounts that rely on CIFS ACL mapping.
> 
> -- 
> kernel-team mailing list
> kernel-team at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team

Acked-by: Alessio Faina <alessio.faina at canonical.com>
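The offset-wrap described in the [Impact] section above, as an added illustration that is not code from the kernel, from the cherry-picked fix, or from anyone in this thread: a toy security-descriptor parser showing the vulnerable "add the offset to the pointer, then compare pointers" pattern beside a length-based check that is evaluated before any pointer is derived. The header layouts, constants, function names (dacl_fits_pointer_check, dacl_fits_length_check, parse_sec_desc_hardened, build_sd, build_and_parse) and the sample buffers are assumptions made for this example; 32-bit addresses are modelled as uint32_t so the wrap reproduces on any host, since wrapping a real C pointer is undefined behaviour.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Minimal models of the on-wire NT security descriptor and ACL headers.
 * Illustrative constants for this example, not the kernel's own
 * smb_ntsd / smb_acl definitions.  Both headers are little-endian. */
#define NTSD_HDR_LEN 20u   /* revision, type, owner/group/sacl/dacl offsets */
#define ACL_HDR_LEN   8u   /* revision, size, num_aces */

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void put_le32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v & 0xff);
    p[1] = (uint8_t)((v >> 8) & 0xff);
    p[2] = (uint8_t)((v >> 16) & 0xff);
    p[3] = (uint8_t)(v >> 24);
}

/* Vulnerable pattern: add the server-supplied dacloffset to the descriptor
 * address first, then compare against end_of_acl.  With a 32-bit address
 * space, an offset near U32_MAX wraps pdacl below sd_addr and the
 * "header ends before end_of_acl" test passes for garbage memory. */
static bool dacl_fits_pointer_check(uint32_t sd_addr, uint32_t acl_len,
                                    uint32_t dacloffset)
{
    uint32_t end_of_acl = sd_addr + acl_len;
    uint32_t pdacl = sd_addr + dacloffset;  /* wraps when dacloffset ~ U32_MAX */

    return pdacl + ACL_HDR_LEN <= end_of_acl;
}

/* Hardened pattern (one reasonable shape, not the upstream patch): validate
 * the offset against the buffer length in plain integer arithmetic before
 * deriving any pointer from it.  Every subtraction is guarded, so nothing
 * here can wrap on either 32-bit or 64-bit builds. */
static bool dacl_fits_length_check(uint32_t acl_len, uint32_t dacloffset)
{
    if (dacloffset < NTSD_HDR_LEN)          /* DACL may not overlap the header */
        return false;
    if (dacloffset > acl_len)               /* offset points past the buffer */
        return false;
    if (acl_len - dacloffset < ACL_HDR_LEN) /* ACL header itself does not fit */
        return false;
    return true;
}

/* Parse a descriptor with the hardened check.  On success writes the DACL's
 * num_aces to *num_aces and returns 0; returns -1 if the buffer is rejected. */
static int parse_sec_desc_hardened(const uint8_t *buf, uint32_t acl_len,
                                   uint32_t *num_aces)
{
    if (acl_len < NTSD_HDR_LEN)
        return -1;
    uint32_t dacloffset = le32(buf + 16);   /* dacloffset is the last header field */
    if (!dacl_fits_length_check(acl_len, dacloffset))
        return -1;
    *num_aces = le32(buf + dacloffset + 4);
    return 0;
}

/* Constructed sample: a 20-byte header followed by an 8-byte ACL header with
 * num_aces = 1.  dacloffset is caller-chosen so a hostile value can be
 * injected in place of the correct 20.  Returns the buffer length (28). */
static uint32_t build_sd(uint8_t *buf, uint32_t dacloffset)
{
    memset(buf, 0, NTSD_HDR_LEN + ACL_HDR_LEN);
    buf[0] = 1;                        /* SD revision */
    put_le32(buf + 16, dacloffset);    /* dacloffset field */
    buf[20] = 2;                       /* ACL revision */
    buf[22] = (uint8_t)ACL_HDR_LEN;    /* ACL size, little-endian u16 */
    put_le32(buf + 24, 1);             /* num_aces */
    return NTSD_HDR_LEN + ACL_HDR_LEN;
}

/* Build a descriptor carrying the given dacloffset and run it through the
 * hardened parser: 0 means accepted, -1 means rejected. */
static int build_and_parse(uint32_t dacloffset)
{
    uint8_t buf[NTSD_HDR_LEN + ACL_HDR_LEN];
    uint32_t num_aces = 0;
    uint32_t len = build_sd(buf, dacloffset);
    return parse_sec_desc_hardened(buf, len, &num_aces);
}

int main(void)
{
    const uint32_t sd_addr = 0x80000000u;   /* arbitrary 32-bit buffer address */
    const uint32_t len = NTSD_HDR_LEN + ACL_HDR_LEN;
    const uint32_t hostile = 0xFFFFFFF0u;   /* server-supplied offset near U32_MAX */

    printf("benign  offset 20        : pointer check %d, length check %d, parse %d\n",
           dacl_fits_pointer_check(sd_addr, len, NTSD_HDR_LEN),
           dacl_fits_length_check(len, NTSD_HDR_LEN), build_and_parse(NTSD_HDR_LEN));
    printf("hostile offset 0xFFFFFFF0: pointer check %d, length check %d, parse %d\n",
           dacl_fits_pointer_check(sd_addr, len, hostile),
           dacl_fits_length_check(len, hostile), build_and_parse(hostile));
    return 0;
}
```

The pointer-based check accepts both buffers because 0x80000000 + 0xFFFFFFF0 wraps to 0x7FFFFFF0, which sits "below" end_of_acl; the length-based check rejects the hostile offset outright. On a 64-bit build the same u32 offset cannot wrap a 64-bit pointer, which is why the report above scopes the bypass to 32-bit builds, but a length check of this shape is the right test on both.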


