In the Linux kernel, the following vulnerability has been resolved:
smb/client: fix out-of-bounds read in smb2compoundop()
If a server sends a truncated response but a large OutputBufferLength, and terminates the EA list early, checkwsleas() returns success without validating that the entire OutputBufferLength fits within iov_len.
Then smb2compoundop() does: memcpy(idata->wsl.eas, data[0], size[0]);
Where size[0] is OutputBufferLength. If iovlen is smaller than size[0], memcpy can read beyond the end of the rspiov allocation and leak adjacent kernel heap memory.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46155.json",
"cna_assigner": "Linux"
}