CVE-2026-31613

Linux · Kernel (SMB Client)

The Linux kernel SMB client implementation contains an out-of-bounds read vulnerability when parsing symlink error responses due to insufficient length validation.

Executive summary

A high-severity out-of-bounds read vulnerability in the Linux kernel SMB client could allow an untrusted server to leak sensitive kernel memory.

Vulnerability

This is an Out-of-Bounds Read vulnerability (CWE-125) in the smb2_check_message() function. A malicious or compromised SMB server can send a crafted symlink error response that the client processes without proper length checks, potentially allowing an attacker to read kernel memory via the readlink(2) system call.

Business impact

With a CVSS score of 8.1, this vulnerability poses a severe risk to data confidentiality. By leaking sensitive kernel memory, an attacker could obtain information required to bypass other security protections, such as KASLR, facilitating further exploitation. The risk is particularly relevant for environments that frequently mount untrusted or remote SMB shares.

Remediation

Immediate Action: Apply the latest kernel updates provided by your Linux distribution vendor to incorporate the necessary length validation fixes.

Proactive Monitoring: Review system call logs for anomalous readlink behavior or frequent SMB-related connectivity errors that might indicate an attempt to probe the client's memory.

Compensating Controls: Ensure that SMB mounts are only performed against trusted, authenticated, and hardened server infrastructure to mitigate the risk of interaction with a malicious server.
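One way to check the compensating control above on a host, as an added example that is not part of the original advisory: it parses /proc/mounts-format text and reports SMB mounts whose server is not on an allowlist or whose session is unauthenticated. The allowlist, the sample lines and the function names are assumptions made for the illustration.

```python
import re

SMB_FSTYPES = {"cifs", "smb3"}  # filesystem types served by the kernel SMB client

def _unescape(field):
    # /proc/mounts encodes space, tab, newline and backslash as \040-style octal escapes
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)

def audit_smb_mounts(mounts_text, trusted_servers):
    """Return findings for SMB mounts that do not meet the compensating control."""
    trusted = {s.lower() for s in trusted_servers}
    findings = []
    for line in mounts_text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[2] not in SMB_FSTYPES:
            continue  # not an SMB client mount
        source, mountpoint = _unescape(parts[0]), _unescape(parts[1])
        options = parts[3].split(",")
        # The source has the form //server/share; backslash separators are accepted too
        m = re.match(r"^[/\\]{2}([^/\\]+)[/\\]", source + "/")
        server = m.group(1).lower() if m else ""
        reasons = []
        if server not in trusted:
            reasons.append("server not in allowlist")
        # Assumption: sec=none or guest in the option string means no authentication
        if "sec=none" in options or "guest" in options:
            reasons.append("unauthenticated session")
        if reasons:
            findings.append({"server": server, "mountpoint": mountpoint,
                             "reasons": reasons})
    return findings

# Constructed sample in /proc/mounts format (not captured from a real host)
SAMPLE_MOUNTS = """\
//files.corp.example/projects /mnt/projects cifs rw,relatime,vers=3.1.1,sec=krb5,username=svc 0 0
//203.0.113.7/public /mnt/vendor\\040drop cifs rw,relatime,vers=3.0,sec=none 0 0
/dev/sda1 / ext4 rw,relatime 0 0
//FILES.corp.example/home /home/shared smb3 rw,vers=3.1.1,sec=ntlmsspi,username=alice 0 0
"""

if __name__ == "__main__":
    import sys
    # Pass --live to audit this host; the default run uses the constructed sample
    text = open("/proc/mounts").read() if "--live" in sys.argv else SAMPLE_MOUNTS
    for f in audit_smb_mounts(text, ["files.corp.example"]):
        print(f"{f['mountpoint']}: //{f['server']} -> {', '.join(f['reasons'])}")
```

Until the kernel update is applied, any mount this reports is a candidate for unmounting or for moving to a trusted server.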

Exploitation status

Public Exploit Available: false

Analyst recommendation

This vulnerability highlights the risk of trusting remote file system responses. System administrators should prioritize updating kernel packages to ensure that SMB client operations correctly validate response lengths, effectively neutralizing the risk of kernel memory exposure.