medium advisory

CVE-2026-46155: Out-of-bounds Read in SMB Client

CVE-2026-46155 is an out-of-bounds read vulnerability in the smb2_compound_op() function of the SMB client. Microsoft has released a security update that addresses the issue.

CVE-2026-46155 affects the SMB client, specifically the smb2_compound_op() function. A malicious SMB server, or an attacker capable of man-in-the-middle attacks, could craft a response that triggers the out-of-bounds read and potentially read sensitive information from a client system. Microsoft has released a security update to remediate this vulnerability. Defenders should prioritize applying this patch to mitigate potential information disclosure.

Attack Chain

  1. Attacker sets up a malicious SMB server or intercepts existing SMB traffic.
  2. A vulnerable SMB client attempts to connect to the attacker-controlled SMB server, or the attacker intercepts an existing connection.
  3. The attacker crafts a malicious SMB response packet designed to trigger the vulnerability.
  4. The SMB client processes the malicious response using the smb2_compound_op() function.
  5. Due to the vulnerability, smb2_compound_op() attempts to read data from an invalid memory location.
  6. Sensitive information from the client’s memory is unintentionally disclosed.
  7. The attacker captures the disclosed data.
  8. The attacker analyzes the leaked memory content, which may contain credentials, session keys, or other sensitive data.

Impact

Successful exploitation of CVE-2026-46155 can lead to information disclosure. The impact depends on the contents of the memory that is read out of bounds, but could include sensitive data such as credentials or session keys, leading to further compromise of the affected system or network. The number of potential victims depends on the number of systems running vulnerable versions of the SMB client.

Recommendation

  • Apply the security update released by Microsoft to patch CVE-2026-46155 on all affected systems (reference: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-46155).
  • Deploy the Sigma rule “Detect SMB Client Out-of-Bounds Read” to identify potential exploitation attempts.
  • Monitor network traffic for anomalous SMB responses that could indicate exploitation of this vulnerability (correlate with network_connection logs).
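
For the traffic-monitoring recommendation above, the following added example (not part of the original advisory or of any vendor rule) checks the framing of an SMB2 compound response extracted from a capture: each header's NextCommand offset must be 8-byte aligned and must leave room for another 64-byte header inside the payload. The advisory does not describe the exact trigger for CVE-2026-46155, so these are generic consistency checks based on the MS-SMB2 header layout; the function name and sample payloads are constructed for illustration.

```python
import struct

SMB2_MAGIC = b"\xfeSMB"   # ProtocolId of an unencrypted SMB2 header
HDR_LEN = 64              # fixed SMB2 header size; NextCommand is at offset 20

def check_compound(payload: bytes) -> list[str]:
    """Walk the NextCommand chain of one SMB2 message (transport length
    prefix already stripped) and return the framing anomalies found."""
    issues, off, idx = [], 0, 0
    while True:
        remaining = len(payload) - off
        if remaining < HDR_LEN:
            issues.append(f"msg {idx}: {remaining} bytes left, header needs {HDR_LEN}")
            break
        magic, struct_size = struct.unpack_from("<4sH", payload, off)
        (next_cmd,) = struct.unpack_from("<I", payload, off + 20)
        if magic != SMB2_MAGIC:
            issues.append(f"msg {idx}: unexpected ProtocolId {magic!r}")
            break
        if struct_size != HDR_LEN:
            issues.append(f"msg {idx}: StructureSize {struct_size}, expected {HDR_LEN}")
        if next_cmd == 0:
            break                      # last message in the chain
        if next_cmd % 8:
            issues.append(f"msg {idx}: NextCommand {next_cmd} is not 8-byte aligned")
        if next_cmd < HDR_LEN or next_cmd > remaining - HDR_LEN:
            issues.append(f"msg {idx}: NextCommand {next_cmd} out of range "
                          f"for {remaining} remaining bytes")
            break
        off, idx = off + next_cmd, idx + 1
    return issues

def _hdr(next_cmd: int) -> bytes:
    # Constructed response header; only the fields checked above carry meaning.
    return struct.pack("<4sHHIHHIIQIIQ16s", SMB2_MAGIC, HDR_LEN, 0, 0, 5, 1,
                       0x1, next_cmd, 0, 0, 0, 0, bytes(16))

# Constructed samples, not captured traffic.
SAMPLES = {
    "well_formed": _hdr(72) + bytes(8) + _hdr(0) + bytes(8),
    "offset_past_end": _hdr(4096) + bytes(8),
    "misaligned": _hdr(68) + bytes(4) + _hdr(0),
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, check_compound(data) or "ok")
```

Encrypted SMB3 sessions carry a transform header (ProtocolId 0xFD 'SMB') instead, which this check reports as an unexpected ProtocolId because the inner headers are not visible on the wire.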

Detection coverage (2 rules)

Detect SMB Client Out-of-Bounds Read

medium

Detects CVE-2026-46155 exploitation — Suspicious SMB response sizes indicating potential out-of-bounds read

sigma; tactics: discovery; techniques: T1068; sources: network_connection, windows

Detect Suspicious Process Accessing SMB Shares

low

Detects unusual processes accessing SMB shares, which might be indicative of post-exploitation activity following CVE-2026-46155 exploitation

sigma; tactics: lateral_movement; techniques: T1021.002; sources: process_creation, windows