medium advisory

CVE-2026-46185 Out-of-Bounds Read in SMB Client symlink_data()

CVE-2026-46185 is an out-of-bounds read vulnerability in the SMB client component within the symlink_data() function, potentially leading to information disclosure or denial of service.

CVE-2026-46185 is an out-of-bounds read vulnerability in the symlink_data() function of the SMB client in Microsoft products. The issue arises while the SMB client processes symbolic links. An attacker who successfully exploits it could read sensitive information or cause a denial-of-service condition by triggering the out-of-bounds read. Successful exploitation requires the attacker to control an SMB server that a victim client connects to.

Attack Chain

  1. Attacker sets up a malicious SMB server.
  2. Attacker crafts a symbolic link response to trigger the vulnerability.
  3. Victim connects to the attacker-controlled SMB server.
  4. The SMB client attempts to process the malicious symbolic link.
  5. The symlink_data() function within the SMB client is called.
  6. The out-of-bounds read occurs within symlink_data() due to the crafted symbolic link data.
  7. Exploitation leads to information disclosure or a denial-of-service condition.

Impact

Successful exploitation of CVE-2026-46185 could allow an attacker to read sensitive information from the victim’s system memory. While the specific impact is dependent on the memory contents read, it could potentially lead to further compromise. The vulnerability could also result in a denial-of-service condition if the out-of-bounds read causes the SMB client to crash.

Recommendation

  • Apply the security update released by Microsoft to patch CVE-2026-46185.
  • Deploy the Sigma rule to detect potential exploitation attempts by monitoring SMB client activity related to symbolic links.
  • Monitor SMB connections to untrusted or suspicious servers.
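One way to act on the last recommendation, as an added example that is not part of the original advisory or its Sigma rules: the script below groups outbound port-445 connections to servers outside a trusted range. The event fields follow Sysmon Event ID 3 naming; the trusted networks, host names and sample events are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumption: networks where the organisation's own file servers live.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.10.0/24", "fd00::/8")]

# Constructed sample events, shaped like Sysmon Event ID 3 (network connection) fields.
FIELDS = ("UtcTime", "Computer", "Initiated", "DestinationIp", "DestinationPort")
SAMPLE_EVENTS = [dict(zip(FIELDS, row)) for row in [
    ("2026-01-10 09:00:01", "ws01", "true", "10.1.2.3", "445"),       # internal file server
    ("2026-01-10 09:02:40", "ws01", "true", "203.0.113.50", "445"),   # external SMB server
    ("2026-01-10 09:02:17", "ws01", "true", "203.0.113.50", "445"),   # same pair, earlier
    ("2026-01-10 09:05:00", "ws02", "false", "198.51.100.7", "445"),  # inbound, not a client
    ("2026-01-10 09:06:30", "ws02", "true", "198.51.100.7", "443"),   # not SMB
    ("2026-01-10 09:07:00", "ws03", "true", "not-an-ip", "445"),      # malformed destination
]]

def is_trusted(ip_text, trusted=TRUSTED_NETS):
    """True only if ip_text parses and falls inside a trusted network."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # unparseable destination: treat as untrusted so it is surfaced
    return any(ip.version == net.version and ip in net for net in trusted)

def untrusted_smb_sessions(events, trusted=TRUSTED_NETS):
    """Group outbound port-445 connections to untrusted servers by (client, server)."""
    hits = defaultdict(lambda: {"count": 0, "first_seen": None})
    for ev in events:
        if str(ev.get("Initiated", "")).lower() != "true":
            continue  # inbound: this host acted as the server, not the SMB client
        if str(ev.get("DestinationPort")) != "445":
            continue
        dst = ev.get("DestinationIp", "")
        if is_trusted(dst, trusted):
            continue
        rec = hits[(ev.get("Computer", "?"), dst)]
        rec["count"] += 1
        ts = ev.get("UtcTime", "")
        if rec["first_seen"] is None or ts < rec["first_seen"]:
            rec["first_seen"] = ts
    return dict(hits)

if __name__ == "__main__":
    for (host, dst), rec in sorted(untrusted_smb_sessions(SAMPLE_EVENTS).items()):
        print(f"{host} -> {dst}:445  x{rec['count']}  first seen {rec['first_seen']}")
```

A hit only shows that a client opened an SMB session to a server outside the trusted set; it does not show that symbolic link data was processed.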

Detection coverage (2 rules)

Detect CVE-2026-46185 Exploitation Attempt via SMB Client Symbolic Link Processing

medium

Detects potential exploitation attempts of CVE-2026-46185 by monitoring SMB client activity related to symbolic link processing.

sigma | tactics: initial_access | techniques: T1190 | sources: network_connection, windows

Detect Suspicious SMB Client Activity to Uncommon Ports

low

Detects SMB client activity on ports other than the standard 445, which could indicate exploitation attempts.

sigma | tactics: command_and_control | techniques: T1071.001 | sources: network_connection, windows
