NULL Pointer Dereference Affecting kernel-debug-core package, versions <0:5.14.0-687.17.1.el9_8


Severity

Recommended
high

Based on Oracle Linux security rating.

Threat Intelligence

EPSS
0.68% (48th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-ORACLE9-KERNELDEBUGCORE-17757918
  • published1 Jul 2026
  • disclosed28 May 2026

Introduced: 28 May 2026

CVE-2026-46195  (opens in a new tab)
CWE-476  (opens in a new tab)

How to fix?

Upgrade Oracle:9 kernel-debug-core to version 0:5.14.0-687.17.1.el9_8 or higher.
This issue was patched in ELSA-2026-21556.

NVD Description

Note: Versions mentioned in the description apply only to the upstream kernel-debug-core package and not the kernel-debug-core package as distributed by Oracle. See How to fix? for Oracle:9 relevant fixed versions and status.

In the Linux kernel, the following vulnerability has been resolved:

smb: client: validate dacloffset before building DACL pointers

parse_sec_desc(), build_sec_desc(), and the chown path in id_mode_to_cifs_acl() all add the server-supplied dacloffset to pntsd before proving a DACL header fits inside the returned security descriptor.

On 32-bit builds a malicious server can return dacloffset near U32_MAX, wrap the derived DACL pointer below end_of_acl, and then slip past the later pointer-based bounds checks. build_sec_desc() and id_mode_to_cifs_acl() can then dereference DACL fields from the wrapped pointer in the chmod/chown rewrite paths.

Validate dacloffset numerically before building any DACL pointer and reuse the same helper at the three DACL entry points.

CVSS Base Scores

version 3.1