DEBIAN-CVE-2026-46195

In the Linux kernel, the following vulnerability has been resolved:  smb: client: validate dacloffset before building DACL pointers  parsesecdesc(), buildsecdesc(), and the chown path in idmodetocifsacl() all add the server-supplied dacloffset to pntsd before proving a DACL header fits inside the returned security descriptor.  On 32-bit builds a malicious server can return dacloffset near U32MAX, wrap the derived DACL pointer below endofacl, and then slip past the later pointer-based bounds checks. buildsecdesc() and idmodetocifs_acl() can then dereference DACL fields from the wrapped pointer in the chmod/chown rewrite paths.  Validate dacloffset numerically before building any DACL pointer and reuse the same helper at the three DACL entry points.