Skip to main content

Linux CVE-2026-31392

| EUVDEUVD-2026-18766 HIGH
2026-04-03 Linux GHSA-h833-487p-56g8
8.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.1 HIGH
AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L
SUSE
HIGH
qualitative
Red Hat
5.8 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L
Attack Vector
Local
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
Low

Lifecycle Timeline

6
Re-analysis Queued
Apr 27, 2026 - 14:22 vuln.today
cvss_changed
CVSS changed
Apr 27, 2026 - 14:22 NVD
8.1 (HIGH)
Patch available
Apr 16, 2026 - 05:29 EUVD
9229709ec8bf85ae7ca53aeee9aa14814cdc1bd2,6e9ff1eb7feedcf46ff2d0503759960ab58e7775,12b4c5d98cd7ca46d5035a57bcd995df614c14e1
EUVD ID Assigned
Apr 03, 2026 - 15:30 euvd
EUVD-2026-18766
Analysis Generated
Apr 03, 2026 - 15:30 vuln.today
CVE Published
Apr 03, 2026 - 15:15 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

smb: client: fix krb5 mount with username option

Customer reported that some of their krb5 mounts were failing against a single server as the client was trying to mount the shares with wrong credentials. It turned out the client was reusing SMB session from first mount to try mounting the other shares, even though a different username= option had been specified to the other mounts.

By using username mount option along with sec=krb5 to search for principals from keytab is supported by cifs.upcall(8) since cifs-utils-4.8. So fix this by matching username mount option in match_session() even with Kerberos.

For example, the second mount below should fail with -ENOKEY as there is no 'foobar' principal in keytab (/etc/krb5.keytab). The client ends up reusing SMB session from first mount to perform the second one, which is wrong.

$ ktutil
ktutil:  add_entry -password -p testuser -k 1 -e aes256-cts
Password for testuser@ZELDA.TEST:
ktutil:  write_kt /etc/krb5.keytab
ktutil:  quit
$ klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
 ---- ----------------------------------------------------------------
   1 testuser@ZELDA.TEST (aes256-cts-hmac-sha1-96)
$ mount.cifs //w22-root2/scratch /mnt/1 -o sec=krb5,username=testuser
$ mount.cifs //w22-root2/scratch /mnt/2 -o sec=krb5,username=foobar
$ mount -t cifs | grep -Po 'username=\K\w+'
testuser
testuser

AnalysisAI

Linux kernel SMB client incorrectly reuses Kerberos authentication sessions across multiple mounts with different username options, allowing an attacker or misconfigured system to access shares using unintended credentials. The vulnerability affects CIFS/SMB mounting with Kerberos (sec=krb5) when the username mount option is specified; the kernel fails to validate that the username parameter matches the authenticated session, causing subsequent mounts to inherit the first mount's credentials rather than failing with ENOKEY when the requested principal is absent from the keytab. This is a session management flaw that enables credential confusion and potential unauthorized share access.

Technical ContextAI

The Linux kernel's CIFS (Common Internet File System) client implements SMB session matching via the match_session() function to determine whether an existing authenticated session can be reused for subsequent mounts. Kerberos (krb5) authentication delegates credential lookup to user-space utilities such as cifs.upcall(8), which has supported principal lookup from keytab files using the username mount option since cifs-utils version 4.8. However, the session matching logic did not account for the username parameter when evaluating session eligibility under Kerberos authentication, treating all krb5-authenticated sessions as interchangeable regardless of the principal name. This violates the principle of least privilege and allows unintended principal reuse. The root cause is a missing validation step in session reuse that applies to other authentication methods (e.g., NTLM) but was omitted for Kerberos, creating an inconsistent security boundary.

RemediationAI

Update to a patched Linux kernel version that includes one or more of the upstream fixes: commit fd4547830720647d4af02ee50f883c4b1cca06e4 and related commits in the stable kernel branches. Consult your Linux distribution's security advisory for the specific patched kernel version (e.g., RHEL, Ubuntu kernel updates, stable kernel releases). Interim workaround: avoid reusing the same mount point or ensure mount commands explicitly specify unique username parameters and verify mounted shares match intended principals by inspecting mount output (mount -t cifs | grep username). Additionally, restrict CIFS mount privileges to trusted users and verify Kerberos principal configuration in /etc/krb5.keytab to ensure only intended principals are present. See upstream stable kernel references at https://git.kernel.org/stable/ for detailed patch information.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-31392 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy