HIGH · CVE-2026-46243 · CNA: Linux

CVE-2026-46243: smb: client: reject userspace cifs.spnego descriptions

In the Linux kernel, the following vulnerability has been resolved:

smb: client: reject userspace cifs.spnego descriptions

cifs.spnego key descriptions contain authority-bearing fields such as pid, uid, creduid, and upcall_target that cifs.upcall treats as kernel-originating inputs. However, userspace can also create keys of this type through request_key(2) or add_key(2), allowing those fields to be supplied without CIFS origin. Only accept cifs.spnego descriptions while CIFS is using its private spnego_cred to request the key.

Metrics

  • CVSS v3.1: 7.8
  • Severity: HIGH
  • Fixed in: 0
  • Affected Products: 2


HarborGuard Analysis

Synopsis

This is a local privilege escalation vulnerability in the Linux kernel's SMB (CIFS) client. A local attacker with a low-privilege account can exploit it by creating cifs.spnego keys through the userspace request_key(2) or add_key(2) syscalls, supplying the authority-bearing description fields (pid, uid, creduid, upcall_target) that the cifs.upcall helper treats as trusted, kernel-originating input. Successful exploitation gives the attacker full read, write, and crash capability (CVSS C:H/I:H/A:H) over the affected system. Patched-image rebuilds at the identified fix commits and version 5.10.258 are available on HarborGuard for environments running an affected kernel version.

HarborGuard Coverage

Detection (Available)

Detection of CVE-2026-46243 is available across every HarborGuard environment: the CVE is ingested from upstream Linux kernel security feeds within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including custom-built images that bundle an affected kernel or kernel modules.

Triage (Available)

HarborGuard is capable of scoring this CVE at CVSS 7.8 (HIGH, v3.1) and weighting it against each environment's compliance policy to determine urgency. Triage results are routed to the appropriate team inbox within each customer organization based on configured ownership rules.

Patch (Available)

A patched-image rebuild targeting the fix commits (including the 5.10.258 stable release) becomes available on HarborGuard once the upstream fix is confirmed; for customers who opt into auto-remediation, this triggers an automated rebuild, a regression-test run, and a pull request opened against affected workloads. Where compliance policy permits auto-remediation, median time from CVE publication to a merged patch PR for high-severity issues is around 90 minutes.

Exploit Conditions

  • Network reachability: Not required

    The attacker needs an existing shell or process on the host; no network exposure is required.

  • Authentication: Required

    Any low-privilege local account is sufficient; no administrative rights are needed to call request_key(2) or add_key(2).

  • Victim interaction: Not required

    The exploit executes without requiring any action from another user or an administrator.

  • Attack complexity: Low

    The exploit is reliable and condition-free; no race conditions or specific memory layout requirements must be satisfied.

Blast Radius

  • Reads sensitive credential material, including uid, pid, and authentication tokens stored in CIFS spnego keys.
  • Modifies authority-bearing key fields that the kernel trusts as kernel-originating, enabling credential substitution or privilege escalation.
  • Crashes or destabilizes the affected host through kernel-level memory or state corruption reachable via the injected key data.
  • Compromises the confidentiality, integrity, and availability of any filesystems mounted over SMB/CIFS on the affected host.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-46243 runs against all images in customer registries and pipelines within minutes of feed ingestion, including custom-built images that package an affected Linux kernel. For customers who opt into auto-remediation, a patched-image rebuild targeting the upstream fix commits and stable version 5.10.258 becomes available, followed by an automated regression-test run and a pull request opened against affected workloads. Where compliance policy permits, median time from CVE publication to a merged patch PR for high-severity issues is around 90 minutes. Customers who have not opted into auto-remediation will see the rebuilt image listed as available in the HarborGuard dashboard and can promote it manually. As an interim compensating control, restricting unprivileged access to the add_key(2) and request_key(2) syscalls via seccomp policy or Linux Security Module rules limits the attack surface until a patched image is deployed.
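The interim compensating control mentioned above (denying unprivileged processes the add_key(2) and request_key(2) syscalls) can be expressed as a seccomp-BPF filter. The program below is an added example written for this page; it is not HarborGuard's tooling or kernel code, the function names install_keyring_filter and probe_add_key are hypothetical, and it assumes a Linux x86_64 or aarch64 host. It installs a filter that returns EPERM for the two syscalls (and kills the process if it is ever run under a foreign syscall ABI), then probes the keyring to confirm the filter took effect:

```c
/* Added example (not from the page or the kernel): a seccomp-BPF filter that
 * denies add_key(2) and request_key(2) with EPERM for the calling process and
 * everything it forks. Function names are hypothetical. Linux-only. */
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#if defined(__x86_64__)
#define ARCH_NR AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define ARCH_NR AUDIT_ARCH_AARCH64
#else
#error "add an AUDIT_ARCH_* constant for this architecture"
#endif

#ifndef SECCOMP_RET_KILL_PROCESS            /* pre-4.14 UAPI headers */
#define SECCOMP_RET_KILL_PROCESS SECCOMP_RET_KILL
#endif
#ifndef KEY_SPEC_PROCESS_KEYRING            /* from <linux/keyctl.h> */
#define KEY_SPEC_PROCESS_KEYRING (-2)
#endif

/* Install the filter. Returns 0 on success, -1 with errno set on failure. */
int install_keyring_filter(void)
{
    struct sock_filter filter[] = {
        /* 0: load the arch; 1: if it matches, skip the kill; 2: otherwise kill,
         * because syscall numbers differ between ABIs and must not be trusted. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
        /* 3: load the syscall number. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        /* 4: add_key -> jump to 6 (EPERM); 5: request_key -> fall into 6,
         * anything else -> jump to 7 (allow). */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_add_key, 1, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_request_key, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = {
        .len = (unsigned short)(sizeof(filter) / sizeof(filter[0])),
        .filter = filter,
    };

    /* Without CAP_SYS_ADMIN a filter may only be installed once the process
     * has committed to never gaining privileges via execve. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0)
        return -1;
    return 0;
}

/* Try to add a harmless "user" key to the process keyring. Returns the errno
 * on failure (EPERM once the filter is active) or 0 if the key was created. */
int probe_add_key(void)
{
    long r = syscall(SYS_add_key, "user", "keyring-probe", "x", (size_t)1,
                     (long)KEY_SPEC_PROCESS_KEYRING);
    return r < 0 ? errno : 0;
}

int main(void)
{
    if (install_keyring_filter() != 0) {
        perror("install_keyring_filter");
        return 1;
    }
    int err = probe_add_key();
    printf("add_key(2) after filter: %s\n",
           err ? strerror(err) : "succeeded (filter not effective)");
    return err == EPERM ? 0 : 1;
}
```

The filter binds the calling process and its descendants, so it belongs at a workload's entrypoint (or in the container runtime's seccomp profile; Docker's default profile already denies add_key, request_key and keyctl). Scope it to workloads that do not need the kernel keyring: software that legitimately stores credentials there, such as KEYRING-type Kerberos credential caches, will start failing with EPERM under it.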


Fix available

  • Fix commits: 0aece6685fc80a8de492688ca2315fb86ec379c7, 2035acfb17221729b1b8ac335e941868a04ca079, 3da1fdf4efbc490041eb4f836bf596201203f8f2, 7713bd320ed4fc3d08a227cd8e41242219a16981, 91f89c1d83e80417629791fcef6af8140d7d01c8, 9544559e59438a4b609b2fdfa0763d8360572824, a3bbda6502a9398b816fa2e71c9a3f955f58013d, cf20038657d6d4974349556a34e08fe0490bebbc
  • Fixed versions: 0, 5.10.258, 5.15.209, 6.1.175, 6.6.142, 6.12.92, 6.18.34, 7.0.11, 7.1-rc5

Affected packages

  • Linux / Linux (git ranges): affected from f1d662a7d5e5322e583aad6b3cfec03d8f27b435, fixed before each of 7713bd320ed4fc3d08a227cd8e41242219a16981, 9544559e59438a4b609b2fdfa0763d8360572824, cf20038657d6d4974349556a34e08fe0490bebbc, 2035acfb17221729b1b8ac335e941868a04ca079, a3bbda6502a9398b816fa2e71c9a3f955f58013d and 91f89c1d83e80417629791fcef6af8140d7d01c8
  • Linux / Linux (versions): affected from 2.6.24; fixed in 0, 5.10.258, 5.15.209, 6.1.175, 6.6.142, 6.12.92, 6.18.34, 7.0.11, 7.1-rc5
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H