{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23303", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.993Z", "datePublished": "2026-03-25T10:26:58.166Z", "dateUpdated": "2026-05-11T22:04:16.573Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:04:16.573Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: Don't log plaintext credentials in cifs_set_cifscreds\n\nWhen debug logging is enabled, cifs_set_cifscreds() logs the key\npayload and exposes the plaintext username and password. Remove the\ndebug log to avoid exposing credentials."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/smb/client/connect.c"], "versions": [{"version": "8a8798a5ff90977d6459ce1d657cf8fe13a51e97", "lessThan": "e5a3b11e07b335006371915b2da47b6056c9e3bc", "status": "affected", "versionType": "git"}, {"version": "8a8798a5ff90977d6459ce1d657cf8fe13a51e97", "lessThan": "54c570de9a35860dfa85fe668f23ddfda8cc7e26", "status": "affected", "versionType": "git"}, {"version": "8a8798a5ff90977d6459ce1d657cf8fe13a51e97", "lessThan": "ff0ece8ed04180c52167c003362284b23cf54e8d", "status": "affected", "versionType": "git"}, {"version": "8a8798a5ff90977d6459ce1d657cf8fe13a51e97", "lessThan": "3990f352bb0adc8688d0949a9c13e3110570eb61", "status": "affected", "versionType": "git"}, {"version": "8a8798a5ff90977d6459ce1d657cf8fe13a51e97", "lessThan": "b746a357abfb8fdb0a171d51ec5091e786d34be1", "status": "affected", "versionType": "git"}, {"version": "8a8798a5ff90977d6459ce1d657cf8fe13a51e97", "lessThan": "2ef0fc3bf49db2b9df36d5f44508c9e384bfa2a1", "status": "affected", "versionType": "git"}, {"version": "8a8798a5ff90977d6459ce1d657cf8fe13a51e97", "lessThan": "3e182701db612ddd794ccd5ed822e6cc1db2b972", "status": "affected", "versionType": "git"}, {"version": "8a8798a5ff90977d6459ce1d657cf8fe13a51e97", "lessThan": "2f37dc436d4e61ff7ae0b0353cf91b8c10396e4d", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/smb/client/connect.c"], "versions": [{"version": "3.3", "status": "affected"}, {"version": "0", "lessThan": "3.3", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.253", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.203", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.167", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.130", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.77", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.17", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.7", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.3", "versionEndExcluding": "5.10.253"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.3", "versionEndExcluding": "5.15.203"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.3", "versionEndExcluding": "6.1.167"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.3", "versionEndExcluding": "6.6.130"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.3", "versionEndExcluding": "6.12.77"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.3", "versionEndExcluding": "6.18.17"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.3", "versionEndExcluding": "6.19.7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.3", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/e5a3b11e07b335006371915b2da47b6056c9e3bc"}, {"url": "https://git.kernel.org/stable/c/54c570de9a35860dfa85fe668f23ddfda8cc7e26"}, {"url": "https://git.kernel.org/stable/c/ff0ece8ed04180c52167c003362284b23cf54e8d"}, {"url": "https://git.kernel.org/stable/c/3990f352bb0adc8688d0949a9c13e3110570eb61"}, {"url": "https://git.kernel.org/stable/c/b746a357abfb8fdb0a171d51ec5091e786d34be1"}, {"url": "https://git.kernel.org/stable/c/2ef0fc3bf49db2b9df36d5f44508c9e384bfa2a1"}, {"url": "https://git.kernel.org/stable/c/3e182701db612ddd794ccd5ed822e6cc1db2b972"}, {"url": "https://git.kernel.org/stable/c/2f37dc436d4e61ff7ae0b0353cf91b8c10396e4d"}], "title": "smb: client: Don't log plaintext credentials in cifs_set_cifscreds", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: Don't log plaintext credentials in cifs_set_cifscreds\n\nWhen debug logging is enabled, cifs_set_cifscreds() logs the key\npayload and exposes the plaintext username and password. Remove the\ndebug log to avoid exposing credentials."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nsmb: cliente: No registrar credenciales en texto plano en cifs_set_cifscreds\n\nCuando el registro de depuraci\u00f3n est\u00e1 habilitado, cifs_set_cifscreds() registra la carga \u00fatil de la clave y expone el nombre de usuario y la contrase\u00f1a en texto plano. Eliminar el registro de depuraci\u00f3n para evitar exponer credenciales."}], "id": "CVE-2026-23303", "lastModified": "2026-04-18T09:16:18.073", "metrics": {}, "published": "2026-03-25T11:16:26.060", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/2ef0fc3bf49db2b9df36d5f44508c9e384bfa2a1"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/2f37dc436d4e61ff7ae0b0353cf91b8c10396e4d"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/3990f352bb0adc8688d0949a9c13e3110570eb61"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/3e182701db612ddd794ccd5ed822e6cc1db2b972"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/54c570de9a35860dfa85fe668f23ddfda8cc7e26"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/b746a357abfb8fdb0a171d51ec5091e786d34be1"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/e5a3b11e07b335006371915b2da47b6056c9e3bc"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/ff0ece8ed04180c52167c003362284b23cf54e8d"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: smb: client: Don't log plaintext credentials in cifs_set_cifscreds", "id": "2451217", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451217"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-256", "details": ["A flaw was found in the Linux kernel's Server Message Block (SMB) client. When debug logging is enabled, the cifs_set_cifscreds() function logs plaintext credentials, including usernames and passwords. This information disclosure vulnerability allows a local attacker with access to the debug logs to retrieve sensitive authentication details. The primary consequence is the exposure of user credentials, which could lead to unauthorized access to SMB resources."], "name": "CVE-2026-23303", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-25T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23303\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23303\nhttps://lore.kernel.org/linux-cve-announce/2026032527-CVE-2026-23303-8e38@gregkh/T"], "threat_severity": "Low"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[8a8798a5ff90977d6459ce1d657cf8fe13a51e97,ff0ece8ed04180c52167c003362284b23cf54e8d)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[8a8798a5ff90977d6459ce1d657cf8fe13a51e97,3990f352bb0adc8688d0949a9c13e3110570eb61)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[8a8798a5ff90977d6459ce1d657cf8fe13a51e97,3e182701db612ddd794ccd5ed822e6cc1db2b972)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[8a8798a5ff90977d6459ce1d657cf8fe13a51e97,b746a357abfb8fdb0a171d51ec5091e786d34be1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[8a8798a5ff90977d6459ce1d657cf8fe13a51e97,2ef0fc3bf49db2b9df36d5f44508c9e384bfa2a1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[8a8798a5ff90977d6459ce1d657cf8fe13a51e97,2f37dc436d4e61ff7ae0b0353cf91b8c10396e4d)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "3.3"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,3.3)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.1.167,6.2.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.6.130,6.7.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.77,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.17,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.7,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0-rc2,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-03-26T14:04:00.788268+00:00", "value": {"mitigation_remediation": ["Update the Linux kernel to the latest version that includes the fix for this SMB credential logging issue", "If updating is not immediately possible, disable SMB debug logging to prevent credentials from being written to logs", "Verify that debug logging remains disabled by inspecting log files and system settings"], "summary": {"action": "Patch or Disable", "impact": "Exposure of plaintext credentials through debug logs"}, "threat_synthesis": {"affected_systems": "All Linux kernel releases that include CIFS/SMB support are potentially affected. No specific version range is provided, so any kernel version prior to the applied fix may be vulnerable until a patch is installed.", "description_and_impact": "The Linux kernel contains a flaw in the SMB client where credentials supplied to the CIFS filesystem are inadvertently written to debug output. When debug logging is turned on, cifs_set_cifscreds() logs the key payload exposing the plaintext username and password. This results in potential information disclosure of authentication credentials to anyone who can read the kernel logs.", "risk_and_exploitability": "The CVSS base score of 5.5 indicates moderate severity, while the EPSS score is below 1\u202f% and the vulnerability is not listed in the CISA KEV catalog, suggesting limited exploitation likelihood. The attack vector is most likely local; an adversary with the ability to enable debug logging or read kernel logs could obtain credentials. The published fix removes the debug log entry, eliminating the disclosure path."}}}}, "created": "2026-03-25T21:15:27.281729+00:00", "updated": "2026-03-27T09:50:03.523530+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}