{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31392", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-03-09T15:48:24.085Z", "datePublished": "2026-04-03T15:15:57.491Z", "dateUpdated": "2026-05-11T22:07:48.722Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:07:48.722Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix krb5 mount with username option\n\nCustomer reported that some of their krb5 mounts were failing against\na single server as the client was trying to mount the shares with\nwrong credentials. It turned out the client was reusing SMB session\nfrom first mount to try mounting the other shares, even though a\ndifferent username= option had been specified to the other mounts.\n\nBy using username mount option along with sec=krb5 to search for\nprincipals from keytab is supported by cifs.upcall(8) since\ncifs-utils-4.8. So fix this by matching username mount option in\nmatch_session() even with Kerberos.\n\nFor example, the second mount below should fail with -ENOKEY as there\nis no 'foobar' principal in keytab (/etc/krb5.keytab). The client\nends up reusing SMB session from first mount to perform the second\none, which is wrong.\n\n```\n$ ktutil\nktutil: add_entry -password -p testuser -k 1 -e aes256-cts\nPassword for testuser@ZELDA.TEST:\nktutil: write_kt /etc/krb5.keytab\nktutil: quit\n$ klist -ke\nKeytab name: FILE:/etc/krb5.keytab\nKVNO Principal\n ---- ----------------------------------------------------------------\n 1 testuser@ZELDA.TEST (aes256-cts-hmac-sha1-96)\n$ mount.cifs //w22-root2/scratch /mnt/1 -o sec=krb5,username=testuser\n$ mount.cifs //w22-root2/scratch /mnt/2 -o sec=krb5,username=foobar\n$ mount -t cifs | grep -Po 'username=\\K\\w+'\ntestuser\ntestuser\n```"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L", "baseScore": 8.1, "baseSeverity": "HIGH"}}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/smb/client/connect.c"], "versions": [{"version": "4ff67b720c02c36e54d55b88c2931879b7db1cd2", "lessThan": "fd4547830720647d4af02ee50f883c4b1cca06e4", "status": "affected", "versionType": "git"}, {"version": "4ff67b720c02c36e54d55b88c2931879b7db1cd2", "lessThan": "9229709ec8bf85ae7ca53aeee9aa14814cdc1bd2", "status": "affected", "versionType": "git"}, {"version": "4ff67b720c02c36e54d55b88c2931879b7db1cd2", "lessThan": "d33cbf0bf8979d779900da9be2505d68d9d8da25", "status": "affected", "versionType": "git"}, {"version": "4ff67b720c02c36e54d55b88c2931879b7db1cd2", "lessThan": "9ee803bfdba0cf739038dbdabdd4c02582c8f2b2", "status": "affected", "versionType": "git"}, {"version": "4ff67b720c02c36e54d55b88c2931879b7db1cd2", "lessThan": "6e9ff1eb7feedcf46ff2d0503759960ab58e7775", "status": "affected", "versionType": "git"}, {"version": "4ff67b720c02c36e54d55b88c2931879b7db1cd2", "lessThan": "12b4c5d98cd7ca46d5035a57bcd995df614c14e1", "status": "affected", "versionType": "git"}, {"version": "223c7f082d2836ac719b3b228bdcfab35e5e5330", "status": "affected", "versionType": "git"}, {"version": "88720224330a655ab6268e20109b65b11cfd7f6a", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/smb/client/connect.c"], "versions": [{"version": "2.6.36", "status": "affected"}, {"version": "0", "lessThan": "2.6.36", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.167", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.130", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.78", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.20", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.10", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.36", "versionEndExcluding": "6.1.167"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.36", "versionEndExcluding": "6.6.130"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.36", "versionEndExcluding": "6.12.78"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.36", "versionEndExcluding": "6.18.20"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.36", "versionEndExcluding": "6.19.10"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.36", "versionEndExcluding": "7.0"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.32.44"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.34.12"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/fd4547830720647d4af02ee50f883c4b1cca06e4"}, {"url": "https://git.kernel.org/stable/c/9229709ec8bf85ae7ca53aeee9aa14814cdc1bd2"}, {"url": "https://git.kernel.org/stable/c/d33cbf0bf8979d779900da9be2505d68d9d8da25"}, {"url": "https://git.kernel.org/stable/c/9ee803bfdba0cf739038dbdabdd4c02582c8f2b2"}, {"url": "https://git.kernel.org/stable/c/6e9ff1eb7feedcf46ff2d0503759960ab58e7775"}, {"url": "https://git.kernel.org/stable/c/12b4c5d98cd7ca46d5035a57bcd995df614c14e1"}], "title": "smb: client: fix krb5 mount with username option", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix krb5 mount with username option\n\nCustomer reported that some of their krb5 mounts were failing against\na single server as the client was trying to mount the shares with\nwrong credentials. It turned out the client was reusing SMB session\nfrom first mount to try mounting the other shares, even though a\ndifferent username= option had been specified to the other mounts.\n\nBy using username mount option along with sec=krb5 to search for\nprincipals from keytab is supported by cifs.upcall(8) since\ncifs-utils-4.8. So fix this by matching username mount option in\nmatch_session() even with Kerberos.\n\nFor example, the second mount below should fail with -ENOKEY as there\nis no 'foobar' principal in keytab (/etc/krb5.keytab). The client\nends up reusing SMB session from first mount to perform the second\none, which is wrong.\n\n```\n$ ktutil\nktutil: add_entry -password -p testuser -k 1 -e aes256-cts\nPassword for testuser@ZELDA.TEST:\nktutil: write_kt /etc/krb5.keytab\nktutil: quit\n$ klist -ke\nKeytab name: FILE:/etc/krb5.keytab\nKVNO Principal\n ---- ----------------------------------------------------------------\n 1 testuser@ZELDA.TEST (aes256-cts-hmac-sha1-96)\n$ mount.cifs //w22-root2/scratch /mnt/1 -o sec=krb5,username=testuser\n$ mount.cifs //w22-root2/scratch /mnt/2 -o sec=krb5,username=foobar\n$ mount -t cifs | grep -Po 'username=\\K\\w+'\ntestuser\ntestuser\n```"}], "id": "CVE-2026-31392", "lastModified": "2026-04-27T14:16:35.347", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 1.5, "impactScore": 6.0, "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary"}]}, "published": "2026-04-03T16:16:37.300", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/12b4c5d98cd7ca46d5035a57bcd995df614c14e1"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/6e9ff1eb7feedcf46ff2d0503759960ab58e7775"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/9229709ec8bf85ae7ca53aeee9aa14814cdc1bd2"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/9ee803bfdba0cf739038dbdabdd4c02582c8f2b2"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/d33cbf0bf8979d779900da9be2505d68d9d8da25"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/fd4547830720647d4af02ee50f883c4b1cca06e4"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: smb: client: fix krb5 mount with username option", "id": "2454853", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2454853"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.8", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H", "status": "draft"}, "cwe": "CWE-488", "details": ["A flaw was found in the Linux kernel's Server Message Block (SMB) client. A local attacker, by attempting to mount SMB shares using Kerberos (sec=krb5) with a specified username, could cause the client to incorrectly reuse an existing SMB session. This session reuse occurs even when a different username is provided for subsequent mounts, potentially leading to an authentication bypass where shares are accessed with unintended credentials."], "name": "CVE-2026-31392", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-03T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-31392\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31392\nhttps://lore.kernel.org/linux-cve-announce/2026040324-CVE-2026-31392-7952@gregkh/T"], "statement": "This is an authentication bypass vulnerability where SMB shares may be accessed with incorrect credentials due to improper session matching. A local user performing multiple Kerberos-authenticated SMB mounts with different usernames may inadvertently access shares using credentials from a previous mount. This could lead to unauthorized access to network resources.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,fd4547830720647d4af02ee50f883c4b1cca06e4)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,9229709ec8bf85ae7ca53aeee9aa14814cdc1bd2)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,d33cbf0bf8979d779900da9be2505d68d9d8da25)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,9ee803bfdba0cf739038dbdabdd4c02582c8f2b2)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,6e9ff1eb7feedcf46ff2d0503759960ab58e7775)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,12b4c5d98cd7ca46d5035a57bcd995df614c14e1)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.1.167,6.1.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.6.130,6.6.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.12.78,6.12.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.18.20,6.18.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0-rc5,*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.19.10,6.19.*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-28T08:50:52.732965+00:00", "value": {"mitigation_remediation": ["Update the Linux kernel to the latest stable release that includes the fix for SMB client Kerberos session handling.", "Verify that all mount.cifs commands explicitly specify the desired username= option and that the client does not automatically reuse sessions.", "If an immediate kernel upgrade is not feasible, restrict or disable Kerberos authentication for CIFS mounts or enforce explicit keytab verification for each mount operation.", "Continuously monitor mount logs for repeated failures with ENOKEY or for evidence of session reuse to detect potential misuse."], "summary": {"action": "Patch Immediately", "impact": "Unauthorized access due to Kerberos session reuse in SMB client"}, "threat_synthesis": {"affected_systems": "All Linux kernel installations that have not incorporated the recent patch are affected. The issue exists in the generic Linux OS, specifically the SMB client component used for CIFS/SMB mounts. No particular upstream vendor or kernel release is singled out beyond the generic Linux kernel; any system running a kernel older than the patched commit is potentially vulnerable.", "description_and_impact": "The Linux kernel SMB client contains a flaw where match_session() incorrectly reuses an existing Kerberos\u2011authenticated SMB session even when a different username= option is specified. As a result, a mount that supplies a new Kerberos principal continues to authenticate with the original principal, allowing a user to access shares with an unintended identity. This bypasses authentication controls and can expose sensitive data, effectively granting unauthorized operations. The weakness is classified as CWE-488.", "risk_and_exploitability": "The CVSS score of 8.1 indicates high severity, and the EPSS score of less than 1% indicates a low likelihood of exploitation in the wild. The flaw does not provide remote code execution; exploitation requires an attacker to influence mount operations on a client machine or to compromise a SMB server that accepts the reused session. The vulnerability is not listed in the CISA KEV catalog, suggesting no known active attacks at present. Nevertheless, administrators should treat this as a high risk that permits unauthorized access to shared resources and should patch promptly."}}}}, "created": "2026-04-03T21:15:35.040589+00:00", "updated": "2026-04-28T09:00:06.522579+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}