CVE-2026-31392
Received Received - Intake
SMB Session Reuse Vulnerability in Linux Kernel CIFS Client

Publication date: 2026-04-03

Last updated on: 2026-04-27

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: smb: client: fix krb5 mount with username option Customer reported that some of their krb5 mounts were failing against a single server as the client was trying to mount the shares with wrong credentials. It turned out the client was reusing SMB session from first mount to try mounting the other shares, even though a different username= option had been specified to the other mounts. By using username mount option along with sec=krb5 to search for principals from keytab is supported by cifs.upcall(8) since cifs-utils-4.8. So fix this by matching username mount option in match_session() even with Kerberos. For example, the second mount below should fail with -ENOKEY as there is no 'foobar' principal in keytab (/etc/krb5.keytab). The client ends up reusing SMB session from first mount to perform the second one, which is wrong. ``` $ ktutil ktutil: add_entry -password -p testuser -k 1 -e aes256-cts Password for [email protected]: ktutil: write_kt /etc/krb5.keytab ktutil: quit $ klist -ke Keytab name: FILE:/etc/krb5.keytab KVNO Principal ---- ---------------------------------------------------------------- 1 [email protected] (aes256-cts-hmac-sha1-96) $ mount.cifs //w22-root2/scratch /mnt/1 -o sec=krb5,username=testuser $ mount.cifs //w22-root2/scratch /mnt/2 -o sec=krb5,username=foobar $ mount -t cifs | grep -Po 'username=\K\w+' testuser testuser ```
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-03
Last Modified
2026-04-27
Generated
2026-05-06
AI Q&A
2026-04-03
EPSS Evaluated
2026-05-05
NVD
CVE-2026-31392
EUVD
EUVD-2026-18766
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
samba cifs-utils 4.8
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability occurs in the Linux kernel's SMB client when using Kerberos (krb5) mounts with the username option. The client incorrectly reuses an existing SMB session from a previous mount even when a different username is specified for a new mount. This causes the client to attempt mounting shares with wrong credentials.

The issue arises because the client does not properly match the username option when establishing a new session with Kerberos authentication, leading to incorrect reuse of sessions. The fix involves ensuring that the username mount option is matched correctly in the session matching function, preventing reuse of sessions with different usernames.


How can this vulnerability impact me? :

This vulnerability can cause mounts to fail or succeed incorrectly by using wrong credentials. Specifically, it may allow a client to reuse an SMB session authenticated with one username to access shares intended for a different username, potentially leading to authentication errors or unauthorized access attempts.

In practical terms, this means that when mounting multiple SMB shares with different usernames using Kerberos authentication, the client might not properly isolate sessions per username, causing access failures or security issues related to credential reuse.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by checking if SMB mounts using the sec=krb5 option with different username= options are incorrectly reusing the same SMB session, leading to mount failures or incorrect credential usage.

One way to detect this is by mounting CIFS shares with different usernames and verifying if the mounts are using the correct credentials or if the session is being reused improperly.

Example commands to test this behavior include:

  • Use ktutil to add entries to the keytab and verify them with klist -ke.
  • Mount CIFS shares with different usernames using mount.cifs with options sec=krb5 and username=.
  • Check the mounted shares and their usernames with: mount -t cifs | grep -Po 'username=\K\w+'.

What immediate steps should I take to mitigate this vulnerability?

The vulnerability has been fixed by ensuring that the username mount option is matched in the SMB session even when using Kerberos (sec=krb5).

To mitigate this vulnerability immediately, update your Linux kernel and cifs-utils package to versions that include this fix (cifs-utils-4.8 or later).

Ensure that your mounts using sec=krb5 with different username options do not reuse SMB sessions incorrectly by applying the patch or updated software.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart