CVE-2026-46243
Analyzed - Analysis Complete
Linux Kernel SMB Client SPNEGO Key Validation Bypass

Publication date: 2026-06-01

Last updated on: 2026-06-09

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

smb: client: reject userspace cifs.spnego descriptions

cifs.spnego key descriptions contain authority-bearing fields such as pid, uid, creduid, and upcall_target that cifs.upcall treats as kernel-originating inputs. However, userspace can also create keys of this type through request_key(2) or add_key(2), allowing those fields to be supplied without CIFS origin.

Only accept cifs.spnego descriptions while CIFS is using its private spnego_cred to request the key.

Meta Information
Published: 2026-06-01
Last Modified: 2026-06-09
Generated: 2026-06-21
AI Q&A: 2026-06-01
EPSS Evaluated: 2026-06-20

Affected Vendors & Products
Showing 18 associated CPEs
Vendor Product Version / Range
linux linux_kernel 2.6.24
linux linux_kernel 2.6.24
linux linux_kernel 2.6.24
linux linux_kernel 2.6.24
linux linux_kernel 2.6.24
linux linux_kernel 2.6.24
linux linux_kernel 2.6.24
linux linux_kernel 7.1
linux linux_kernel 7.1
linux linux_kernel 7.1
linux linux_kernel 7.1
linux linux_kernel From 5.16 (inc) to 6.1.175 (exc)
linux linux_kernel From 5.11 (inc) to 5.15.209 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.92 (exc)
linux linux_kernel From 6.13 (inc) to 6.18.34 (exc)
linux linux_kernel From 2.6.24.1 (inc) to 5.10.258 (exc)
linux linux_kernel From 6.19 (inc) to 7.0.11 (exc)
linux linux_kernel From 6.2 (inc) to 6.6.142 (exc)
CWE ID Description
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Executive Summary

This vulnerability exists in the Linux kernel's SMB client implementation related to handling cifs.spnego key descriptions.

The cifs.spnego key descriptions include authority-bearing fields such as pid, uid, creduid, and upcall_target, which cifs.upcall assumes are only provided by the kernel itself.

However, userspace programs can create keys of this type using system calls like request_key(2) or add_key(2), allowing them to supply these authority-bearing fields without going through the CIFS kernel origin.

The vulnerability was resolved by accepting cifs.spnego descriptions only while CIFS is using its private spnego_cred to request the key.

Impact Analysis

This vulnerability could allow userspace processes to supply forged authority-bearing fields to the kernel's SMB client, potentially leading to unauthorized access or privilege escalation within the CIFS subsystem.

By accepting user-supplied cifs.spnego key descriptions without proper validation, the kernel might trust incorrect identity or credential information, which could impact system security.

Compliance Impact

The vulnerability CVE-2026-46243 allows local privilege escalation by enabling userspace to supply unauthorized key descriptions that the kernel treats as originating from the kernel itself. This can lead to unauthorized access and potential compromise of system integrity.

Such unauthorized privilege escalation and potential data exposure can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require strict controls over access to sensitive data and system integrity.

Failure to patch this vulnerability could result in violations of these regulations due to unauthorized access or modification of protected data.

Detection Guidance

Detection of CVE-2026-46243 involves monitoring the behavior of the cifs.upcall process and checking for unauthorized or suspicious loading of NSS modules or keys with cifs.spnego descriptions created from userspace.

One approach is to look for unusual keys created via request_key(2) or add_key(2) system calls that contain cifs.spnego descriptions with authority-bearing fields such as pid, uid, creduid, and upcall_target.

Commands that may help include:

  • Use `keyctl list @u` to list keys in the user keyring and inspect for suspicious cifs.spnego keys.
  • Monitor the cifs.upcall process with `ps aux | grep cifs.upcall` to check if it is running and investigate its loaded libraries.
  • Check loaded NSS modules in standard directories (e.g., /lib/x86_64-linux-gnu/) for unexpected or recently modified files.
  • Use system auditing tools like `auditd` to track the request_key(2) and add_key(2) system calls.
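
The keyring inspection described above can be scripted. The following is an added example, not part of the original advisory or of the kernel project: it parses /proc/keys-format lines, extracts the authority-bearing fields from each cifs.spnego description, and flags keys not owned by UID 0. The function names, the sample lines and the UID 0 heuristic (that keys CIFS requests under its private spnego_cred are root-owned) are assumptions.

```shell
#!/bin/sh
# Added example (not from the advisory): triage cifs.spnego keys.
# Input format is /proc/keys: ID FLAGS USAGE TIMEOUT PERM UID GID TYPE DESC: SUMMARY
# Assumption: keys CIFS requests under its private spnego_cred are owned by
# UID 0, so a cifs.spnego key owned by any other UID deserves a closer look.

scan_spnego_keys() {
    # Reads the named files, or stdin when no file is given.
    awk '
    $8 == "cifs.spnego" {
        desc = $9
        sub(/:$/, "", desc)              # drop the colon that ends the description
        split("", f)                     # reset the parsed fields
        n = split(desc, kv, ";")
        for (i = 1; i <= n; i++) {
            eq = index(kv[i], "=")
            if (eq) f[substr(kv[i], 1, eq - 1)] = substr(kv[i], eq + 1)
        }
        status = ($6 + 0 == 0) ? "ok" : "SUSPECT"
        printf "%s owner_uid=%s %s uid=%s creduid=%s pid=%s upcall_target=%s\n",
               $1, $6, status, f["uid"], f["creduid"], f["pid"], f["upcall_target"]
    }' "$@"
}

# Constructed sample lines (hypothetical key IDs, host and users).
sample_keys() {
    cat <<'EOF'
1a2b3c4d I--Q---     1 perm 3f010000     0     0 cifs.spnego ver=0x2;host=fs01.example.test;ip4=192.0.2.10;sec=krb5;uid=0x3e8;creduid=0x3e8;user=alice;pid=0x4d2;upcall_target=app: 11
2b3c4d5e I--Q---     1 perm 3f010000  1000  1000 cifs.spnego ver=0x2;host=fs01.example.test;ip4=192.0.2.10;sec=krb5;uid=0x0;creduid=0x0;pid=0x1;upcall_target=mount: 4
3c4d5e6f I--Q---     2 perm 3f030000  1000  1000 keyring   _ses: 1
EOF
}

# Demo on the constructed sample; on a live host run as root:
#   scan_spnego_keys /proc/keys
sample_keys | scan_spnego_keys
```

/proc/keys lists only the keys the reading process is permitted to view, so results from an unprivileged account are incomplete.
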
Mitigation Strategies

Immediate mitigation is to apply the official Linux kernel patch, which accepts cifs.spnego key descriptions only while CIFS is using its private spnego_cred to request the key.

Until the patch is applied, restrict access to the request_key(2) and add_key(2) system calls to trusted users only, to prevent unprivileged users from creating malicious cifs.spnego keys.

Additionally, monitor and restrict modifications to NSS module directories to prevent loading of malicious NSS libraries.

Consider using system-level security tools such as SELinux or AppArmor to confine the cifs.upcall process and limit its ability to load unauthorized modules.
