{ "threat_severity" : "Moderate", "public_date" : "2026-04-03T00:00:00Z", "bugzilla" : { "description" : "kernel: smb: client: fix krb5 mount with username option", "id" : "2454853", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2454853" }, "cvss3" : { "cvss3_base_score" : "5.8", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H", "status" : "draft" }, "cwe" : "CWE-488", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nsmb: client: fix krb5 mount with username option\nCustomer reported that some of their krb5 mounts were failing against\na single server as the client was trying to mount the shares with\nwrong credentials. It turned out the client was reusing SMB session\nfrom first mount to try mounting the other shares, even though a\ndifferent username= option had been specified to the other mounts.\nBy using username mount option along with sec=krb5 to search for\nprincipals from keytab is supported by cifs.upcall(8) since\ncifs-utils-4.8. So fix this by matching username mount option in\nmatch_session() even with Kerberos.\nFor example, the second mount below should fail with -ENOKEY as there\nis no 'foobar' principal in keytab (/etc/krb5.keytab). The client\nends up reusing SMB session from first mount to perform the second\none, which is wrong.\n```\n$ ktutil\nktutil: add_entry -password -p testuser -k 1 -e aes256-cts\nPassword for testuser@ZELDA.TEST:\nktutil: write_kt /etc/krb5.keytab\nktutil: quit\n$ klist -ke\nKeytab name: FILE:/etc/krb5.keytab\nKVNO Principal\n---- ----------------------------------------------------------------\n1 testuser@ZELDA.TEST (aes256-cts-hmac-sha1-96)\n$ mount.cifs //w22-root2/scratch /mnt/1 -o sec=krb5,username=testuser\n$ mount.cifs //w22-root2/scratch /mnt/2 -o sec=krb5,username=foobar\n$ mount -t cifs | grep -Po 'username=\\K\\w+'\ntestuser\ntestuser\n```", "A flaw was found in the Linux kernel's Server Message Block (SMB) client. A local attacker, by attempting to mount SMB shares using Kerberos (sec=krb5) with a specified username, could cause the client to incorrectly reuse an existing SMB session. This session reuse occurs even when a different username is provided for subsequent mounts, potentially leading to an authentication bypass where shares are accessed with unintended credentials." ], "statement" : "This is an authentication bypass vulnerability where SMB shares may be accessed with incorrect credentials due to improper session matching. A local user performing multiple Kerberos-authenticated SMB mounts with different usernames may inadvertently access shares using credentials from a previous mount. This could lead to unauthorized access to network resources.", "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Fix deferred", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Fix deferred", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Fix deferred", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-31392\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31392\nhttps://lore.kernel.org/linux-cve-announce/2026040324-CVE-2026-31392-7952@gregkh/T" ], "name" : "CVE-2026-31392", "csaw" : false }