CVE-2026-46243: Linux Kernel CIFS cifs.spnego Key Spoofing Privilege Escalation
A vulnerability exists in the Linux kernel's CIFS client implementation where an unprivileged local user can craft specially-formed key descriptions that bypass the intended security controls. Specifically, userspace processes can create SPNEGO (Simple and Protected GSS-API Negotiation Mechanism) keys with forged authority-bearing fields—like process ID, user ID, and credential information—that the kernel's CIFS upcall mechanism incorrectly treats as legitimate kernel-originating inputs. This allows an attacker with local access to inject false authentication-related data into the CIFS authentication flow, potentially leading to privilege escalation or authentication bypass on systems using SMB/CIFS protocol for file sharing or other network services.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.1 HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
- Weaknesses (CWE)
- CWE-20, CWE-825
- Affected products
- 12 configuration(s)
- Published / Modified
- 2026-06-01 / 2026-07-06
NVD description (verbatim)
In the Linux kernel, the following vulnerability has been resolved: smb: client: reject userspace cifs.spnego descriptions cifs.spnego key descriptions contain authority-bearing fields such as pid, uid, creduid, and upcall_target that cifs.upcall treats as kernel-originating inputs. However, userspace can also create keys of this type through request_key(2) or add_key(2), allowing those fields to be supplied without CIFS origin. Only accept cifs.spnego descriptions while CIFS is using its private spnego_cred to request the key.
37 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability resides in the Linux kernel's CIFS client module, specifically in how it validates cifs.spnego key descriptions. The cifs.spnego key type is intended to be created internally by the kernel via the CIFS spnego_cred credential structure when performing SPNEGO authentication negotiations. However, the kernel does not properly restrict the origin of these keys; userspace can also create or manipulate them via request_key(2) or add_key(2) system calls. The cifs.upcall daemon treats certain fields in the key description—pid, uid, creduid, and upcall_target—as authoritative indicators of the key's origin and legitimacy. A local attacker can exploit this by crafting a malicious cifs.spnego key with spoofed values in these fields, bypassing the intended access controls. The fix restricts acceptance of cifs.spnego descriptions only when CIFS is using its private spnego_cred structure to request the key, ensuring userspace-supplied keys are rejected. This addresses improper input validation (CWE-20) and inappropriate use of security-relevant fields (CWE-825).
Business impact
On systems using Linux-based SMB/CIFS clients for network file sharing, authentication, or identity federation, this vulnerability enables local privilege escalation or authentication spoofing attacks. An attacker with local user privileges could forge CIFS authentication credentials without elevated permissions, potentially gaining unauthorized access to network shares, compromising data confidentiality and integrity, or moving laterally across network infrastructure. Organizations relying on Linux-based file servers, workstations, or containers that export CIFS services face elevated risk of insider threats and post-compromise lateral movement.
Affected systems
All versions of the Linux kernel vulnerable to this issue are affected. The vulnerability impacts systems running Linux kernel versions prior to the patch, specifically those with active CIFS client functionality. This includes servers, desktops, workstations, and containerized environments that mount or interact with SMB/CIFS shares. Embedded Linux systems, NAS appliances, and distribution-specific kernels derived from the mainline Linux kernel are also potentially affected until patched. Check your vendor's advisory for specific affected kernel versions and supported branches.
Exploitability
Exploitation requires local access with unprivileged user privileges; remote exploitation is not feasible. An attacker must be able to execute code on the target system and invoke request_key(2) or add_key(2) system calls to craft malicious cifs.spnego keys. The attack does not require special timing or race conditions, making it reliably exploitable once the attacker has local shell access. The attack surface is broad: any local user—including those with minimal privileges in container or sandbox environments—can attempt exploitation. No special kernel configuration is required.
Remediation
Apply the Linux kernel patch that restricts cifs.spnego key acceptance to only those originating from the kernel's private spnego_cred structure. Most major Linux distributions (Red Hat, Debian, Ubuntu, SUSE, etc.) will release kernel updates addressing this vulnerability. Verify against your distribution's security advisory for specific patch version numbers and availability timelines. For systems unable to update immediately, consider restricting local user access and disabling CIFS client functionality if not required.
Patch guidance
Monitor your Linux distribution's security channels (vendor advisories, mailing lists, or patch management tools) for kernel updates that include the cifs.spnego validation fix. Patch your systems as soon as updates become available through your vendor. Test patches in non-production environments first, as kernel updates may require system reboots. If your system runs a custom or vendor-specific kernel, contact your vendor for patch availability and timelines. Organizations managing many systems should use centralized patch management to prioritize kernel updates across their infrastructure.
Detection guidance
Monitor for suspicious use of the add_key(2) and request_key(2) system calls, particularly those attempting to create or manipulate cifs.spnego keys with abnormal pid, uid, creduid, or upcall_target values. Kernel audit logs (auditd) can be configured to flag key creation and manipulation events. Look for failed CIFS authentication attempts or unexpected authentication messages in system logs that correlate with anomalous key operations. Network monitoring for unusual SPNEGO authentication traffic may also provide indicators, though this is less reliable. Endpoint Detection and Response (EDR) solutions capable of syscall monitoring will be most effective at identifying exploitation attempts.
Why prioritize this
Assign this vulnerability HIGH priority due to the CVSS 3.1 score of 7.1, which reflects the combination of local access requirement, high impact on confidentiality and integrity, and lack of user interaction needed. While remote exploitation is not possible, the ease of exploitation for any local user and the potential for privilege escalation or authentication bypass make it a significant risk for systems with untrusted or semi-trusted local users. Prioritize patching systems that host CIFS clients or multi-user environments. Systems in isolated network segments or single-user deployments can tolerate slightly longer patch windows but should still be addressed promptly.
Risk score, explained
The CVSS 3.1 score of 7.1 (HIGH) reflects: (1) Local Attack Vector (AV:L)—the attacker must have local access, reducing but not eliminating risk; (2) Low Attack Complexity (AC:L)—no special conditions or timing required; (3) Low Privileges Required (PR:L)—unprivileged user can exploit; (4) No User Interaction (UI:N)—fully automated exploitation; (5) Unchanged Scope (S:U)—impact limited to the CIFS subsystem; (6) High Confidentiality and Integrity Impact (C:H/I:H)—attacker can read and modify CIFS-related data; (7) No Availability Impact (A:N)—no denial-of-service component. The score appropriately captures the severity for multi-user systems or containers, though single-user systems face reduced practical risk.
Frequently asked questions
Does this vulnerability allow remote code execution?
No. This vulnerability requires local access to the target system and cannot be exploited remotely. An attacker must be able to execute code on the system and use the add_key(2) or request_key(2) system calls to craft malicious keys.
Is this vulnerability present in all Linux systems?
Only systems running vulnerable Linux kernel versions with active CIFS client functionality are affected. Single-user systems or systems that do not use CIFS networking are at lower risk. Check your vendor's advisory for specific kernel version ranges and your distribution's patch status.
Can this be exploited from inside a container or virtualized environment?
Yes. A compromised application or container with local user privileges can attempt exploitation. Container isolation may limit the impact scope, but the vulnerability remains exploitable within the container's context.
What is the difference between cifs.spnego keys and normal CIFS authentication?
cifs.spnego keys are a kernel subsystem for managing SPNEGO credentials used in CIFS authentication. Normally, these are created only by the kernel internally. This vulnerability allows userspace to create fake keys that the kernel mistakenly trusts, bypassing security controls that should only allow kernel-generated keys.
This vulnerability analysis is based on the official CVE record and Linux kernel advisory data available as of the publication date. Specific patch version numbers, affected distributions, and timelines should be verified against official vendor advisories from Linux distribution maintainers. SEC.co provides this information for educational and defensive purposes; any use of this information for offensive purposes is prohibited. Organizations should conduct their own risk assessment based on their specific infrastructure, CIFS usage patterns, and security posture before prioritizing remediation efforts. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10021HIGHGoogle Chrome USB Validation Flaw – RCE Vulnerability Patch
- CVE-2026-10904HIGHChrome V8 Sandbox Escape Remote Code Execution
- CVE-2026-10911HIGHChrome Sandbox Escape Vulnerability (High Severity)
- CVE-2026-10917HIGHChrome Media Sandbox Escape Vulnerability (High CVSS 8.3)
- CVE-2026-10922HIGHChrome DevTools Same-Origin Policy Bypass (CVSS 8.8)
- CVE-2026-10969HIGHChrome Extension Privilege Escalation Vulnerability – Patch Guidance
- CVE-2026-10970HIGHChrome Sandbox Escape via InterestGroups Input Validation Flaw
- CVE-2026-46125HIGHLinux Kernel WiFi Driver Memory Safety Vulnerability