CVE-2026-43377 Overview
CVE-2026-43377 affects the Linux kernel's ksmbd in-kernel SMB3 server. The flaw exists in the SMB3 signing and encryption key generation routines, specifically generate_smb3signingkey() and generate_smb3encryptionkey(). When the KSMBD_DEBUG_AUTH logging option is enabled, these functions write the session, signing, encryption, and decryption key bytes to the kernel log. An attacker with access to kernel logs can extract cryptographic material used to sign and encrypt SMB3 traffic. The fix removes the offending log statements to prevent credential disclosure.
Critical Impact
Exposure of SMB3 session, signing, and encryption keys allows decryption of SMB traffic and forgery of signed SMB messages, undermining confidentiality and integrity of file-sharing sessions.
Affected Products
- Linux kernel ksmbd SMB3 server module
- Linux kernel 7.0 release candidates 7.0-rc1, 7.0-rc2, 7.0-rc3
- Multiple stable Linux kernel branches receiving the ksmbd backport
Discovery Timeline
- 2026-05-08 - CVE-2026-43377 published to NVD
- 2026-05-15 - Last updated in NVD database
Technical Details for CVE-2026-43377
Vulnerability Analysis
The ksmbd module implements an in-kernel SMB3 server for Linux. During session setup, the server derives per-session signing and encryption keys using the SMB3 key derivation function. The functions generate_smb3signingkey() and generate_smb3encryptionkey() produce three sensitive byte arrays per session: the signing key, the encryption key (server-to-client), and the decryption key (client-to-server).
When Linux is built with KSMBD_DEBUG_AUTH enabled, both functions emit the raw key bytes via the kernel logging subsystem. Anyone with read access to dmesg, /var/log/kern.log, or downstream log aggregators can recover the keys. This is classified as an information exposure issue [CWE-noinfo at NVD].
An attacker holding these keys can decrypt captured SMB3 traffic for the affected session and forge signed SMB3 messages, bypassing the integrity guarantees that SMB signing is intended to provide.
Root Cause
The root cause is unsafe debug instrumentation. Developers added ksmbd_debug(AUTH, ...) calls that print cryptographic key material in hexadecimal. Logging secret material at any verbosity level violates secure development practice because kernel logs are frequently collected, forwarded, and retained beyond the host.
Attack Vector
Exploitation requires that the kernel be compiled and running with KSMBD_DEBUG_AUTH enabled and that ksmbd is actively serving SMB3 clients. A low-privileged local user with access to the kernel ring buffer, or any process or operator able to read forwarded kernel logs, can harvest keys passively. With the keys, an adversary positioned on the network can decrypt and tamper with SMB3 sessions even though the underlying protocol negotiated signing and encryption.
No verified public exploit code is associated with this CVE. The vulnerability mechanism is described in the upstream commits referenced under Kernel Git Commit 3fe2d9e and Kernel Git Commit fec5c70.
// No verified exploitation code is published.
// The fix removes ksmbd_debug(AUTH, ...) statements that printed
// session, signing, encryption, and decryption key bytes from
// generate_smb3signingkey() and generate_smb3encryptionkey().
Detection Methods for CVE-2026-43377
Indicators of Compromise
- Kernel log lines from ksmbd containing hexadecimal byte sequences emitted near session setup, particularly entries referencing signing key, ServerIn key, or ServerOut key.
- Presence of CONFIG_SMB_SERVER together with KSMBD_DEBUG_AUTH enabled in /boot/config-$(uname -r) on production hosts.
- Unauthorized reads of /dev/kmsg, /var/log/kern.log, or journalctl -k output by non-administrative accounts.
Detection Strategies
- Audit kernel build configurations and flag any system shipping with KSMBD_DEBUG_AUTH set to y.
- Search centralized log stores for ksmbd entries containing long hex strings indicative of leaked key material.
- Correlate ksmbd session establishment events with subsequent abnormal SMB3 traffic patterns or signature failures.
Monitoring Recommendations
- Forward ksmbd kernel events to a SIEM and alert on entries that match key-derivation log patterns.
- Monitor file integrity and access controls on kernel log files and rotated archives, restricting reads to root.
- Track ksmbd module load events and SMB3 session metrics on Linux file servers exposed to untrusted networks.
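The log search described under Detection Strategies and Monitoring Recommendations can be implemented as below. This is an added example, not code from the advisory or the ksmbd project: it flags ksmbd log lines that carry a long hex run and redacts the bytes so the alert does not re-leak the key. The names scan, HEX_RUN, LABEL and SAMPLE are hypothetical, and the sample log lines and their layout are constructed.

```python
import re

# Assumption: key bytes are logged as 16 or more hex pairs, optionally
# separated by a space or colon; the page does not show the exact layout.
HEX_RUN = re.compile(r"\b[0-9a-f]{2}(?:[ :]?[0-9a-f]{2}){15,}\b", re.I)
# Labels named on the page (session, signing, ServerIn and ServerOut keys).
LABEL = re.compile(r"(session|signing|serverin|serverout)\s+key", re.I)

def scan(lines):
    """Return (findings, redacted_lines); neither contains key bytes."""
    findings, redacted = [], []
    for lineno, line in enumerate(lines, 1):
        # Only ksmbd entries are in scope; other hex dumps are left alone.
        m = HEX_RUN.search(line) if "ksmbd" in line.lower() else None
        if m is None:
            redacted.append(line)
            continue
        nbytes = len(re.findall(r"[0-9a-f]{2}", m.group(0), re.I))
        label = LABEL.search(line[:m.start()])
        findings.append({
            "line": lineno,
            "label": label.group(0).lower() if label else "unlabelled",
            "bytes": nbytes,
        })
        # Replace the hex run so the alert itself does not re-leak the key.
        redacted.append(
            f"{line[:m.start()]}[REDACTED {nbytes} bytes]{line[m.end():]}")
    return findings, redacted

# Constructed sample input; the byte values are patterns, not real keys.
SAMPLE = [
    "[ 1042.118201] ksmbd: session setup request for user alice",
    "[ 1042.118273] ksmbd: Signing Key   "
    "00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff",
    "[ 1042.118310] ksmbd: ServerIn Key  " + " ".join(["a5"] * 32),
    "[ 1042.118344] ksmbd: ServerOut Key " + " ".join(["5a"] * 32),
    "[ 1042.200015] usb 1-1: new device "
    "00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff",
    "[ 1042.300120] ksmbd: conn 7 closed",
]

if __name__ == "__main__":
    found, clean = scan(SAMPLE)
    for f in found:
        print(f"line {f['line']}: {f['label']} ({f['bytes']} bytes)")
    print("\n".join(clean))
```

Feed it lines from journalctl -k or a log-store export, and forward only the findings and redacted lines to the SIEM.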
How to Mitigate CVE-2026-43377
Immediate Actions Required
- Apply the upstream kernel patches that remove key logging from generate_smb3signingkey() and generate_smb3encryptionkey().
- Rebuild any custom kernels with KSMBD_DEBUG_AUTH disabled until the patched sources are in place.
- Rotate SMB3 sessions by restarting ksmbd after patching so that previously leaked keys are no longer valid.
- Purge kernel logs that may contain leaked key bytes and restrict access to remaining archives.
Patch Information
Fixes are available across stable branches. Reference commits: Kernel Git Commit 3fe2d9e, Kernel Git Commit 407cc37c, Kernel Git Commit 4084ed7, Kernel Git Commit 4413361, Kernel Git Commit c6b01b9, and Kernel Git Commit fec5c70.
Workarounds
- Disable KSMBD_DEBUG_AUTH and rebuild the kernel, or switch to a vendor kernel that ships without this debug option.
- Unload the ksmbd module on hosts that do not require an in-kernel SMB3 server: modprobe -r ksmbd.
- Restrict access to the kernel ring buffer by setting kernel.dmesg_restrict=1 and limiting log file permissions to root.
# Configuration example
# Restrict kernel log access and disable ksmbd where it is not required
sudo sysctl -w kernel.dmesg_restrict=1
echo 'kernel.dmesg_restrict=1' | sudo tee /etc/sysctl.d/90-dmesg-restrict.conf
sudo chmod 600 /var/log/kern.log /var/log/syslog 2>/dev/null
sudo systemctl stop ksmbd.service 2>/dev/null
sudo modprobe -r ksmbd 2>/dev/null
# Verify KSMBD_DEBUG_AUTH is not set in the running kernel build
grep -E 'KSMBD_DEBUG_AUTH|SMB_SERVER' /boot/config-$(uname -r)


