CVE-2026-46243 Overview
CVE-2026-46243 is an improper input validation flaw [CWE-20] in the Linux kernel's SMB client subsystem. The cifs.spnego key descriptions that the kernel builds carry authority-bearing fields such as pid, uid, creduid, and upcall_target, which the cifs.upcall helper treats as kernel-originated input. Because the key retention service lets any process create keys of this type through request_key(2) or add_key(2), the same fields can be supplied from userspace with no CIFS involvement at all. A local attacker can cross this trust boundary to influence the credential resolution performed on behalf of the SMB client.
Critical Impact
A local, low-privileged user can forge cifs.spnego key descriptions to impersonate kernel-originated upcall requests, leading to high impact on confidentiality, integrity, and availability.
Affected Products
- Linux kernel SMB client (fs/smb/client)
- Distribution kernels built from mainline or stable branches that predate the fix commits
- Systems using cifs.upcall with Kerberos/SPNEGO authentication for CIFS/SMB mounts
Discovery Timeline
- 2026-06-01 - CVE-2026-46243 published to NVD
- 2026-06-01 - Disclosure posted to the Openwall oss-security mailing list
- 2026-06-01 - Last updated in NVD database
Technical Details for CVE-2026-46243
Vulnerability Analysis
The Linux kernel CIFS client uses the kernel key retention service to broker SPNEGO authentication material between kernelspace and the cifs.upcall helper. When CIFS needs Kerberos credentials, it builds a cifs.spnego key description that embeds metadata fields such as pid, uid, creduid, and upcall_target and requests a key of that type; the kernel spawns /sbin/request-key, which runs cifs.upcall with the description as its input. cifs.upcall consumes those fields, in particular creduid, which tells the helper whose credentials to resolve, under the assumption that the kernel produced them.
The core defect is a missing origin check. Nothing tied acceptance of a cifs.spnego key to the kernel's own request: request_key(2) and add_key(2) are available to every process and can name the cifs.spnego type directly, so a local unprivileged user can populate the authority-bearing fields with chosen values, and cifs.upcall has no way to tell such a description from one the kernel built.
Root Cause
The SMB client did not restrict acceptance of cifs.spnego key descriptions to keys requested through its private spnego_cred. Without that constraint, the kernel honored descriptions from arbitrary userspace callers, producing a confused-deputy condition in the SPNEGO upcall path: the helper, which the kernel spawns as root, acts on authority fields chosen by the caller.
Attack Vector
Exploitation requires local access and low privileges, with no user interaction. An attacker calls request_key(2), which makes the kernel spawn /sbin/request-key and through it cifs.upcall, or add_key(2), with the cifs.spnego type and a description that embeds chosen uid, creduid, pid, or upcall_target values. When cifs.upcall processes the key, it acts on attacker-controlled authority data, which can influence which credentials are selected and the subsequent SMB session state. The patch series, including commits 0aece668, 2035acfb, 3da1fdf4, 7713bd32, 91f89c1d, 9544559e, a3bbda65, and cf200386, makes the key type accept a description only when the kernel's private spnego_cred is the requester. See the Openwall OSS Security Post and the GitHub CIFSwitch Repository for additional context.
Detection Methods for CVE-2026-46243
Indicators of Compromise
- Unexpected add_key or request_key syscalls referencing the cifs.spnego key type from non-root, non-CIFS processes
- Anomalous cifs.upcall invocations correlated with key creation events from unprivileged users
- Unusual uid, creduid, or pid values in cifs.spnego key descriptions (visible in /proc/keys) relative to the user and process that established the CIFS session
Detection Strategies
- Enable Linux audit rules on the add_key, request_key, and keyctl syscalls for unprivileged login uids; the key requests the kernel makes during a CIFS mount are in-kernel calls rather than syscalls, so any such record from a user session on a CIFS client host deserves a look
- Monitor /proc/keys for cifs.spnego entries owned by unexpected user sessions (the type column is nine characters wide, so the type reads cifs.spne)
- Correlate cifs.upcall helper executions with the originating process tree to identify userspace-driven key creation
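The following triage script is an added example, not code from the advisory or from cifs-utils. It applies the /proc/keys heuristics listed above to constructed sample lines: it assumes the /proc/keys columns are serial, flags, usage, timeout, perms, uid, gid, type and description, that the type column is printed nine characters wide (so cifs.spnego shows as cifs.spne), and that keys the CIFS client requests itself are owned by uid 0 because they are created under its private spnego_cred. The sample lines and the two verdict heuristics (a cifs.spnego key owned by a non-root uid, and a creduid field naming a different user than the key's owner) are this example's assumptions.

```shell
#!/bin/sh
# Added example (not from the advisory): triage cifs.spnego keys in
# /proc/keys output. The sample below is constructed; on a real host run
# scan_live as root, since /proc/keys only lists keys the reader may view.
SAMPLE_PROC_KEYS='3b1c0a22 I--Q---     1 perm 3f010000     0     0 cifs.spne ver=0x2;host=fs01.corp.example;ip4=10.0.0.5;sec=krb5;uid=0x3e8;creduid=0x3e8;user=alice;pid=0x1a2b;upcall_target=mount
0fd92e71 I--Q---     2 perm 3f030000  1000  1000 cifs.spne ver=0x2;host=fs01.corp.example;ip4=10.0.0.5;sec=krb5;uid=0x3e8;creduid=0x0;user=alice;pid=0x1a2b;upcall_target=mount
2c77d1e9 I--Q---     1 perm 3f030000  1000  1000 cifs.spne ver=0x2;host=fs01.corp.example;ip4=10.0.0.5;sec=krb5;uid=0x3e8;creduid=0x3e8;user=alice;pid=0x1a2b;upcall_target=mount
1a9e77c3 I--Q---     4 perm 3f030000  1000  1000 user      invocation_id'

# desc_field DESC NAME: print the value of NAME= in a ';'-separated
# key description; returns 1 when the field is absent.
desc_field() {
    _name=$2
    _old_ifs=$IFS
    IFS=';'
    set -- $1
    IFS=$_old_ifs
    for kv in "$@"; do
        case "$kv" in
            "$_name="*) printf '%s\n' "${kv#*=}"; return 0 ;;
        esac
    done
    return 1
}

# flag_spnego_keys: read /proc/keys-format lines on stdin and print one
# "serial verdict detail" line per cifs.spnego key (assumed heuristics):
#   kernel-owned      owned by uid 0, consistent with the CIFS client's request
#   user-owned        owned by a non-root uid, i.e. created from userspace
#   creduid-mismatch  non-root owner whose creduid names another user, so the
#                     helper would resolve someone else's credentials
flag_spnego_keys() {
    while read -r serial flags usage timeout perms uid gid type desc; do
        case "$type" in cifs.spne*) ;; *) continue ;; esac
        creduid_hex=$(desc_field "$desc" creduid) || creduid_hex=""
        if [ -n "$creduid_hex" ]; then
            creduid=$(printf '%d' "$creduid_hex")   # hex field -> decimal uid
        else
            creduid=-1
        fi
        if [ "$uid" -ne 0 ] && [ "$creduid" -ne "$uid" ]; then
            echo "$serial creduid-mismatch owner=$uid creduid=$creduid"
        elif [ "$uid" -ne 0 ]; then
            echo "$serial user-owned owner=$uid creduid=$creduid"
        else
            echo "$serial kernel-owned creduid=$creduid"
        fi
    done
}

# scan_sample: run the heuristics over the constructed lines above.
scan_sample() {
    printf '%s\n' "$SAMPLE_PROC_KEYS" | flag_spnego_keys
}

# scan_live: run the heuristics over the real keyring table (run as root).
scan_live() {
    flag_spnego_keys < /proc/keys
}

if [ "${1:-}" = "--live" ]; then
    scan_live
fi
```

Run it with `--live` as root on a CIFS client; anything other than kernel-owned verdicts is a key that did not come from the SMB client's own request and should be correlated with the owning user's process tree and the audit trail.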
Monitoring Recommendations
- Forward kernel audit logs and CIFS client telemetry to a centralized analytics platform for retention and correlation
- Baseline the normal frequency and source of SPNEGO key activity on file-server clients and alert on deviations
- Track kernel package versions across the fleet to confirm presence of the fix commits referenced in stable trees
How to Mitigate CVE-2026-46243
Immediate Actions Required
- Upgrade to a Linux kernel build that includes the upstream patch series rejecting userspace-originated cifs.spnego descriptions
- Inventory hosts that mount CIFS/SMB shares with Kerberos/SPNEGO authentication and prioritize patching for multi-user systems
- Restrict local shell access on shared infrastructure to reduce exposure to local-vector attacks
Patch Information
The fix is implemented across stable kernel commits 0aece6685fc80a8de492688ca2315fb86ec379c7, 2035acfb17221729b1b8ac335e941868a04ca079, 3da1fdf4efbc490041eb4f836bf596201203f8f2, 7713bd320ed4fc3d08a227cd8e41242219a16981, 91f89c1d83e80417629791fcef6af8140d7d01c8, 9544559e59438a4b609b2fdfa0763d8360572824, a3bbda6502a9398b816fa2e71c9a3f955f58013d, and cf20038657d6d4974349556a34e08fe0490bebbc. The change accepts cifs.spnego descriptions only while CIFS is using its private spnego_cred to request the key. Refer to your distribution's security advisories for backported package versions.
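The probe below is an added example, not code from the advisory, the kernel tree, or cifs-utils. It ties together the attack vector described above and the fix described here: it builds a cifs.spnego description in the field layout the CIFS client emits (ver, host, ip4, sec, uid, creduid, user, pid, upcall_target, assumed from fs/smb/client/cifs_spnego.c) with a forged creduid, then asks the running kernel to create a key of that type from an unprivileged process using keyutils' `keyctl add`. The verdict mapping is this example's assumption: a kernel with the fix answers the userspace add_key with a permission error, an unpatched kernel returns a key serial, and "Required key not available" (ENOKEY) means the cifs key type is not registered, i.e. the module is not loaded. The probe uses add_key rather than request_key so cifs.upcall is never spawned, and it unlinks any key the kernel did create.

```shell
#!/bin/sh
# Added example (not from the advisory): does this kernel accept a
# cifs.spnego key created from userspace? Requires keyutils (keyctl).

# build_spnego_desc HOST IP4 UID CREDUID USER PID TARGET
# Prints a description whose uid/creduid/pid are whatever the caller
# says: nothing in the string proves the kernel wrote it. Field layout is
# assumed from the CIFS client's own description format.
build_spnego_desc() {
    printf 'ver=0x2;host=%s;ip4=%s;sec=krb5;uid=0x%x;creduid=0x%x;user=%s;pid=0x%x;upcall_target=%s' \
        "$1" "$2" "$3" "$4" "$5" "$6" "$7"
}

# classify_add_key_result EXIT_STATUS OUTPUT
# Maps the exit status and combined output of `keyctl add` to a verdict
# (assumed mapping, see the lead-in).
classify_add_key_result() {
    status=$1
    out=$2
    if [ "$status" -eq 0 ]; then
        echo "accepted"               # kernel created a userspace-originated cifs.spnego key
        return 0
    fi
    case "$out" in
        *"Required key not available"*) echo "type-not-registered" ;;          # ENOKEY: cifs not loaded
        *"Operation not permitted"*|*"Permission denied"*) echo "rejected" ;;  # EPERM/EACCES: origin check
        *) echo "unknown" ;;
    esac
}

# probe_cifs_spnego_add_key: run as an unprivileged user on the host under test.
probe_cifs_spnego_add_key() {
    # Forged authority fields: this caller's uid, but creduid 0 (root) and
    # a hostname that is purely illustrative.
    desc=$(build_spnego_desc "fs01.corp.example" "10.0.0.5" "$(id -u)" 0 "probe" "$$" "mount")
    # Payload content is irrelevant to the origin check; "x" is a placeholder.
    out=$(keyctl add cifs.spnego "$desc" x @s 2>&1)
    status=$?
    verdict=$(classify_add_key_result "$status" "$out")
    # Do not leave a forged key in the session keyring if the kernel accepted it.
    if [ "$verdict" = "accepted" ]; then
        keyctl unlink "$out" @s >/dev/null 2>&1
    fi
    echo "$verdict"
}

if [ "${1:-}" = "--probe" ]; then
    probe_cifs_spnego_add_key
fi
```

Run it with `--probe` as an ordinary user. "rejected" is consistent with the fix being present, "accepted" means the host still honors userspace-originated cifs.spnego keys and should be prioritized, and "type-not-registered" means the cifs module is not loaded, so the code path is not reachable until something loads it.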
Workarounds
- Where patching is delayed, avoid mounting CIFS shares that rely on SPNEGO/Kerberos on multi-user hosts
- Constrain access to the kernel keyring on shared systems and review SELinux policy for the key object class (or equivalent controls) on hosts that carry one
- Disable or remove the cifs kernel module on systems that do not require SMB client functionality
# Configuration example
# Verify whether the cifs module is loaded; unload it if no CIFS share is mounted
lsmod | grep -E '^cifs'
sudo modprobe -r cifs
# Keep it from loading again on hosts that never need SMB client support
echo 'install cifs /bin/false' | sudo tee /etc/modprobe.d/cifs-disable.conf
# Audit userspace add_key/request_key calls from unprivileged login sessions
# (key requests the kernel makes during a CIFS mount are not syscalls and are not logged)
sudo auditctl -a always,exit -F arch=b64 -S add_key -S request_key -F auid>=1000 -F auid!=unset -k cifs_spnego
# The SYSCALL record carries the key type and description only as raw pointers (a0/a1),
# so review the caller's pid/uid/exe here and confirm the key type in /proc/keys
sudo ausearch -k cifs_spnego -i
sudo grep 'cifs\.spne' /proc/keys
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.