PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-43377 Linux kernel (ksmbd) CVE debrief

CVE-2026-43377 is a high-severity Linux kernel ksmbd issue in which debug authentication logging writes SMB3 key material into the kernel log. According to the CVE description, the affected functions logged the bytes of the session, signing, encryption, and decryption keys whenever KSMBD_DEBUG_AUTH was enabled; the fix removes those log statements. Because the leaked material is the session's signing and encryption keys, anyone who can read the kernel log, or any log collector it is forwarded to, can decrypt captured SMB3 traffic and forge signed messages for those sessions. Any environment that ran with the debug option enabled should treat its logs as potentially containing live key material.

Vendor
Linux kernel (the stored record lists the vendor as Git)
Product
Linux kernel ksmbd in-kernel SMB server (not named in the stored record)
CVSS
HIGH 8.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-08
Original CVE updated
2026-05-11
Advisory published
2026-05-08
Advisory updated
2026-05-11

Who should care

Linux kernel and distro maintainers, operators of SMB shares served by ksmbd, and anyone who has ever enabled KSMBD_DEBUG_AUTH on a running server. Deployments that forward kernel logs to central collectors, or that let unprivileged users read dmesg or the journal, should treat this as especially important, since every copy of those logs is a copy of the keys.

Technical summary

When KSMBD_DEBUG_AUTH logging is enabled, generate_smb3signingkey() and generate_smb3encryptionkey() write the derived key bytes to the kernel log. The CVE description says the leaked material includes the session, signing, encryption, and decryption keys. With the signing key an attacker can forge or alter signed SMB3 messages; with the encryption and decryption keys they can decrypt recorded or live session traffic, so both confidentiality and integrity of the affected sessions are lost. The leak only occurs while that debug option is enabled; the remediation removes the logging of these secrets entirely rather than gating it further.

Defensive priority

High. This is a direct secret-disclosure flaw involving cryptographic key material, with impact on both the confidentiality and the integrity of SMB sessions. The supplied CVSS vector rates it as network-reachable with low privileges, but in practice two conditions must hold: the debug option must be on, and the attacker must be able to read the kernel log or a pipeline that copies it. Prioritize accordingly: hosts where the option was never enabled carry little risk from this issue, while hosts that had it on while shipping logs to a shared store need incident handling, not just a patch.

Recommended defensive actions

  • Apply the kernel update or stable backport that includes the official fix referenced by the kernel.org links.
  • Disable KSMBD_DEBUG_AUTH and other verbose authentication debugging in production; confirm the setting on every ksmbd host rather than assuming the default.
  • Restrict read access to kernel and service logs; treat any log produced while the debug option was enabled as sensitive, including forwarded copies held by central collectors and backups.
  • If exposure is suspected, terminate the affected ksmbd sessions so fresh keys are derived, rotate the credentials of the accounts whose keys appeared in the logs, and purge or lock down the log copies that contain key bytes.
  • Verify that all ksmbd deployments, including backported stable kernels, are patched.
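A small triage script for the second, third and fourth actions above, written as an added example for this debrief; it is not code from the kernel tree or from the CVE record. It assumes two things that the CVE text does not state and that you should confirm against your own kernel: that ksmbd's runtime debug mask is exposed at /sys/class/ksmbd-control/debug with enabled components shown in square brackets (e.g. "smb [auth] vfs"), and that the vulnerable debug path prints each key as a label such as "Session Key", "Signing Key", "ServerIn Key" or "ServerOut Key" followed by the key bytes in contiguous hex. The sample log lines embedded in the block are constructed, not a real capture.

```python
"""Triage helper for CVE-2026-43377 (ksmbd key bytes written to the kernel log).

Added example, not from the kernel tree or the CVE record.  Assumptions:
  * /sys/class/ksmbd-control/debug lists ksmbd debug components, with the
    enabled ones in square brackets, e.g. "smb [auth] vfs".
  * The vulnerable debug path prints keys as "<label> Key <hex>", with
    <label> one of Session, Signing, ServerIn, ServerOut.
Adjust KEY_LINE if your kernel formats these lines differently.
"""
import re
import sys
from pathlib import Path

DEBUG_NODE = Path("/sys/class/ksmbd-control/debug")  # assumed sysfs location

# A ksmbd-tagged log line carrying a key label and at least 16 bytes of hex.
KEY_LINE = re.compile(
    r"ksmbd.*?\b(?P<label>Session|Signing|ServerIn|ServerOut)\s+Key\s+"
    r"(?P<hex>[0-9a-fA-F]{32,})"
)

# Constructed sample in the assumed format (not a real capture).
SAMPLE_LOG = """\
May 08 10:12:01 fs01 kernel: ksmbd: dumping generated AES signing keys
May 08 10:12:01 fs01 kernel: ksmbd: Session Id    4242
May 08 10:12:01 fs01 kernel: ksmbd: Session Key   00112233445566778899aabbccddeeff
May 08 10:12:01 fs01 kernel: ksmbd: Signing Key   ffeeddccbbaa99887766554433221100
May 08 10:12:02 fs01 kernel: ksmbd: dumping generated AES encryption keys
May 08 10:12:02 fs01 kernel: ksmbd: ServerIn Key  0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
May 08 10:12:02 fs01 kernel: ksmbd: ServerOut Key fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210
May 08 10:12:05 fs01 kernel: ksmbd: smb2 tree connect from 10.0.0.7
"""


def ksmbd_auth_debug_enabled(mask_text: str) -> bool:
    """True if the 'auth' component is enabled in the debug mask text."""
    return "[auth]" in mask_text.split()


def read_live_debug_state():
    """Live state of the auth debug bit, or None if ksmbd-control is absent."""
    if not DEBUG_NODE.exists():
        return None
    return ksmbd_auth_debug_enabled(DEBUG_NODE.read_text())


def find_key_leaks(lines):
    """Return one record per log line that carries SMB3 key bytes.

    Each record gives the 1-based line number, the key label and the key
    length in bytes (so a 16-byte signing key and a 32-byte AES-256 key are
    told apart without keeping the bytes themselves).
    """
    hits = []
    for lineno, line in enumerate(lines, start=1):
        m = KEY_LINE.search(line)
        if m:
            hits.append({
                "line": lineno,
                "label": m.group("label"),
                "key_bytes": len(m.group("hex")) // 2,
            })
    return hits


def redact_line(line: str) -> str:
    """Replace the key hex with a placeholder so the line is safe to share."""
    def _sub(m):
        n = len(m.group("hex")) // 2
        return m.group(0)[: -len(m.group("hex"))] + f"<redacted {n} bytes>"
    return KEY_LINE.sub(_sub, line)


if __name__ == "__main__":
    # Feed it the kernel log (e.g. `journalctl -k | python3 this.py`);
    # with no piped input it runs over the constructed sample.
    lines = (sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG).splitlines()
    state = read_live_debug_state()
    label = {None: "ksmbd-control not present", True: "ENABLED", False: "off"}[state]
    print("ksmbd auth debug:", label)
    for h in find_key_leaks(lines):
        print(f"line {h['line']}: {h['label']} key leaked ({h['key_bytes']} bytes)")
        print("   ", redact_line(lines[h["line"] - 1]))
```

Any hit means the keys for that session were exposed to every reader and every downstream copy of that log, so the session should be torn down and the account's credentials rotated; the redacted form is what goes into the ticket, never the raw line.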

Evidence notes

The supplied CVE description states that KSMBD_DEBUG_AUTH logging caused generate_smb3signingkey() and generate_smb3encryptionkey() to log session, signing, encryption, and decryption key bytes, and that the fix removes the logs. The NVD record lists official kernel.org stable references for the remediation. Published 2026-05-08 and modified 2026-05-11. Supplied CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N (8.1 HIGH).

Official resources

Publicly disclosed in the CVE record on 2026-05-08 and updated on 2026-05-11. No KEV listing is indicated in the supplied data.