PatchSiren cyber security CVE debrief

CVE-2026-31392 Linux CVE debrief

A session reuse flaw in the Linux kernel SMB client (CIFS) allows Kerberos-authenticated mounts to incorrectly reuse SMB sessions from prior mounts, even when a different username= option is specified. This can cause unauthorized access to shares using credentials from a previous mount, or cause mount failures when the wrong principal is used. The vulnerability exists because match_session() did not consider the username mount option when Kerberos (sec=krb5) was in use. Patches are available for multiple stable kernel branches.

Vendor: Linux
Product: Unknown
CVSS: HIGH 8.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-04-03
Original CVE updated: 2026-05-26
Advisory published: 2026-04-03
Advisory updated: 2026-05-26

Who should care

Linux system administrators using CIFS mounts with Kerberos authentication, particularly in multi-user or automated mounting environments where different credentials may be specified for different shares. Organizations with strict access controls on SMB shares where credential isolation between mounts is security-critical.

Technical summary

The Linux kernel's SMB client (fs/smb/client) contains a flaw in match_session() where the username mount option was not considered during session matching for Kerberos-authenticated mounts (sec=krb5). When multiple mounts are performed against the same server with different username= options, the client incorrectly reuses the existing SMB session from the first mount instead of establishing a new session with the specified credentials. This occurs because session matching logic only validated server address and port, not the username principal. The vulnerability affects kernel versions from 2.6.32.44 through 6.19.10 and 7.0-rc1 through rc4. Patches add username matching to match_session() for Kerberos sessions, ensuring distinct sessions are established for distinct principals.
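The following is an added, simplified model of the session-cache decision described above; it is not the kernel's fs/smb/client code. The real match_session() compares many more fields, and the server name, port, usernames and session ids here are constructed. It shows why a cache key that omits an authorization-relevant attribute (the Kerberos principal's username) hands the second mount the first mount's session, and how adding the username comparison yields a separate session per principal.

```python
from dataclasses import dataclass

# Constructed model of CIFS session reuse (not kernel code). Only the fields
# relevant to this flaw are represented.

@dataclass(frozen=True)
class MountRequest:
    server: str
    port: int
    sec: str        # security mechanism, e.g. "krb5" or "ntlmssp"
    username: str   # value of the username= mount option


@dataclass
class SmbSession:
    server: str
    port: int
    sec: str
    username: str   # principal that established the session
    session_id: int


class SessionCache:
    """Holds established sessions and decides whether a new mount may reuse one."""

    def __init__(self, check_krb5_username: bool):
        # False reproduces the pre-fix behaviour described in the debrief;
        # True models match_session() after the patch.
        self.check_krb5_username = check_krb5_username
        self.sessions: list[SmbSession] = []
        self._next_id = 1

    def _match_session(self, ses: SmbSession, req: MountRequest) -> bool:
        if (ses.server, ses.port) != (req.server, req.port):
            return False
        if ses.sec != req.sec:
            return False
        if req.sec == "krb5":
            # Pre-fix: Kerberos sessions matched on server/port alone, so the
            # principal of the first mount was silently reused by later mounts.
            return (not self.check_krb5_username) or ses.username == req.username
        # Non-Kerberos sessions always compared the username in this model.
        return ses.username == req.username

    def get_session(self, req: MountRequest) -> SmbSession:
        """Return a matching cached session, or establish a new one."""
        for ses in self.sessions:
            if self._match_session(ses, req):
                return ses
        ses = SmbSession(req.server, req.port, req.sec, req.username, self._next_id)
        self._next_id += 1
        self.sessions.append(ses)
        return ses


def session_user_for(check_krb5_username: bool) -> tuple[str, str]:
    """Mount as alice, then as bob, and report which principal's session each mount received."""
    cache = SessionCache(check_krb5_username)
    first = cache.get_session(MountRequest("fileserver.example", 445, "krb5", "alice"))
    second = cache.get_session(MountRequest("fileserver.example", 445, "krb5", "bob"))
    return first.username, second.username


if __name__ == "__main__":
    print("pre-fix :", session_user_for(False))   # bob's mount rides on alice's session
    print("patched :", session_user_for(True))    # each principal gets its own session
```

In the pre-fix configuration the second call returns a session owned by "alice" even though "bob" was requested, which is exactly the credential reuse the debrief describes; with username matching enabled the two mounts get distinct sessions.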

Defensive priority

HIGH

Recommended defensive actions

  • Apply kernel patches from stable branches: 6.1.167+, 6.6.130+, 6.12.78+, 6.18.20+, 6.19.10+, or 7.0-rc5+
  • Verify kernel version matches or exceeds patched versions for your LTS branch
  • If immediate patching is not possible, avoid concurrent krb5 mounts with different username= options on the same client
  • Audit existing CIFS mount configurations for username= usage with sec=krb5
  • Review SMB session establishment logs for unexpected credential reuse
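As an added example (not PatchSiren's or the kernel project's code) covering the version check and the mount audit in the list above, the script below maps a running kernel release to its stable branch and compares it against the patched minimums quoted in this debrief, then scans /proc/mounts-style lines for cifs mounts that combine sec=krb5 with a username= option and reports any server that has more than one Kerberos principal mounted from the same client. The sample mount table is constructed; the server name, share names and usernames in it are placeholders, and the 7.0-rc branch is reported as "not covered" because rc releases are not in the numeric table.

```python
import os
import re
from typing import Optional

# Minimum patched release per stable branch, taken from the recommended actions above.
PATCHED = {
    (6, 1): (6, 1, 167),
    (6, 6): (6, 6, 130),
    (6, 12): (6, 12, 78),
    (6, 18): (6, 18, 20),
    (6, 19): (6, 19, 10),
}

# Constructed /proc/mounts sample (placeholder server, shares and users).
SAMPLE_PROC_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
//fileserver.example/finance /mnt/finance cifs rw,relatime,vers=3.1.1,sec=krb5,cruid=1000,username=alice,uid=0 0 0
//fileserver.example/hr /mnt/hr cifs rw,relatime,vers=3.1.1,sec=krb5,cruid=1001,username=bob,uid=0 0 0
//fileserver.example/public /mnt/public cifs rw,relatime,vers=3.1.1,sec=ntlmssp,username=guest,uid=0 0 0
"""


def parse_kernel_version(release: str) -> tuple[int, int, int]:
    """Turn a `uname -r` string such as '6.6.129-generic' into (major, minor, patch)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def kernel_is_patched(release: str) -> Optional[bool]:
    """True/False for branches in PATCHED; None when the branch is not covered (e.g. 7.0-rc)."""
    major, minor, patch = parse_kernel_version(release)
    fixed = PATCHED.get((major, minor))
    if fixed is None:
        return None
    return (major, minor, patch) >= fixed


def krb5_mounts_with_username(proc_mounts: str) -> list[tuple[str, str, str]]:
    """Return (source, mountpoint, username) for each cifs mount using sec=krb5 with username=."""
    hits = []
    for line in proc_mounts.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[2] != "cifs":
            continue
        # Mount options are comma-separated key=value pairs; flags without '=' get an empty value.
        opts = dict(opt.partition("=")[::2] for opt in fields[3].split(","))
        if opts.get("sec") == "krb5" and "username" in opts:
            hits.append((fields[0], fields[1], opts["username"]))
    return hits


def servers_with_mixed_krb5_principals(proc_mounts: str) -> dict[str, list[str]]:
    """Servers that have krb5 mounts under more than one username on this client."""
    by_server: dict[str, set[str]] = {}
    for source, _mountpoint, user in krb5_mounts_with_username(proc_mounts):
        server = source.lstrip("/").split("/")[0]   # '//host/share' -> 'host'
        by_server.setdefault(server, set()).add(user)
    return {s: sorted(u) for s, u in by_server.items() if len(u) > 1}


if __name__ == "__main__":
    release = os.uname().release
    status = kernel_is_patched(release)
    verdict = {True: "patched", False: "NOT patched", None: "branch not covered by table"}[status]
    print(f"kernel {release}: {verdict}")
    table = open("/proc/mounts").read() if os.path.exists("/proc/mounts") else SAMPLE_PROC_MOUNTS
    for source, mountpoint, user in krb5_mounts_with_username(table):
        print(f"krb5 mount with username= : {source} on {mountpoint} as {user}")
    for server, users in servers_with_mixed_krb5_principals(table).items():
        print(f"WARNING: {server} mounted with multiple krb5 principals: {', '.join(users)}")
```

Run on a live host it reads the real /proc/mounts; the warning line corresponds to the condition the third action above tells you to avoid until the kernel is updated.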

Evidence notes

CVE description confirms the vulnerability is in the Linux kernel SMB client, specifically in session matching logic. The fix modifies match_session() to include username in session matching for Kerberos mounts. CVSS 8.1 (HIGH) with vector AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L indicates a local attack vector requiring high privileges, but with a changed scope and high confidentiality and integrity impact. Not listed in CISA KEV.

Official resources

2026-04-03