PatchSiren cyber security CVE debrief
CVE-2026-46243 Linux CVE debrief
A local privilege escalation vulnerability in the Linux kernel's SMB client (CIFS) subsystem allows unprivileged users to forge cifs.spnego key descriptions, potentially leading to authentication bypass or elevated privileges. The flaw exists because userspace processes could create cifs.spnego keys via request_key(2) or add_key(2) with attacker-controlled authority-bearing fields (pid, uid, creduid, upcall_target) that cifs.upcall incorrectly treated as kernel-originating inputs. The fix restricts acceptance of cifs.spnego descriptions to only those requested while CIFS is using its private spnego_cred, preventing userspace from injecting malicious key descriptions.
- Vendor: Linux
- Product: Unknown
- CVSS: HIGH 7.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-01
- Original CVE updated: 2026-06-01
- Advisory published: 2026-06-01
- Advisory updated: 2026-06-01
Who should care
Linux system administrators, kernel maintainers, and security teams operating environments with CIFS/SMB mounts. Organizations relying on multi-user Linux systems with SMB file shares face elevated risk from local attackers seeking privilege escalation.
Technical summary
The Linux kernel's CIFS/SMB client uses cifs.spnego keys for SPNEGO authentication handling. These key descriptions contain security-relevant fields including pid, uid, creduid, and upcall_target. The cifs.upcall helper processes these fields as trusted kernel-originating inputs. However, because userspace could independently create keys of type cifs.spnego through standard key management syscalls (request_key(2), add_key(2)), an attacker with local access could supply crafted values for these authority-bearing fields without legitimate CIFS origin. The vulnerability is resolved by restricting acceptance of cifs.spnego key descriptions to only those requested while the CIFS subsystem is actively using its private spnego_cred structure, ensuring kernel-controlled provenance for these sensitive fields.
Defensive priority
HIGH
Recommended defensive actions
- Apply kernel stable patches from the Linux kernel stable tree when available for your distribution
- Restrict unprivileged access to keyctl operations where possible via security policies
- Monitor for anomalous key creation events related to cifs.spnego type keys
- Update to a patched kernel version containing the fix for CVE-2026-46243
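One way to approach the monitoring action above, as an added example that is not part of the advisory or of the kernel project: a scan of `/proc/keys` output for `cifs.spnego` keys that are not owned by root. Assumptions: the column layout follows keyrings(7), descriptions are semicolon-separated `key=value` pairs, keys requested under the kernel's private spnego_cred are owned by uid 0, and the function names and sample rows are constructed for illustration.

```python
import re

# Column layout of /proc/keys as described in keyrings(7):
# id flags usage timeout perm uid gid type description
ROW = re.compile(r"^([0-9a-f]+)\s+(\S+)\s+(\d+)\s+(\S+)\s+([0-9a-f]+)\s+"
                 r"(-?\d+)\s+(-?\d+)\s+(\S+)\s+(.*)$")
# The authority-bearing fields named in the advisory.
AUTHORITY_FIELDS = ("pid", "uid", "creduid", "upcall_target")

def parse_description(desc):
    """Split a 'k=v;k=v' description; drop the trailing ': <datalen>' suffix."""
    desc = re.sub(r":\s*\d+\s*$", "", desc)
    fields = {}
    for part in desc.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def suspicious_spnego_keys(proc_keys_text, trusted_uid=0):
    """Return cifs.spnego keys whose owner is not the trusted uid (assumed 0)."""
    findings = []
    for line in proc_keys_text.splitlines():
        m = ROW.match(line.strip())
        if not m or m.group(8) != "cifs.spnego":
            continue
        owner = int(m.group(6))
        if owner == trusted_uid:
            continue
        fields = parse_description(m.group(9))
        findings.append({
            "serial": m.group(1),
            "owner_uid": owner,
            # What the description claims, for the responder to review.
            "claimed": {k: fields.get(k) for k in AUTHORITY_FIELDS},
        })
    return findings

# Constructed sample rows; only the four fields the advisory names are included.
SAMPLE = """\
0a1b2c3d I--Q---     1 perm 3f010000     0     0 cifs.spnego uid=0x3e8;creduid=0x3e8;pid=0x4d2;upcall_target=app: 64
1f2e3d4c I--Q---     1 perm 3f010000  1001  1001 cifs.spnego uid=0x0;creduid=0x0;pid=0x1;upcall_target=mount: 64
2b3c4d5e I--Q---     3 perm 3f030000  1001  1001 keyring   _ses
"""

if __name__ == "__main__":
    for finding in suspicious_spnego_keys(SAMPLE):
        print(finding)
```

`/proc/keys` lists only keys the reading process is permitted to view, so a scan like this belongs in a privileged collection agent and complements, rather than replaces, patching.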
Evidence notes
Official kernel stable commits resolve the issue. CVSS 7.8 (HIGH) per NVD with vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.
Official resources
- CVE-2026-46243 CVE record (CVE.org)
- CVE-2026-46243 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Published 2026-06-01; kernel fix commits available same day. No known exploitation in the wild; not listed in CISA KEV.