VYPR
Unrated severity · NVD Advisory · Published Mar 25, 2026 · Updated Apr 18, 2026

CVE-2026-23303

Description

In the Linux kernel, the following vulnerability has been resolved:

smb: client: Don't log plaintext credentials in cifs_set_cifscreds

When debug logging is enabled, cifs_set_cifscreds() logs the key payload and exposes the plaintext username and password. Remove the debug log to avoid exposing credentials.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2026-23303 fixes a debug logging flaw in the Linux kernel's cifs_set_cifscreds() that exposed plaintext credentials.

Vulnerability

CVE-2026-23303 is an information disclosure vulnerability in the credential handling of the Linux kernel's CIFS (Common Internet File System) client. The function cifs_set_cifscreds() reads a user's SMB credentials from a key held in the kernel keyring, and a debug-level log statement in that function printed the raw key payload, which is the plaintext username and password [1][2][3][4]. Nothing was wrong with the authentication logic itself; the flaw is that secrets were copied verbatim into the kernel log whenever debug output was switched on, which the official description confirms [1].

Exploitation

The leak occurs only when CIFS client debug output is enabled (the cifsFYI switch under /proc/fs/cifs, which is off by default) and only on the code path where cifs_set_cifscreds() runs, that is, when the client fetches a user's credentials from the kernel keyring, as it does for multiuser mounts. An attacker needs no access to the SMB share itself; what they need is read access to wherever the kernel log ends up: the ring buffer via dmesg (which kernel.dmesg_restrict=1 limits to holders of CAP_SYSLOG), or persisted copies under /var/log or in the systemd journal, which carry their own permissions. No network access and no privilege beyond reading those logs is required, so this is a local information leak whose reach is decided by log permissions rather than by the SMB client.

Impact

If debug logging is enabled, any local user or process that can read the kernel log can obtain the plaintext username and password used for CIFS/SMB authentication. Because those credentials are frequently domain or service accounts rather than share-local ones, the leak can be replayed against the file server and any other host that accepts the same account, turning a local log read into a broader compromise of network resources.

Mitigation

The fix removes the debug statement that prints the credential payload; nothing else about the credential lookup changes. The patch has been applied to the stable Linux kernel branches tracked by the provided commits [1][2][3][4]. Update to the current stable release from your distribution, or backport the specific commit (e.g., b746a357abfb) to your kernel source. Until then: make sure CIFS debug output is off (write 0 to /proc/fs/cifs/cifsFYI if it was ever turned on), set kernel.dmesg_restrict=1 and restrict read access to persisted kernel logs, and, if cifsFYI was enabled on a vulnerable kernel at any point, treat every account used for a CIFS mount during that window as exposed: purge the affected log entries and rotate the passwords.
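The checks described under Exploitation and Mitigation, as an added triage script that is not part of the advisory or of the Linux kernel tree. It assumes (none of this is stated on the page) that CIFS FYI debug output is switched by /proc/fs/cifs/cifsFYI with non-zero meaning on, that the removed debug line printed the keyring payload as "payload=<user>:<password>", and that kernel.dmesg_restrict=1 limits ring-buffer reads to CAP_SYSLOG holders. The function names are this example's own, the sample kernel-log extract is constructed, and the control-file paths are parameters so the script can be exercised against temporary files before it is run as root on a real host.

```shell
#!/bin/sh
# Added triage helper for CVE-2026-23303; example code, not from the advisory or
# the Linux kernel tree. It answers two questions on a host:
#   1. Could the CIFS client have written logon-key payloads to the kernel log?
#   2. Are such payloads present in a saved log extract, and which accounts do they name?
#
# Assumptions (not stated on the advisory page):
#   - CIFS FYI debug output is switched by /proc/fs/cifs/cifsFYI (non-zero = on).
#   - The removed debug line printed the key payload as "payload=<user>:<password>".
#   - kernel.dmesg_restrict=1 limits ring-buffer reads to CAP_SYSLOG holders.

# cifs_debug_enabled [control-file]
# Exit 0 if CIFS FYI debugging is on, 1 if it is off or the file is absent (no CIFS module).
cifs_debug_enabled() {
    fyi_file="${1:-/proc/fs/cifs/cifsFYI}"
    [ -r "$fyi_file" ] || return 1
    val=$(tr -d '[:space:]' < "$fyi_file")
    case "$val" in
        ''|*[!0-9]*) return 1 ;;   # empty or not a plain number: treat as off
    esac
    [ "$val" -ne 0 ]
}

# dmesg_restricted [sysctl-file]
# Exit 0 if unprivileged users are blocked from reading the kernel ring buffer.
dmesg_restricted() {
    f="${1:-/proc/sys/kernel/dmesg_restrict}"
    [ -r "$f" ] || return 1
    [ "$(tr -d '[:space:]' < "$f")" = "1" ]
}

# scan_cifs_leaks <log-file>
# Print one line per leaked payload as "<line-no>:<user>:***". The password is
# masked so the finding can go into a ticket without copying the secret again.
scan_cifs_leaks() {
    awk '
        /payload=/ {
            payload = substr($0, index($0, "payload=") + 8)   # text after "payload="
            c = index(payload, ":")
            user = (c > 0) ? substr(payload, 1, c - 1) : "<malformed>"
            printf "%d:%s:***\n", NR, user
        }' "$1"
}

# count_cifs_leaks <log-file>   -> number of leaked payload lines, on stdout
count_cifs_leaks() {
    scan_cifs_leaks "$1" | wc -l | tr -d ' '
}

# harden_cifs_logging [control-file]
# Turn CIFS FYI debugging off by writing 0 to cifsFYI (root-writable on a real host).
harden_cifs_logging() {
    fyi_file="${1:-/proc/fs/cifs/cifsFYI}"
    [ -w "$fyi_file" ] || return 1
    printf '0\n' > "$fyi_file"
}

# write_sample_log <path>
# Constructed kernel-log extract (not captured from a real system) showing the shape of
# what the vulnerable debug line produces on a multiuser mount with cifsFYI on.
write_sample_log() {
    cat > "$1" <<'EOF'
[  412.103055] CIFS: cifs_set_cifscreds: desc=cifs:a:192.0.2.10
[  412.103061] CIFS: payload=alice:Wint3r!2026
[  412.104210] CIFS: cifs_set_cifscreds: desc=cifs:d:CORP
[  412.104215] CIFS: payload=svc_backup:Backup#Passw0rd
[  412.220000] CIFS: Status code returned 0xc000006d STATUS_LOGON_FAILURE
EOF
}

# cifs_leak_report <log-file> [cifsFYI-file] [dmesg_restrict-file]
# Human-readable summary: debug state, ring-buffer exposure, and accounts to rotate.
cifs_leak_report() {
    log="$1"; fyi="${2:-/proc/fs/cifs/cifsFYI}"; dr="${3:-/proc/sys/kernel/dmesg_restrict}"
    if cifs_debug_enabled "$fyi"; then
        echo "cifsFYI: ON (a vulnerable kernel logs CIFS key payloads in this state)"
    else
        echo "cifsFYI: off or not present"
    fi
    if dmesg_restricted "$dr"; then
        echo "dmesg_restrict: 1 (unprivileged ring-buffer reads blocked)"
    else
        echo "dmesg_restrict: 0 (any local user can read dmesg)"
    fi
    n=$(count_cifs_leaks "$log")
    echo "leaked payloads in $log: $n"
    if [ "$n" -gt 0 ]; then
        echo "rotate these accounts' passwords:"
        scan_cifs_leaks "$log" | cut -d: -f2 | sort -u
    fi
    return 0
}

if [ $# -gt 0 ]; then
    cifs_leak_report "$@"
fi
```

Run it as `sh cifs_leak_check.sh /var/log/kern.log` (or against `dmesg > /tmp/dmesg.txt`) on the host in question; with no arguments it only defines the functions, so it can be sourced into a larger audit. The scanner deliberately never echoes the password portion, and the report lists the affected usernames once so the rotation step in the mitigation text has a concrete input.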

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
