CVE-2026-41013

Vulnerability

An input validation bypass in the SMB volume mount handling within CloudFoundry Foundation's diego-release allows a low-privileged Cloud Foundry space developer to inject arbitrary kernel CIFS mount options. This bypass occurs by circumventing the mount-option allowlist, which is intended to prevent dangerous root filesystem mount operations on shared Diego infrastructure. The vulnerability affects all versions of smb-volume-release prior to v3.60.0 and all versions of CF Deployment prior to v56.0.0 [1].

Exploitation

An attacker, with the privileges of a Cloud Foundry space developer, can craft malicious mount options that bypass the allowlist. This allows them to control all mount.cifs options, enabling them to weaken mount security by injecting options like setuids, noperm, or nounix, manipulate credentials using cruid= or credentials=/path/on/host, override security protocols with the sec= option, or apply other forbidden configurations [1].

Impact

Successful exploitation allows an attacker to achieve privilege escalation, gain unauthorized file system access, and compromise the multi-tenant security model on Diego cells. This can lead to a significant security control bypass on multi-tenant Diego cells [1].

Mitigation

The Cloud Foundry project recommends upgrading smb-volume-release to v3.60.0 or greater, or upgrading CF Deployment to v56.0.0 or greater, which includes the patched smb-volume-release [1]. Immediate workarounds include disabling SMB volume mounting for space developers, restricting SMB volume operations to platform operators, and auditing existing SMB mounts created by space developers [1].