CVE-2026-46243
Description
The Linux kernel SMB client incorrectly trusts userspace-provided cifs.spnego key descriptions, potentially allowing unauthorized manipulation of kernel-level authentication.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Linux kernel SMB client contains a flaw in how it processes cifs.spnego key descriptions. These descriptions contain sensitive authority-bearing fields such as pid, uid, creduid, and upcall_target, which the cifs.upcall mechanism expects to originate from the kernel. However, the implementation allows userspace to create these keys via request_key(2) or add_key(2), enabling the injection of arbitrary values into these fields [1], [2], [3], [4].
Exploitation
An attacker with the ability to execute code in userspace can exploit this by manually creating a cifs.spnego key using standard system calls. By crafting a malicious key description, the attacker can bypass the intended kernel-originating constraints, effectively spoofing the parameters that the kernel relies upon for secure upcall processing.
Impact
Successful exploitation allows an attacker to influence the kernel's authentication logic for SMB connections. This could lead to unauthorized access or privilege escalation within the context of the SMB client, as the kernel incorrectly treats user-supplied data as trusted, kernel-originating input.
Mitigation
The vulnerability is addressed by restricting the acceptance of cifs.spnego descriptions to instances where the CIFS client is actively using its private spnego_cred to request the key. Users should update to the latest stable Linux kernel versions where this validation logic has been enforced [1], [2], [3], [4].
AI Insight generated on Jun 1, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Patches
3da1fdf4efbc smb: client: reject userspace cifs.spnego descriptions
1 file changed · +16 −1
fs/smb/client/cifs_spnego.c+16 −1 modifieddiff --git a/fs/smb/client/cifs_spnego.c b/fs/smb/client/cifs_spnego.c index 3a41bbada04c7..44c4072756804 100644 --- a/fs/smb/client/cifs_spnego.c +++ b/fs/smb/client/cifs_spnego.c @@ -8,6 +8,7 @@ */ #include <linux/list.h> +#include <linux/cred.h> #include <linux/slab.h> #include <linux/string.h> #include <keys/user-type.h> @@ -40,12 +41,27 @@ cifs_spnego_key_destroy(struct key *key) kfree(key->payload.data[0]); } +static int +cifs_spnego_key_vet_description(const char *description) +{ + /* + * cifs.spnego descriptions are authority-bearing inputs to cifs.upcall. + * They are only valid when produced by CIFS while using the private + * spnego_cred installed below. Do not let userspace create this type + * of key through request_key(2)/add_key(2), since the helper treats + * pid/uid/creduid/upcall_target as kernel-originating fields. + */ + if (current_cred() != spnego_cred) + return -EPERM; + return 0; +} /* * keytype for CIFS spnego keys */ struct key_type cifs_spnego_key_type = { .name = "cifs.spnego", + .vet_description = cifs_spnego_key_vet_description, .instantiate = cifs_spnego_key_instantiate, .destroy = cifs_spnego_key_destroy, .describe = user_describe, -- cgit 1.3-korg
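Review bot: the gate in `cifs_spnego_key_vet_description` is a pointer comparison, `current_cred() != spnego_cred`, so a description is admitted only while the caller is actually running under the CIFS client's private credential; every other context, including one in which `spnego_cred` has not yet been installed (still NULL), is refused with -EPERM, which is the safe default and worth stating in the comment. The hook also never looks at its `description` argument, and the comment explains the threat but not why the string is left unparsed; add one line saying that the content is deliberately not inspected because a userspace-built description is indistinguishable from one built by CIFS, so the caller's credential is the only trustworthy signal.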
7713bd320ed4 smb: client: reject userspace cifs.spnego descriptions
1 file changed · +16 −1
fs/cifs/cifs_spnego.c+16 −1 modifieddiff --git a/fs/cifs/cifs_spnego.c b/fs/cifs/cifs_spnego.c index 4f9d08ac9dde5..5b7614451033b 100644 --- a/fs/cifs/cifs_spnego.c +++ b/fs/cifs/cifs_spnego.c @@ -20,6 +20,7 @@ */ #include <linux/list.h> +#include <linux/cred.h> #include <linux/slab.h> #include <linux/string.h> #include <keys/user-type.h> @@ -58,12 +59,27 @@ cifs_spnego_key_destroy(struct key *key) kfree(key->payload.data[0]); } +static int +cifs_spnego_key_vet_description(const char *description) +{ + /* + * cifs.spnego descriptions are authority-bearing inputs to cifs.upcall. + * They are only valid when produced by CIFS while using the private + * spnego_cred installed below. Do not let userspace create this type + * of key through request_key(2)/add_key(2), since the helper treats + * pid/uid/creduid/upcall_target as kernel-originating fields. + */ + if (current_cred() != spnego_cred) + return -EPERM; + return 0; +} /* * keytype for CIFS spnego keys */ struct key_type cifs_spnego_key_type = { .name = "cifs.spnego", + .vet_description = cifs_spnego_key_vet_description, .instantiate = cifs_spnego_key_instantiate, .destroy = cifs_spnego_key_destroy, .describe = user_describe, -- cgit 1.3-korg
9544559e5943 smb: client: reject userspace cifs.spnego descriptions
1 file changed · +16 −1
fs/cifs/cifs_spnego.c+16 −1 modifieddiff --git a/fs/cifs/cifs_spnego.c b/fs/cifs/cifs_spnego.c index 66b4413b94f7f..acd990ebbfe36 100644 --- a/fs/cifs/cifs_spnego.c +++ b/fs/cifs/cifs_spnego.c @@ -8,6 +8,7 @@ */ #include <linux/list.h> +#include <linux/cred.h> #include <linux/slab.h> #include <linux/string.h> #include <keys/user-type.h> @@ -46,12 +47,27 @@ cifs_spnego_key_destroy(struct key *key) kfree(key->payload.data[0]); } +static int +cifs_spnego_key_vet_description(const char *description) +{ + /* + * cifs.spnego descriptions are authority-bearing inputs to cifs.upcall. + * They are only valid when produced by CIFS while using the private + * spnego_cred installed below. Do not let userspace create this type + * of key through request_key(2)/add_key(2), since the helper treats + * pid/uid/creduid/upcall_target as kernel-originating fields. + */ + if (current_cred() != spnego_cred) + return -EPERM; + return 0; +} /* * keytype for CIFS spnego keys */ struct key_type cifs_spnego_key_type = { .name = "cifs.spnego", + .vet_description = cifs_spnego_key_vet_description, .instantiate = cifs_spnego_key_instantiate, .destroy = cifs_spnego_key_destroy, .describe = user_describe, -- cgit 1.3-korg
2035acfb1722 smb: client: reject userspace cifs.spnego descriptions
1 file changed · +16 −1
fs/smb/client/cifs_spnego.c+16 −1 modifieddiff --git a/fs/smb/client/cifs_spnego.c b/fs/smb/client/cifs_spnego.c index 2ad067886ec3f..10a261bc81c99 100644 --- a/fs/smb/client/cifs_spnego.c +++ b/fs/smb/client/cifs_spnego.c @@ -8,6 +8,7 @@ */ #include <linux/list.h> +#include <linux/cred.h> #include <linux/slab.h> #include <linux/string.h> #include <keys/user-type.h> @@ -46,12 +47,27 @@ cifs_spnego_key_destroy(struct key *key) kfree(key->payload.data[0]); } +static int +cifs_spnego_key_vet_description(const char *description) +{ + /* + * cifs.spnego descriptions are authority-bearing inputs to cifs.upcall. + * They are only valid when produced by CIFS while using the private + * spnego_cred installed below. Do not let userspace create this type + * of key through request_key(2)/add_key(2), since the helper treats + * pid/uid/creduid/upcall_target as kernel-originating fields. + */ + if (current_cred() != spnego_cred) + return -EPERM; + return 0; +} /* * keytype for CIFS spnego keys */ struct key_type cifs_spnego_key_type = { .name = "cifs.spnego", + .vet_description = cifs_spnego_key_vet_description, .instantiate = cifs_spnego_key_instantiate, .destroy = cifs_spnego_key_destroy, .describe = user_describe, -- cgit 1.3-korg
91f89c1d83e8 smb: client: reject userspace cifs.spnego descriptions
1 file changed · +16 −1
fs/smb/client/cifs_spnego.c+16 −1 modifieddiff --git a/fs/smb/client/cifs_spnego.c b/fs/smb/client/cifs_spnego.c index 9891f55bac1e2..60b4147d0eea0 100644 --- a/fs/smb/client/cifs_spnego.c +++ b/fs/smb/client/cifs_spnego.c @@ -8,6 +8,7 @@ */ #include <linux/list.h> +#include <linux/cred.h> #include <linux/slab.h> #include <linux/string.h> #include <keys/user-type.h> @@ -40,12 +41,27 @@ cifs_spnego_key_destroy(struct key *key) kfree(key->payload.data[0]); } +static int +cifs_spnego_key_vet_description(const char *description) +{ + /* + * cifs.spnego descriptions are authority-bearing inputs to cifs.upcall. + * They are only valid when produced by CIFS while using the private + * spnego_cred installed below. Do not let userspace create this type + * of key through request_key(2)/add_key(2), since the helper treats + * pid/uid/creduid/upcall_target as kernel-originating fields. + */ + if (current_cred() != spnego_cred) + return -EPERM; + return 0; +} /* * keytype for CIFS spnego keys */ struct key_type cifs_spnego_key_type = { .name = "cifs.spnego", + .vet_description = cifs_spnego_key_vet_description, .instantiate = cifs_spnego_key_instantiate, .destroy = cifs_spnego_key_destroy, .describe = user_describe, -- cgit 1.3-korg
0aece6685fc8 smb: client: reject userspace cifs.spnego descriptions
1 file changed · +16 −1
fs/smb/client/cifs_spnego.c+16 −1 modifieddiff --git a/fs/smb/client/cifs_spnego.c b/fs/smb/client/cifs_spnego.c index 3a41bbada04c7..44c4072756804 100644 --- a/fs/smb/client/cifs_spnego.c +++ b/fs/smb/client/cifs_spnego.c @@ -8,6 +8,7 @@ */ #include <linux/list.h> +#include <linux/cred.h> #include <linux/slab.h> #include <linux/string.h> #include <keys/user-type.h> @@ -40,12 +41,27 @@ cifs_spnego_key_destroy(struct key *key) kfree(key->payload.data[0]); } +static int +cifs_spnego_key_vet_description(const char *description) +{ + /* + * cifs.spnego descriptions are authority-bearing inputs to cifs.upcall. + * They are only valid when produced by CIFS while using the private + * spnego_cred installed below. Do not let userspace create this type + * of key through request_key(2)/add_key(2), since the helper treats + * pid/uid/creduid/upcall_target as kernel-originating fields. + */ + if (current_cred() != spnego_cred) + return -EPERM; + return 0; +} /* * keytype for CIFS spnego keys */ struct key_type cifs_spnego_key_type = { .name = "cifs.spnego", + .vet_description = cifs_spnego_key_vet_description, .instantiate = cifs_spnego_key_instantiate, .destroy = cifs_spnego_key_destroy, .describe = user_describe, -- cgit 1.3-korg
cf20038657d6 smb: client: reject userspace cifs.spnego descriptions
1 file changed · +16 −1
fs/smb/client/cifs_spnego.c+16 −1 modifieddiff --git a/fs/smb/client/cifs_spnego.c b/fs/smb/client/cifs_spnego.c index 8b58f494235ff..67cd4ac5e5e83 100644 --- a/fs/smb/client/cifs_spnego.c +++ b/fs/smb/client/cifs_spnego.c @@ -8,6 +8,7 @@ */ #include <linux/list.h> +#include <linux/cred.h> #include <linux/slab.h> #include <linux/string.h> #include <keys/user-type.h> @@ -46,12 +47,27 @@ cifs_spnego_key_destroy(struct key *key) kfree(key->payload.data[0]); } +static int +cifs_spnego_key_vet_description(const char *description) +{ + /* + * cifs.spnego descriptions are authority-bearing inputs to cifs.upcall. + * They are only valid when produced by CIFS while using the private + * spnego_cred installed below. Do not let userspace create this type + * of key through request_key(2)/add_key(2), since the helper treats + * pid/uid/creduid/upcall_target as kernel-originating fields. + */ + if (current_cred() != spnego_cred) + return -EPERM; + return 0; +} /* * keytype for CIFS spnego keys */ struct key_type cifs_spnego_key_type = { .name = "cifs.spnego", + .vet_description = cifs_spnego_key_vet_description, .instantiate = cifs_spnego_key_instantiate, .destroy = cifs_spnego_key_destroy, .describe = user_describe, -- cgit 1.3-korg
a3bbda6502a9 smb: client: reject userspace cifs.spnego descriptions
1 file changed · +16 −1
fs/smb/client/cifs_spnego.c+16 −1 modifieddiff --git a/fs/smb/client/cifs_spnego.c b/fs/smb/client/cifs_spnego.c index bc1c1e9b288ad..507985939950d 100644 --- a/fs/smb/client/cifs_spnego.c +++ b/fs/smb/client/cifs_spnego.c @@ -8,6 +8,7 @@ */ #include <linux/list.h> +#include <linux/cred.h> #include <linux/slab.h> #include <linux/string.h> #include <keys/user-type.h> @@ -46,12 +47,27 @@ cifs_spnego_key_destroy(struct key *key) kfree(key->payload.data[0]); } +static int +cifs_spnego_key_vet_description(const char *description) +{ + /* + * cifs.spnego descriptions are authority-bearing inputs to cifs.upcall. + * They are only valid when produced by CIFS while using the private + * spnego_cred installed below. Do not let userspace create this type + * of key through request_key(2)/add_key(2), since the helper treats + * pid/uid/creduid/upcall_target as kernel-originating fields. + */ + if (current_cred() != spnego_cred) + return -EPERM; + return 0; +} /* * keytype for CIFS spnego keys */ struct key_type cifs_spnego_key_type = { .name = "cifs.spnego", + .vet_description = cifs_spnego_key_vet_description, .instantiate = cifs_spnego_key_instantiate, .destroy = cifs_spnego_key_destroy, .describe = user_describe, -- cgit 1.3-korg
Vulnerability mechanics
Root cause
"The kernel fails to validate the origin of cifs.spnego keys, allowing userspace to supply arbitrary authority-bearing fields."
Attack vector
An attacker can use system calls like request_key(2) or add_key(2) to create keys of type cifs.spnego. Because the kernel previously did not verify the source of these keys, it would treat user-supplied fields such as pid, uid, creduid, and upcall_target as trusted, kernel-originating inputs. This allows for the injection of malicious or unauthorized authority-bearing data into the cifs.upcall process [patch_id=4328650].
Affected code
The vulnerability exists within the key type definition for cifs.spnego, specifically in the files fs/smb/client/cifs_spnego.c or fs/cifs/cifs_spnego.c depending on the kernel version. The fix modifies the cifs_spnego_key_type structure to include the .vet_description field and adds the corresponding cifs_spnego_key_vet_description function [patch_id=4328650].
What the fix does
The patch introduces a new validation function, cifs_spnego_key_vet_description, and assigns it to the .vet_description hook of the cifs_spnego_key_type structure. The function compares the calling context's credentials (current_cred()) against the CIFS client's private spnego_cred, so that only the kernel's own CIFS request path, running under that credential, can create keys of this type. Any attempt from userspace to manually instantiate or define cifs.spnego keys is rejected with -EPERM, which prevents the injection of unauthorized authority-bearing fields [patch_id=4328650].
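To make the trust boundary concrete, the following is an added userspace C model of the vet hook described in the Vulnerability and What the fix does sections; it is example code written for this page, not the kernel's implementation. struct cred, key_type, key_alloc() and current_cred() are simplified stand-ins that borrow the kernel's names, the kernel's real request path (which runs under spnego_cred) is modelled by a global pointer, and the sample description string is constructed for the example.

```c
/*
 * Added example for this page, not kernel code: a userspace model of the
 * vet_description gate that the fix installs on the cifs.spnego key type.
 * struct cred, key_type, key_alloc() and current_cred() are simplified
 * stand-ins for the kernel objects of the same name.
 */
#include <errno.h>
#include <stdio.h>

struct cred {
    const char *label;              /* who this credential belongs to */
};

struct key_type {
    const char *name;
    /* Called before a key of this type is created; NULL means "no check". */
    int (*vet_description)(const char *description);
};

/* The CIFS client's private credential and an ordinary user's credential. */
static const struct cred cifs_private_cred = { "cifs spnego_cred" };
static const struct cred unprivileged_cred = { "unprivileged user" };

/* Pointer the hook compares against; NULL until CIFS "installs" it at init. */
static const struct cred *spnego_cred;
/* Credential the current call runs under (stand-in for the kernel's current). */
static const struct cred *running_as = &unprivileged_cred;

static const struct cred *current_cred(void)
{
    return running_as;
}

/* The check from the fix: the caller's identity decides, not the string. */
static int cifs_spnego_key_vet_description(const char *description)
{
    (void)description;              /* content is deliberately not inspected */
    if (current_cred() != spnego_cred)
        return -EPERM;
    return 0;
}

/* Stand-in for key_alloc(): the vet hook runs before anything is allocated. */
static int key_alloc(const struct key_type *type, const char *description)
{
    if (type->vet_description) {
        int ret = type->vet_description(description);
        if (ret < 0)
            return ret;
    }
    /* A real implementation would allocate and link the key here. */
    return 0;
}

/* Before the fix: no hook, so every caller's description is accepted. */
static const struct key_type unfixed_type = { "cifs.spnego", NULL };
/* After the fix: creation is gated by cifs_spnego_key_vet_description. */
static const struct key_type fixed_type = {
    "cifs.spnego", cifs_spnego_key_vet_description
};

/*
 * Constructed sample description carrying the authority-bearing fields the
 * page names (uid, creduid, pid, upcall_target). Nothing in the string tells
 * the kernel whether it was built by CIFS or handed in from userspace.
 */
static const char *sample_desc =
    "ver=0x2;host=files.example.test;sec=krb5;uid=0x3e8;creduid=0x3e8;"
    "user=alice;pid=0x2a;upcall_target=mount";

/* Each scenario sets both globals so the scenarios can run in any order. */

/* Unprivileged caller, unpatched type: accepted, which is the bug. */
int scenario_unfixed_user(void)
{
    spnego_cred = &cifs_private_cred;
    running_as = &unprivileged_cred;
    return key_alloc(&unfixed_type, sample_desc);
}

/* Unprivileged caller, patched type: refused with -EPERM. */
int scenario_fixed_user(void)
{
    spnego_cred = &cifs_private_cred;
    running_as = &unprivileged_cred;
    return key_alloc(&fixed_type, sample_desc);
}

/* CIFS request path running under spnego_cred: still accepted. */
int scenario_fixed_cifs_path(void)
{
    spnego_cred = &cifs_private_cred;
    running_as = spnego_cred;
    return key_alloc(&fixed_type, sample_desc);
}

/* Patched type but spnego_cred never installed: refused, the safe default. */
int scenario_fixed_uninstalled(void)
{
    spnego_cred = NULL;
    running_as = &unprivileged_cred;
    return key_alloc(&fixed_type, sample_desc);
}

int main(void)
{
    printf("unfixed, user caller:          %d\n", scenario_unfixed_user());
    printf("fixed, user caller:            %d (-EPERM)\n", scenario_fixed_user());
    printf("fixed, CIFS under spnego_cred: %d\n", scenario_fixed_cifs_path());
    printf("fixed, cred never installed:   %d (-EPERM)\n", scenario_fixed_uninstalled());
    return 0;
}
```

The same description string is accepted or refused depending only on which credential the caller runs under, which is the whole point of the fix: the key description cannot be validated by content, so the kernel validates origin instead.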
Preconditions
- Input: The attacker must have the ability to invoke system calls such as request_key(2) or add_key(2).
Generated on Jun 1, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- git.kernel.org/stable/c/0aece6685fc80a8de492688ca2315fb86ec379c7 (nvd)
- git.kernel.org/stable/c/2035acfb17221729b1b8ac335e941868a04ca079 (nvd)
- git.kernel.org/stable/c/3da1fdf4efbc490041eb4f836bf596201203f8f2 (nvd)
- git.kernel.org/stable/c/7713bd320ed4fc3d08a227cd8e41242219a16981 (nvd)
- git.kernel.org/stable/c/91f89c1d83e80417629791fcef6af8140d7d01c8 (nvd)
- git.kernel.org/stable/c/9544559e59438a4b609b2fdfa0763d8360572824 (nvd)
- git.kernel.org/stable/c/a3bbda6502a9398b816fa2e71c9a3f955f58013d (nvd)
- git.kernel.org/stable/c/cf20038657d6d4974349556a34e08fe0490bebbc (nvd)