Description
In the Linux kernel, the following vulnerability has been resolved:

smb: client: Don't log plaintext credentials in cifs_set_cifscreds

When debug logging is enabled, cifs_set_cifscreds() logs the key
payload and exposes the plaintext username and password. Remove the
debug log to avoid exposing credentials.
Published: 2026-03-25
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Exposure of plaintext credentials through debug logs
Action: Patch or Disable
AI Analysis

Impact

The Linux kernel contains a flaw in the SMB client where credentials supplied to the CIFS filesystem are inadvertently written to debug output. When debug logging is turned on, cifs_set_cifscreds() logs the key payload exposing the plaintext username and password. This results in potential information disclosure of authentication credentials to anyone who can read the kernel logs.

Affected Systems

All Linux kernel releases that include CIFS/SMB support are potentially affected. No specific version range is provided, so any kernel version prior to the applied fix may be vulnerable until a patch is installed.

Risk and Exploitability

The CVSS base score of 5.5 indicates moderate severity, while the EPSS score is below 1 % and the vulnerability is not listed in the CISA KEV catalog, suggesting limited exploitation likelihood. The attack vector is most likely local; an adversary with the ability to enable debug logging or read kernel logs could obtain credentials. The published fix removes the debug log entry, eliminating the disclosure path.

Generated by OpenCVE AI on March 26, 2026 at 14:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to the latest version that includes the fix for this SMB credential logging issue
  • If updating is not immediately possible, disable SMB debug logging to prevent credentials from being written to logs
  • Verify that debug logging remains disabled by inspecting log files and system settings

Generated by OpenCVE AI on March 26, 2026 at 14:04 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 18 Apr 2026 09:15:00 +0000

Type Values Removed Values Added
References

Thu, 26 Mar 2026 12:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-200

Thu, 26 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-256
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Low

Wed, 25 Mar 2026 22:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-200

Wed, 25 Mar 2026 10:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: smb: client: Don't log plaintext credentials in cifs_set_cifscreds When debug logging is enabled, cifs_set_cifscreds() logs the key payload and exposes the plaintext username and password. Remove the debug log to avoid exposing credentials.
Title smb: client: Don't log plaintext credentials in cifs_set_cifscreds
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-18T08:57:50.190Z

Reserved: 2026-01-13T15:37:45.993Z

Link: CVE-2026-23303

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-25T11:16:26.060

Modified: 2026-04-18T09:16:18.073

Link: CVE-2026-23303

cve-icon Redhat

Severity : Low

Publid Date: 2026-03-25T00:00:00Z

Links: CVE-2026-23303 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-03-27T09:50:03Z

Weaknesses