Description
In the Linux kernel, the following vulnerability has been resolved:

ksmbd: Compare MACs in constant time

To prevent timing attacks, MAC comparisons need to be constant-time.
Replace the memcmp() with the correct function, crypto_memneq().
Published: 2026-03-25
Score: 7.4 High
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure via Timing Attack
Action: Immediate Patch
AI Analysis

Impact

The ksmbd component of the Linux kernel compared MACs with memcmp(), which returns as soon as it finds a differing byte, so its running time depends on how many leading bytes of an attacker-supplied MAC match the expected value. An attacker who can submit candidate MACs to the SMB service and measure the response time closely enough can use that leak to recover the expected MAC byte by byte instead of having to guess the whole value at once. A recovered MAC lets the attacker pass a message of their choosing off as authentic, defeating the integrity and authentication guarantees the MAC is meant to provide; the CVSS vector assesses the resulting impact as high for both confidentiality and integrity.

Affected Systems

All Linux kernel builds that include ksmbd (CONFIG_SMB_SERVER) and predate the commit replacing memcmp() with crypto_memneq(). The description gives no version numbers; the NVD configuration recorded in the History section below lists CPEs for 5.15 and 7.0-rc1 through 7.0-rc7, and any distribution kernel that carries the vulnerable comparison and has not backported the fix should be treated as affected.

Risk and Exploitability

A CVSS 3.1 base score of 7.4 is rated High. The vector (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N) describes a network-reachable attack that needs no privileges and no user interaction but has high attack complexity: the attacker must reach the SMB service and collect timing measurements precise enough to resolve the small difference in comparison time, which is difficult over a noisy network. The EPSS score below 1% and the absence of a CISA KEV listing both indicate low observed exploitation likelihood. Systems that expose ksmbd to untrusted networks still carry real risk, because the attack requires no credentials.

Generated by OpenCVE AI on April 2, 2026 at 16:59 UTC.

Remediation

No vendor fix or workaround is recorded in this entry. The upstream fix is the kernel commit described above, which replaces memcmp() in ksmbd with crypto_memneq(); distribution kernels receive it through a stable release or a backport.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that includes the crypto_memneq fix for ksmbd.
  • Verify that the new kernel is running and that the ksmbd module has been updated.
  • Reboot the system if necessary to ensure the patched kernel is active.
  • If an immediate upgrade is not possible, disable the ksmbd service until the update is applied.


Tracking


Advisories

No advisories yet.

History

Fri, 24 Apr 2026 16:00:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:o:linux:linux_kernel:5.15:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*

Thu, 02 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N'}


Thu, 26 Mar 2026 12:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-592

Thu, 26 Mar 2026 00:15:00 +0000


Wed, 25 Mar 2026 22:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-592

Wed, 25 Mar 2026 10:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: ksmbd: Compare MACs in constant time To prevent timing attacks, MAC comparisons need to be constant-time. Replace the memcmp() with the correct function, crypto_memneq().
Title ksmbd: Compare MACs in constant time
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-13T06:05:51.808Z

Reserved: 2026-01-13T15:37:46.002Z

Link: CVE-2026-23364

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-03-25T11:16:35.547

Modified: 2026-04-24T15:46:07.933

Link: CVE-2026-23364

Redhat

Severity:

Public Date: 2026-03-25T00:00:00Z

Links: CVE-2026-23364 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-02T20:23:02Z

Weaknesses