Description
In the Linux kernel, the following vulnerability has been resolved:

smb: client: fix krb5 mount with username option

Customer reported that some of their krb5 mounts were failing against
a single server as the client was trying to mount the shares with
wrong credentials. It turned out the client was reusing SMB session
from first mount to try mounting the other shares, even though a
different username= option had been specified to the other mounts.

By using username mount option along with sec=krb5 to search for
principals from keytab is supported by cifs.upcall(8) since
cifs-utils-4.8. So fix this by matching username mount option in
match_session() even with Kerberos.

For example, the second mount below should fail with -ENOKEY as there
is no 'foobar' principal in keytab (/etc/krb5.keytab). The client
ends up reusing SMB session from first mount to perform the second
one, which is wrong.

```
$ ktutil
ktutil: add_entry -password -p testuser -k 1 -e aes256-cts
Password for testuser@ZELDA.TEST:
ktutil: write_kt /etc/krb5.keytab
ktutil: quit
$ klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------------------------
1 testuser@ZELDA.TEST (aes256-cts-hmac-sha1-96)
$ mount.cifs //w22-root2/scratch /mnt/1 -o sec=krb5,username=testuser
$ mount.cifs //w22-root2/scratch /mnt/2 -o sec=krb5,username=foobar
$ mount -t cifs | grep -Po 'username=\K\w+'
testuser
testuser
```
Published: 2026-04-03
Score: 5.8 Medium
EPSS: n/a
KEV: No
Impact: Unauthorized Share Access via Kerberos Session Reuse
Action: Immediate Patch
AI Analysis

Impact

A flaw in the Linux kernel’s SMB client caused the kernel to reuse an established Kerberos authenticated session when mounting a new share that specified a different username. Because the authentication logic ignored the username mount option, the client attempted to authenticate the second share using credentials from the first mount, either failing or granting access to a share that should be protected by another Kerberos principal. The result is a potential authentication bypass that lets a user or attacker access shares with the wrong Kerberos credentials.

Affected Systems

Linux systems that use the CIFS/SMB client with Kerberos authentication (sec=krb5) and a keytab file are impacted. The bug exists in the cifs client implementation of the Linux kernel; any kernel version that has not incorporated the upstream patch is vulnerable.

Risk and Exploitability

The vulnerability does not require advanced privileges; an attacker only needs the ability to perform SMB mounts with different usernames. Once a session is established with one Kerberos principal, subsequent mounts using a different username will reuse the same session, potentially exposing data. No EPSS score or KEV listing is available, but the bug was addressed in a kernel commit and is considered mitigated by applying the updated kernel. The risk is moderate to high for environments that mount multiple SMB shares with Kerberos, especially when shares are intended to be isolated by principal.

Generated by OpenCVE AI on April 3, 2026 at 18:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update your Linux kernel to a version that includes the upstream cifs client patch that fixes session reuse.
  • Avoid mounting multiple SMB shares with different Kerberos usernames from the same kernel session; use separate mount points or restart the session for each unique username.
  • Verify that your keytab files contain only the Kerberos principals required for each share.

Generated by OpenCVE AI on April 3, 2026 at 18:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 04 Apr 2026 01:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-488
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.8, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H'}

threat_severity

Moderate

Fri, 03 Apr 2026 21:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-287

Fri, 03 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: smb: client: fix krb5 mount with username option Customer reported that some of their krb5 mounts were failing against a single server as the client was trying to mount the shares with wrong credentials. It turned out the client was reusing SMB session from first mount to try mounting the other shares, even though a different username= option had been specified to the other mounts. By using username mount option along with sec=krb5 to search for principals from keytab is supported by cifs.upcall(8) since cifs-utils-4.8. So fix this by matching username mount option in match_session() even with Kerberos. For example, the second mount below should fail with -ENOKEY as there is no 'foobar' principal in keytab (/etc/krb5.keytab). The client ends up reusing SMB session from first mount to perform the second one, which is wrong. ``` $ ktutil ktutil: add_entry -password -p testuser -k 1 -e aes256-cts Password for testuser@ZELDA.TEST: ktutil: write_kt /etc/krb5.keytab ktutil: quit $ klist -ke Keytab name: FILE:/etc/krb5.keytab KVNO Principal ---- ---------------------------------------------------------------- 1 testuser@ZELDA.TEST (aes256-cts-hmac-sha1-96) $ mount.cifs //w22-root2/scratch /mnt/1 -o sec=krb5,username=testuser $ mount.cifs //w22-root2/scratch /mnt/2 -o sec=krb5,username=foobar $ mount -t cifs | grep -Po 'username=\K\w+' testuser testuser ```
Title smb: client: fix krb5 mount with username option
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-03T15:15:57.491Z

Reserved: 2026-03-09T15:48:24.085Z

Link: CVE-2026-31392

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-04-03T16:16:37.300

Modified: 2026-04-03T16:16:37.300

Link: CVE-2026-31392

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-03T00:00:00Z

Links: CVE-2026-31392 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-03T21:15:35Z

Weaknesses