Description
Input validation bypass in SMB volume mount handling in CloudFoundry Foundation diego-release allows low-privileged CF space developer to inject arbitrary kernel CIFS mount options via bypassing the mount-option allowlist, enabling privilege escalation and security control bypass on multi-tenant Diego cells.

Affected versions:
smb-volume-release: All versions prior to v3.60.0
CF Deployment: All versions prior to v56.0.0
Published: 2026-06-01
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Input validation bypass in the SMB volume mount handling of CloudFoundry Diego releases allows a low‑privileged space developer to inject arbitrary kernel CIFS mount options by bypassing the mount‑option allowlist. The injected options give the attacker elevated privileges and enable bypass of security controls on multi‑tenant Diego cells. This weakness is classified as CWE‑88. The result is that a tenant can compromise other tenants or the host kernel, leading to loss of confidentiality, integrity and availability.

Affected Systems

The flaw exists in all releases of SMB volume release earlier than version 3.60.0 and in all CF Deployment releases earlier than version 56.0.0 from the CloudFoundry Foundation. Systems using these older versions are vulnerable.

Risk and Exploitability

The CVSS score of 8.1 indicates high severity for this vulnerability. The EPSS score is not available, and the flaw is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is a tenant who has developer role permissions and can mount SMB volumes within their space; no additional user interaction or remote code execution is required. Exploiting the flaw requires only configuration of mount options and will succeed on all Diego cells that run an affected version of the SMB volume release.

Generated by OpenCVE AI on June 1, 2026 at 21:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade smb-volume-release to v3.60.0 or newer and CF Deployment to v56.0.0 or newer
  • Deploy the updated releases to all Diego cells and rebuild any existing SMB volumes
  • Restrict tenant control of CIFS mount options by disabling the ability to specify custom options or by whitelisting allowed options
  • Configure log monitoring to detect and alert on unapproved CIFS mount attempts

Generated by OpenCVE AI on June 1, 2026 at 21:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 01 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 01 Jun 2026 19:00:00 +0000

Type Values Removed Values Added
Description Input validation bypass in SMB volume mount handling in CloudFoundry Foundation diego-release allows low-privileged CF space developer to inject arbitrary kernel CIFS mount options via bypassing the mount-option allowlist, enabling privilege escalation and security control bypass on multi-tenant Diego cells. Affected versions: smb-volume-release: All versions prior to v3.60.0 CF Deployment: All versions prior to v56.0.0
Title Tenant-controlled comma smuggles arbitrary CIFS mount options
Weaknesses CWE-88
References

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: vmware

Published:

Updated: 2026-06-01T19:40:16.203Z

Reserved: 2026-04-16T02:19:16.427Z

Link: CVE-2026-41013

cve-icon Vulnrichment

Updated: 2026-06-01T19:40:04.454Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-06-01T19:16:39.887

Modified: 2026-06-02T14:01:54.893

Link: CVE-2026-41013

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-01T21:30:26Z

Weaknesses