Impact
A flaw in the Linux ksmbd daemon caused sensitive SMB3 signing and encryption keys to be written to kernel logs when the KSMBD_DEBUG_AUTH flag was set. Because the keys were logged in clear text, any party that could read the logs – such as a local user with sufficient privileges or an attacker who gained read access to the log files – could capture the cryptographic material used to sign or encrypt SMB traffic. With those keys, the attacker could forge SMB messages, impersonate a legitimate server or client, or decrypt traffic between peers, thereby compromising confidentiality and potentially enabling further attacks. The weaknesses include improper handling of sensitive information and improper logging of cryptographic material.
Affected Systems
Any Linux kernel that includes ksmbd and has the KSMBD_DEBUG_AUTH logging option enabled is potentially affected. The reference patches in the supplied git URLs remove the logging of key bytes, so older kernel versions that have not yet applied these changes remain vulnerable. No explicit version range is listed, so the safest assumption is that all builds prior to the commits referenced should be treated as vulnerable.
Risk and Exploitability
The vulnerability requires that the attacker be able to read kernel logs that contain the sensitive bytes. Exploitation therefore typically requires local access with sufficient privileges to read those logs, and is possible remotely only if the logs are exposed over a network or are otherwise accessible. No remote execution or denial-of-service vector is disclosed. The EPSS score is not provided, and the vulnerability is not in the CISA KEV catalog, suggesting limited exploitation activity to date. The risk, however, remains high for environments using debug logging, as captured keys can be used to undermine SMB security.
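A defender's check for the exposure described above, as an added example that is not part of the advisory or of the ksmbd project: it tests whether the auth debug component is enabled and locates suspected key dumps in log text without reproducing the key bytes. The sysfs path `/sys/class/ksmbd-control/debug`, the `ksmbd: ... <Label> Key <hex bytes>` line shape and the sample log lines are assumptions constructed for illustration; verify them against your kernel before relying on the results.

```python
import re

# Assumed shape of a leaked line: "ksmbd: ... <Label> Key <hex bytes>", with the
# bytes as space-separated two-digit hex (the kernel's %*ph format). The 16-byte
# minimum is an assumption based on the smallest SMB3 key size; adjust both to
# match what your kernel actually prints.
KEY_DUMP = re.compile(
    r"ksmbd:.*?(?P<label>\w+)\s+Key\s+(?P<hex>(?:[0-9a-f]{2} ){15,}[0-9a-f]{2})\b",
    re.IGNORECASE,
)

# Constructed sample log lines (not captured from a real system).
SAMPLE_LOG = [
    "[  101.000001] ksmbd: dumping generated AES signing keys",
    "[  101.000002] ksmbd: Session Id    42",
    "[  101.000003] ksmbd: Session Key   00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff",
    "[  101.000004] ksmbd: Signing Key   0f 1e 2d 3c 4b 5a 69 78 87 96 a5 b4 c3 d2 e1 f0",
    "[  101.000005] ksmbd: generated SMB3 signing key",
]


def auth_debug_enabled(sysfs_text):
    """True if 'auth' is bracketed in the text read from the ksmbd debug file."""
    return "[auth]" in sysfs_text.split()


def find_key_dumps(lines):
    """Return (line_no, label, byte_count) per suspected dump, never the bytes."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        match = KEY_DUMP.search(line)
        if match:
            findings.append((line_no, match["label"], len(match["hex"].split())))
    return findings


def redact(line):
    """Replace dumped key bytes so the line can be archived or attached to a ticket."""
    return KEY_DUMP.sub(
        lambda m: m.group(0)[: m.start("hex") - m.start()] + "<redacted>", line
    )


if __name__ == "__main__":
    for line_no, label, size in find_key_dumps(SAMPLE_LOG):
        print(f"line {line_no}: {label} key dump ({size} bytes) -> {redact(SAMPLE_LOG[line_no - 1])}")
```

Any finding means the sessions whose keys were logged should be treated as exposed, and the matching log lines should be purged or redacted wherever the logs were forwarded.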
OpenCVE Enrichment