Impact
A flaw in the Linux ksmbd daemon caused sensitive SMB3 signing and encryption keys to be written to kernel logs when the KSMBD_DEBUG_AUTH flag was set. Because the keys were logged in clear text, any party that could read the logs—such as a local user with sufficient privileges or an attacker who gained read access to the log files—could capture the cryptographic material used to sign or encrypt SMB traffic. With those keys, an attacker could forge SMB messages, impersonate a legitimate server or client, or decrypt traffic between peers, thereby compromising confidentiality and potentially enabling further attacks. The weakness involves improper handling of sensitive information and improper logging of cryptographic material.
Affected Systems
Any Linux kernel that includes ksmbd and has the KSMBD_DEBUG_AUTH logging option enabled is potentially affected. The reference patches in the supplied git URLs remove the logging of key bytes, so older kernel versions that have not yet applied these changes remain vulnerable. No explicit version range is listed, so the safest assumption is that all builds prior to the commits referenced should be treated as vulnerable.
Risk and Exploitability
Exploitation requires that the attacker be able to read kernel logs that contain the sensitive bytes. From the description, this implies either that the attacker needs local privileges sufficient to read kernel logs, or that the logs are exposed in a way that permits remote access; no remote exploitation vector is documented, and no remote execution or denial‑of‑service vector is disclosed. The CVSS score of 8.1 indicates high severity, and the EPSS score of < 1% indicates a very low but nonzero probability of exploitation. The vulnerability is not listed in the CISA KEV catalog, indicating limited exploitation activity to date. Given the implications of key exposure, the risk remains high for environments with debug logging enabled, because the captured keys could be used to undermine SMB security.
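A defender-side check for the exposure described above, as an added example that is not part of the advisory or the ksmbd project: it reports whether the auth debug component is enabled and flags log lines that look like key dumps without echoing the bytes. The sysfs path follows ksmbd's documented debug control file; the "<label> Key" plus hex-bytes line shape and all sample log lines are assumptions constructed for illustration.

```python
import re
from pathlib import Path

# Assumption: ksmbd's documented sysfs control file; enabled components are
# shown in square brackets, e.g. "[smb] auth vfs oplock ipc conn rdma".
DEBUG_CTL = Path("/sys/class/ksmbd-control/debug")

# Assumption: a key dump is a "<label> Key" field followed by at least 16
# space-separated hex bytes (the kernel's %*ph format) on a ksmbd log line.
KEY_LINE = re.compile(
    r"ksmbd.*?\b(?P<label>\w+ Key)\s+(?P<hex>[0-9a-f]{2}(?: [0-9a-f]{2}){15,})",
    re.IGNORECASE,
)

def auth_debug_enabled(ctl_text: str) -> bool:
    """True if the 'auth' component is bracketed (enabled) in the control text."""
    return "[auth]" in ctl_text.split()

def find_key_dumps(log_lines):
    """Return (line_no, label, byte_count) per hit; key bytes are never returned."""
    hits = []
    for no, line in enumerate(log_lines, 1):
        m = KEY_LINE.search(line)
        if m:
            hits.append((no, m.group("label"), len(m.group("hex").split())))
    return hits

# Constructed sample log lines (not captured from a real system).
SAMPLE_LOG = [
    "[  101.000001] ksmbd: Session Id    42",
    "[  101.000002] ksmbd: Signing Key   " + " ".join(["ab"] * 16),
    "[  101.000003] ksmbd: ServerIn Key  " + " ".join(["cd"] * 32),
    "[  101.000004] ksmbd: connection accepted",
]

if __name__ == "__main__":
    if DEBUG_CTL.exists():
        state = auth_debug_enabled(DEBUG_CTL.read_text())
        print(f"ksmbd auth debug enabled: {state}")
    for no, label, n in find_key_dumps(SAMPLE_LOG):
        print(f"line {no}: {label} dump, {n} bytes (redacted)")
```

Any hit means the sessions whose keys were logged should be treated as compromised, and every stored or forwarded copy of the affected logs should be located and access-restricted.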