Cyber Resilience

CVE-2026-23364

High

Published: 25 March 2026

Published
25 March 2026
Modified
24 April 2026
KEV Added
Patch
CVSS Score v3.1 7.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS Score 0.0005 16.8th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-23364 is a high-severity an unspecified weakness vulnerability in Linux Linux Kernel. Its CVSS base score is 7.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 16.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-23364 is a vulnerability in the ksmbd (Kernel Samba) component of the Linux kernel. It stems from the use of memcmp() for MAC (Message Authentication Code) comparisons, which are not performed in constant time and thus susceptible to timing attacks. The issue was resolved by replacing memcmp() with crypto_memneq(), ensuring constant-time comparisons to mitigate such side-channel risks.

The vulnerability can be exploited by remote attackers over the network (AV:N), though it requires high attack complexity (AC:H), no privileges (PR:N), and no user interaction (UI:N). Per the CVSS v3.1 base score of 7.4 (S:U/C:H/I:H/A:N), successful exploitation could result in high confidentiality and integrity impacts, such as potential information disclosure or manipulation via precise timing measurements of MAC validation responses in SMB communications.

Mitigation is provided through patches in Linux kernel stable releases, as detailed in the following commit references: https://git.kernel.org/stable/c/2cdc56ed67615ba0921383a688f24415ebe065f3, https://git.kernel.org/stable/c/307afccb751f542246bd5dc68a2c1ffe1a78418c, https://git.kernel.org/stable/c/93c0a22fec914ec4b697e464895a0f594e29fb28, https://git.kernel.org/stable/c/c5794709bc9105935dbedef8b9cf9c06f2b559fa, and https://git.kernel.org/stable/c/cd52a0e309659537048a864211abc3ea4c5caa63. Security practitioners should apply these updates to affected kernels running ksmbd to prevent exploitation.

EU & UK References

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved: ksmbd: Compare MACs in constant time To prevent timing attacks, MAC comparisons need to be constant-time. Replace the memcmp() with the correct function, crypto_memneq().

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1600 Weaken Encryption Defense Impairment
Adversaries may compromise a network device’s encryption capability in order to bypass encryption that would otherwise protect data communications.
Why these techniques?

Remote network timing side-channel on SMB MAC verification directly enables exploitation of public-facing kernel service (T1190) and weakens cryptographic protections (T1600).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-31649Same product: Linux Linux Kernel
CVE-2026-31668Same product: Linux Linux Kernel
CVE-2026-23455Same product: Linux Linux Kernel
CVE-2026-43186Same product: Linux Linux Kernel
CVE-2026-22984Same product: Linux Linux Kernel
CVE-2026-31414Same product: Linux Linux Kernel
CVE-2026-43037Same product: Linux Linux Kernel
CVE-2026-43055Same product: Linux Linux Kernel
CVE-2026-31718Same product: Linux Linux Kernel
CVE-2026-31478Same product: Linux Linux Kernel

Affected Assets

linux
linux kernel
5.15, 7.0 · 5.15.1 — 6.1.167 · 6.2 — 6.6.130 · 6.7 — 6.12.78

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the vulnerability by identifying, reporting, and applying kernel patches that replace non-constant-time memcmp with crypto_memneq for secure MAC comparisons in ksmbd.

prevent

Prevents exposure to the ksmbd timing attack by configuring systems to provide only essential capabilities and restricting unnecessary kernel Samba functionality.

detectrespond

Identifies the ksmbd vulnerability through ongoing vulnerability scanning and monitoring of kernel components, enabling timely remediation.

References