Cyber Resilience

CVE-2026-31392

High

Published: 03 April 2026

Published
03 April 2026
Modified
26 May 2026
KEV Added
Patch
CVSS Score v3.1 8.1 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L
EPSS Score 0.0012 2.3th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-31392 is a high-severity an unspecified weakness vulnerability in Linux Linux Kernel. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique SMB/Windows Admin Shares (T1021.002); ranked at the 2.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and AC-6 (Least Privilege).

Deeper analysis

CVE-2026-31392 is a vulnerability in the Linux kernel's SMB client (cifs) that affects Kerberos-authenticated mounts using the sec=krb5 option alongside a username mount option. The issue causes the client to incorrectly reuse an existing SMB session from a prior mount, even when a different username is specified for subsequent mounts. This results in the application of incorrect credentials, as demonstrated in scenarios where a keytab lacks the principal for the specified username, yet the mount proceeds using credentials from the earlier session.

The vulnerability carries a CVSS v3.1 base score of 8.1 (AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L), indicating exploitation requires local access, low complexity, and high privileges on the affected system. A privileged local attacker could leverage this to achieve high impacts on confidentiality and integrity with a scope change, alongside low availability impact, potentially allowing unauthorized access to SMB shares via reused sessions and mismatched credentials.

Mitigation is provided through upstream kernel patches in the stable trees, including commits such as 12b4c5d98cd7ca46d5035a57bcd995df614c14e1, 6e9ff1eb7feedcf46ff2d0503759960ab58e7775, 9229709ec8bf85ae7ca53aeee9aa14814cdc1bd2, 9ee803bfdba0cf739038dbdabdd4c02582c8f2b2, and d33cbf0bf8979d779900da9be2505d68d9d8da25. Security practitioners should update to kernels incorporating these fixes to ensure proper matching of the username option in the match_session() function during Kerberos authentication.

EU & UK References

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved: smb: client: fix krb5 mount with username option Customer reported that some of their krb5 mounts were failing against a single server as the client was trying to mount the…

more

shares with wrong credentials. It turned out the client was reusing SMB session from first mount to try mounting the other shares, even though a different username= option had been specified to the other mounts. By using username mount option along with sec=krb5 to search for principals from keytab is supported by cifs.upcall(8) since cifs-utils-4.8. So fix this by matching username mount option in match_session() even with Kerberos. For example, the second mount below should fail with -ENOKEY as there is no 'foobar' principal in keytab (/etc/krb5.keytab). The client ends up reusing SMB session from first mount to perform the second one, which is wrong. ``` $ ktutil ktutil: add_entry -password -p testuser -k 1 -e aes256-cts Password for testuser@ZELDA.TEST: ktutil: write_kt /etc/krb5.keytab ktutil: quit $ klist -ke Keytab name: FILE:/etc/krb5.keytab KVNO Principal ---- ---------------------------------------------------------------- 1 testuser@ZELDA.TEST (aes256-cts-hmac-sha1-96) $ mount.cifs //w22-root2/scratch /mnt/1 -o sec=krb5,username=testuser $ mount.cifs //w22-root2/scratch /mnt/2 -o sec=krb5,username=foobar $ mount -t cifs | grep -Po 'username=\K\w+' testuser testuser ```

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1021.002 SMB/Windows Admin Shares Lateral Movement
Adversaries may use [Valid Accounts](https://attack.
T1039 Data from Network Shared Drive Collection
Adversaries may search network shares on computers they have compromised to find files of interest.
Why these techniques?

The SMB client session reuse bug allows a privileged local attacker to mount Kerberos-authenticated shares with mismatched usernames, directly enabling unauthorized interaction with remote SMB shares (T1021.002) and subsequent data access from network shared drives (T1039).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-23230Same product: Linux Linux Kernel
CVE-2024-58015Same product: Linux Linux Kernel
CVE-2026-31448Same product: Linux Linux Kernel
CVE-2024-58072Same product: Linux Linux Kernel
CVE-2026-31474Same product: Linux Linux Kernel
CVE-2026-31636Same product: Linux Linux Kernel
CVE-2026-31516Same product: Linux Linux Kernel
CVE-2024-57911Same product: Linux Linux Kernel
CVE-2026-23327Same product: Linux Linux Kernel
CVE-2024-57792Same product: Linux Linux Kernel

Affected Assets

linux
linux kernel
7.0 · 2.6.32.44 — 2.6.33 · 2.6.34.12 — 2.6.35 · 2.6.36 — 6.1.167

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates CVE-2026-31392 by applying upstream kernel patches that fix improper SMB session reuse when different usernames are specified with sec=krb5.

detect

Vulnerability scanning identifies Linux kernels vulnerable to CVE-2026-31392's credential mismatch in Kerberos-authenticated SMB mounts, enabling targeted patching.

prevent

Enforces least privilege to limit high-privilege local users capable of executing mount.cifs and exploiting session reuse for unauthorized SMB share access.

References