CVE-2026-31392
Published: 03 April 2026
Summary
CVE-2026-31392 is a high-severity an unspecified weakness vulnerability in Linux Linux Kernel. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique SMB/Windows Admin Shares (T1021.002); ranked at the 2.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and AC-6 (Least Privilege).
Deeper analysis
CVE-2026-31392 is a vulnerability in the Linux kernel's SMB client (cifs) that affects Kerberos-authenticated mounts using the sec=krb5 option alongside a username mount option. The issue causes the client to incorrectly reuse an existing SMB session from a prior mount, even when a different username is specified for subsequent mounts. This results in the application of incorrect credentials, as demonstrated in scenarios where a keytab lacks the principal for the specified username, yet the mount proceeds using credentials from the earlier session.
The vulnerability carries a CVSS v3.1 base score of 8.1 (AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L), indicating exploitation requires local access, low complexity, and high privileges on the affected system. A privileged local attacker could leverage this to achieve high impacts on confidentiality and integrity with a scope change, alongside low availability impact, potentially allowing unauthorized access to SMB shares via reused sessions and mismatched credentials.
Mitigation is provided through upstream kernel patches in the stable trees, including commits such as 12b4c5d98cd7ca46d5035a57bcd995df614c14e1, 6e9ff1eb7feedcf46ff2d0503759960ab58e7775, 9229709ec8bf85ae7ca53aeee9aa14814cdc1bd2, 9ee803bfdba0cf739038dbdabdd4c02582c8f2b2, and d33cbf0bf8979d779900da9be2505d68d9d8da25. Security practitioners should update to kernels incorporating these fixes to ensure proper matching of the username option in the match_session() function during Kerberos authentication.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-18766
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved: smb: client: fix krb5 mount with username option Customer reported that some of their krb5 mounts were failing against a single server as the client was trying to mount the…
more
shares with wrong credentials. It turned out the client was reusing SMB session from first mount to try mounting the other shares, even though a different username= option had been specified to the other mounts. By using username mount option along with sec=krb5 to search for principals from keytab is supported by cifs.upcall(8) since cifs-utils-4.8. So fix this by matching username mount option in match_session() even with Kerberos. For example, the second mount below should fail with -ENOKEY as there is no 'foobar' principal in keytab (/etc/krb5.keytab). The client ends up reusing SMB session from first mount to perform the second one, which is wrong. ``` $ ktutil ktutil: add_entry -password -p testuser -k 1 -e aes256-cts Password for testuser@ZELDA.TEST: ktutil: write_kt /etc/krb5.keytab ktutil: quit $ klist -ke Keytab name: FILE:/etc/krb5.keytab KVNO Principal ---- ---------------------------------------------------------------- 1 testuser@ZELDA.TEST (aes256-cts-hmac-sha1-96) $ mount.cifs //w22-root2/scratch /mnt/1 -o sec=krb5,username=testuser $ mount.cifs //w22-root2/scratch /mnt/2 -o sec=krb5,username=foobar $ mount -t cifs | grep -Po 'username=\K\w+' testuser testuser ```
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The SMB client session reuse bug allows a privileged local attacker to mount Kerberos-authenticated shares with mismatched usernames, directly enabling unauthorized interaction with remote SMB shares (T1021.002) and subsequent data access from network shared drives (T1039).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mitigates CVE-2026-31392 by applying upstream kernel patches that fix improper SMB session reuse when different usernames are specified with sec=krb5.
Vulnerability scanning identifies Linux kernels vulnerable to CVE-2026-31392's credential mismatch in Kerberos-authenticated SMB mounts, enabling targeted patching.
Enforces least privilege to limit high-privilege local users capable of executing mount.cifs and exploiting session reuse for unauthorized SMB share access.