Observable discrepancy in Linux kernel - CVE-2026-23364

Published: March 25, 2026


Vulnerability identifier: #VU124479
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-23364
CWE-ID: CWE-203
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: Linux Foundation
Affected software:
Linux kernel

Detailed vulnerability description

The vulnerability allows a local user to obtain sensitive information.

The vulnerability exists due to improper timing handling in the ksmbd component when comparing message authentication codes (MACs). A local user can leverage timing differences during MAC comparison to infer sensitive information.

Exploitation requires local access and the ability to trigger MAC comparisons through the ksmbd subsystem.
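The weakness class named above (CWE-203, a MAC comparison whose running time depends on the input) is easiest to see side by side with its fix. The following C program is an added illustration written for this record; it is not the ksmbd code, the upstream patch, or kernel source. It contrasts an early-exit byte comparison with a constant-time one of the kind the Linux kernel provides as crypto_memneq(), and counts how many bytes each routine inspects so the timing difference is visible without a stopwatch. The sample MAC values are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAC_LEN 16

/* Early-exit comparison. It returns at the first mismatching byte, so the
 * number of bytes inspected (and therefore the running time) depends on how
 * long a prefix of the candidate matches the expected MAC. This is the
 * timing side channel CWE-203 describes; it is shown only for contrast. */
static int mac_equal_leaky(const uint8_t *expected, const uint8_t *candidate,
                           size_t len, size_t *bytes_inspected)
{
    for (size_t i = 0; i < len; i++) {
        if (expected[i] != candidate[i]) {
            *bytes_inspected = i + 1;
            return 0;
        }
    }
    *bytes_inspected = len;
    return 1;
}

/* Constant-time comparison. Every byte is inspected and the XOR differences
 * are OR-accumulated, so the work performed does not depend on where, or
 * whether, the inputs differ. The Linux kernel offers crypto_memneq() for
 * this job; this user-space version follows the same idea. */
static int mac_equal_ct(const uint8_t *expected, const uint8_t *candidate,
                        size_t len, size_t *bytes_inspected)
{
    volatile uint8_t diff = 0;
    for (size_t i = 0; i < len; i++)
        diff |= (uint8_t)(expected[i] ^ candidate[i]);
    *bytes_inspected = len;
    return diff == 0;
}

/* Constructed sample MACs (made up for this example, not from any real SMB
 * session): the expected value, a matching candidate, one wrong in the first
 * byte and one wrong only in the last byte. */
static const uint8_t sample_expected[MAC_LEN] = {
    0x3a, 0x91, 0x07, 0xc4, 0x58, 0xe2, 0x1f, 0x6d,
    0xb0, 0x4c, 0x73, 0xaa, 0x19, 0xf5, 0x2e, 0x80 };
static const uint8_t sample_match[MAC_LEN] = {
    0x3a, 0x91, 0x07, 0xc4, 0x58, 0xe2, 0x1f, 0x6d,
    0xb0, 0x4c, 0x73, 0xaa, 0x19, 0xf5, 0x2e, 0x80 };
static const uint8_t sample_first_wrong[MAC_LEN] = {
    0x00, 0x91, 0x07, 0xc4, 0x58, 0xe2, 0x1f, 0x6d,
    0xb0, 0x4c, 0x73, 0xaa, 0x19, 0xf5, 0x2e, 0x80 };
static const uint8_t sample_last_wrong[MAC_LEN] = {
    0x3a, 0x91, 0x07, 0xc4, 0x58, 0xe2, 0x1f, 0x6d,
    0xb0, 0x4c, 0x73, 0xaa, 0x19, 0xf5, 0x2e, 0x00 };

/* Difference in bytes inspected between a last-byte mismatch and a first-byte
 * mismatch for the leaky routine: the spread a timing measurement would see. */
static size_t leaky_spread(void)
{
    size_t first, last;
    mac_equal_leaky(sample_expected, sample_first_wrong, MAC_LEN, &first);
    mac_equal_leaky(sample_expected, sample_last_wrong, MAC_LEN, &last);
    return last - first;
}

/* The same measurement for the constant-time routine: always zero. */
static size_t ct_spread(void)
{
    size_t first, last;
    mac_equal_ct(sample_expected, sample_first_wrong, MAC_LEN, &first);
    mac_equal_ct(sample_expected, sample_last_wrong, MAC_LEN, &last);
    return last - first;
}

/* Convenience wrappers: verify a candidate against the sample expected MAC. */
static int verify_leaky(const uint8_t *candidate)
{
    size_t n;
    return mac_equal_leaky(sample_expected, candidate, MAC_LEN, &n);
}

static int verify_ct(const uint8_t *candidate)
{
    size_t n;
    return mac_equal_ct(sample_expected, candidate, MAC_LEN, &n);
}

int main(void)
{
    printf("leaky: %zu-byte spread between first- and last-byte mismatch\n",
           leaky_spread());
    printf("constant-time: %zu-byte spread\n", ct_spread());
    printf("match accepted: leaky=%d ct=%d; last-byte mismatch rejected: ct=%d\n",
           verify_leaky(sample_match), verify_ct(sample_match),
           !verify_ct(sample_last_wrong));
    return 0;
}
```

Both routines agree on whether a MAC is valid; the difference is that the constant-time one gives an observer no way to tell a near miss from a complete miss. In kernel code the equivalent change is to compare authentication tags with crypto_memneq() rather than memcmp().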


How to mitigate CVE-2026-23364

Install the security update from the vendor's repository.

Sources