Cleartext Storage of Sensitive Information in Linux kernel - CVE-2026-23303
Published: March 25, 2026
Vulnerability identifier: #VU124552
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-23303
CWE-ID: CWE-312
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vendor: Linux Foundation
Affected software:
Linux kernel
Linux kernel
Detailed vulnerability description
The vulnerability allows a local user to disclose sensitive information.
The vulnerability exists due to improper output neutralization in the cifs_set_cifscreds function when handling debug logging. A local user can enable debug logging to disclose sensitive information.
The exposure of plaintext usernames and passwords occurs when debug logging is enabled, which may be accessible to local users with access to kernel logs.
How to mitigate CVE-2026-23303
Install security update from vendor's repository.
Sources
- https://git.kernel.org/stable/c/2ef0fc3bf49db2b9df36d5f44508c9e384bfa2a1
- https://git.kernel.org/stable/c/2f37dc436d4e61ff7ae0b0353cf91b8c10396e4d
- https://git.kernel.org/stable/c/3990f352bb0adc8688d0949a9c13e3110570eb61
- https://git.kernel.org/stable/c/3e182701db612ddd794ccd5ed822e6cc1db2b972
- https://git.kernel.org/stable/c/b746a357abfb8fdb0a171d51ec5091e786d34be1
- https://git.kernel.org/stable/c/ff0ece8ed04180c52167c003362284b23cf54e8d