Bug 2451217 (CVE-2026-23303)

Summary: CVE-2026-23303 kernel: smb: client: Don't log plaintext credentials in cifs_set_cifscreds
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedKeywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in the Linux kernel's Server Message Block (SMB) client. When debug logging is enabled, the cifs_set_cifscreds() function logs plaintext credentials, including usernames and passwords. This information disclosure vulnerability allows a local attacker with access to the debug logs to retrieve sensitive authentication details. The primary consequence is the exposure of user credentials, which could lead to unauthorized access to SMB resources.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2026-03-25 11:05:14 UTC 
In the Linux kernel, the following vulnerability has been resolved:

smb: client: Don't log plaintext credentials in cifs_set_cifscreds

When debug logging is enabled, cifs_set_cifscreds() logs the key
payload and exposes the plaintext username and password. Remove the
debug log to avoid exposing credentials.
Comment 1 Alexander B 2026-03-25 15:20:20 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026032527-CVE-2026-23303-8e38@gregkh/T