A user controlling the username mount option can embed shell commands that will be run in the context of the calling user.
To exploit this flaw, the attacker would need to be able to inject a specially crafted username into the command run by root. This requires a specific setup (e.g. sudo rules).
As a result, the vulnerability is considered low severity.
Name: Aurélien Aptel (SUSE Labs Samba Team)
Upstream: Vadim Lebedev
Created cifs-utils tracking bugs for this issue:
Affects: fedora-all [bug 1876400]
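For the setup described above, where a sudo rule lets a user influence the username mount option, the following added example (not cifs-utils code and not from this report) shows an allowlist check a wrapper script could apply before root runs the mount command. The function names `is_safe_cifs_username` and `check_cifs_opts` and the sample option strings are hypothetical, and the allowlist is deliberately stricter than what CIFS usernames permit.

```shell
#!/bin/sh
# Added example, not cifs-utils code. Function names are hypothetical.
LC_ALL=C; export LC_ALL   # make the A-Z / a-z ranges byte-exact

# Succeeds only for a non-empty, short, allowlisted username.
is_safe_cifs_username() {
    name=$1
    [ -n "$name" ] || return 1
    [ "${#name}" -le 64 ] || return 1
    case $name in
        -*) return 1 ;;                      # would read as an option
        *[!A-Za-z0-9._@-]*) return 1 ;;      # anything outside the allowlist
    esac
    return 0
}

# Splits a comma-separated -o string and checks every user=/username= value.
check_cifs_opts() {
    opts=$1
    old_ifs=$IFS
    IFS=,
    set -f                                   # no globbing while splitting
    rc=0
    for opt in $opts; do
        case $opt in
            username=*|user=*)
                is_safe_cifs_username "${opt#*=}" || rc=1 ;;
        esac
    done
    IFS=$old_ifs
    set +f
    return $rc
}

# Constructed sample option strings (not taken from the advisory).
for sample in 'ro,username=alice,vers=3.0' 'ro,username=x$(id)' 'user=a;b'; do
    if check_cifs_opts "$sample"; then
        echo "accept: $sample"
    else
        echo "reject: $sample"
    fi
done
```

Because the allowlist excludes commas as well as shell metacharacters, a value that passes cannot add further mount options to the comma-separated option string either.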