HIGH
ksmbd MAC Timing
CVE-2026-23364
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
KernelScan AI: 5.9 MEDIUM
01 Description
In the Linux kernel, the following vulnerability has been resolved:

ksmbd: Compare MACs in constant time

To prevent timing attacks, MAC comparisons need to be constant-time. Replace the memcmp() with the correct function, crypto_memneq().
02 KernelScan AI Analysis
Risk summary
Remote attackers can exploit timing differences in MAC verification to potentially extract authentication secrets from ksmbd SMB servers. This affects systems running the in-kernel SMB server with network exposure. The attack requires sophisticated timing analysis but no authentication.
Vulnerability analysis
The vulnerability exists in ksmbd's authentication and signature verification code where memcmp() is used to compare cryptographic MACs (Message Authentication Codes). The memcmp() function performs byte-by-byte comparison and returns early on the first mismatch, creating measurable timing differences that leak information about the secret MAC values. The fix replaces memcmp() with crypto_memneq(), which performs constant-time comparison regardless of where differences occur, preventing timing-based side-channel attacks. This affects both NTLMv2 authentication in auth.c and SMB2/SMB3 signature verification in smb2pdu.c.
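The difference between the two comparison styles described above, as an added userspace illustration (not code from the ksmbd patch or the kernel). `leaky_memneq`, `ct_memneq`, `work_for_prefix` and the sample MAC are constructed for this example, and a byte counter stands in for elapsed time.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Bytes examined by the last comparison; example-only stand-in for time. */
static size_t bytes_examined;

/* Early-exit comparison: stops at the first differing byte. */
static int leaky_memneq(const uint8_t *a, const uint8_t *b, size_t n)
{
    bytes_examined = 0;
    for (size_t i = 0; i < n; i++) {
        bytes_examined++;
        if (a[i] != b[i])
            return 1;
    }
    return 0;
}

/* Constant-time comparison: reads every byte and ORs the differences, so the
 * work is independent of where they occur. Not the kernel's crypto_memneq(). */
static int ct_memneq(const uint8_t *a, const uint8_t *b, size_t n)
{
    volatile uint8_t diff = 0;
    bytes_examined = 0;
    for (size_t i = 0; i < n; i++) {
        bytes_examined++;
        diff |= (uint8_t)(a[i] ^ b[i]);
    }
    return diff != 0;
}

/* Work done when the first `prefix` bytes of a 16-byte candidate match. */
static size_t work_for_prefix(int (*cmp)(const uint8_t *, const uint8_t *, size_t), size_t prefix)
{
    uint8_t mac[16], guess[16];
    for (size_t i = 0; i < 16; i++) {
        mac[i] = (uint8_t)(0xA0 + i);            /* constructed sample MAC */
        guess[i] = i < prefix ? mac[i] : (uint8_t)~mac[i];
    }
    cmp(mac, guess, sizeof(mac));
    return bytes_examined;
}

int main(void)
{
    for (size_t p = 0; p <= 16; p += 4)
        printf("prefix=%2zu leaky=%2zu ct=%2zu\n", p,
               work_for_prefix(leaky_memneq, p), work_for_prefix(ct_memneq, p));
}
```

The early-exit column grows with the length of the matching prefix, while the constant-time column stays at 16 for every input, which is the property the fix restores.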
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.1 | 6.1.167 | cd52a0e30965 |
| 6.12 | 6.12.78 | 2cdc56ed6761 |
| 6.18 | 6.18.19 | 93c0a22fec91 |
| 6.19 | 6.19.7 | f4588b85efd6 |
| 6.6 | 6.6.130 | 307afccb751f |
| mainline | 7.0 | c5794709bc91 |