
VSA-2026-021: Linux Kernel CIFS Client Local Privilege Escalation (CVE-2026-46243)

Published: 2026-06-10
Updated: 2026-06-10
Severity: 🟠 Moderate
CVSS 4.0: Not available yet
Affected products: XCP-ng, XOA

Info: A Linux kernel vulnerability in the CIFS client and its associated CVE (CVE-2026-46243) has been disclosed. For Vates products, we classify the impact as Moderate: XCP-ng and XOA are affected. For details on how we assign severity levels, see our Severity Levels Explained page.

Summary

CVE-2026-46243 is a Local Privilege Escalation in the kernel's CIFS (SMB client) sub-system. The kernel does not properly validate cifs.spnego key descriptions created from userspace via request_key(2) or add_key(2). As a result, an unprivileged local user can forge authority-bearing fields (pid, uid, creduid, upcall_target) that cifs.upcall treats as trusted, bypassing intended access controls and allowing privilege escalation to root.

Impact

An unprivileged local user can escalate privileges to root:

  • In XCP-ng the exposure is limited, as very few processes run as users other than root.
  • In XOA the impact could be greater, as there are network-reachable services running as unprivileged users, but CIFS is not used directly by default.

Affected Versions

  • XCP-ng 8.3: Affected.
  • XOA: Affected.

Mitigation

It is possible to blacklist the cifs module on both XCP-ng and XOA to neutralize CVE-2026-46243.

Warning: Blacklisting cifs in XCP-ng will prevent the use of SMB-based SRs.
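As an added example (not part of the advisory, and not a Vates-supplied script), the POSIX shell functions below write the modprobe drop-in that implements the blacklist described above and check whether the module is currently loaded. The drop-in path /etc/modprobe.d/blacklist-cifs.conf is an assumption; any file name under /etc/modprobe.d/ works. Note that a plain `blacklist` line only stops alias-based autoloading (for example when a filesystem mount of type cifs is requested), so the `install cifs /bin/false` line is what makes an explicit `modprobe cifs` fail as well.

```shell
#!/bin/sh
# Added example: blacklist the cifs kernel module (CVE-2026-46243 mitigation).
# Assumed drop-in path; the name is arbitrary as long as it ends in .conf.
CONF_DEFAULT=/etc/modprobe.d/blacklist-cifs.conf

# Print the contents of the drop-in.
#   blacklist  -> no autoload via module aliases (e.g. "mount -t cifs")
#   install    -> an explicit "modprobe cifs" runs /bin/false instead
cifs_blacklist_conf() {
    printf '%s\n' \
        '# CVE-2026-46243 mitigation: do not load the CIFS client' \
        'blacklist cifs' \
        'install cifs /bin/false'
}

# Write the drop-in to $1 (default: $CONF_DEFAULT). Needs root for /etc.
write_cifs_blacklist() {
    conf=${1:-$CONF_DEFAULT}
    cifs_blacklist_conf > "$conf" && echo "wrote $conf"
}

# Return 0 if cifs appears in the module list, 1 otherwise.
# $1 may point at a file in /proc/modules format (used for testing);
# the default is the live /proc/modules.
cifs_loaded() {
    grep -q '^cifs ' "${1:-/proc/modules}" 2>/dev/null
}

# Usage: write the drop-in, then report the current state.
# The drop-in only affects future loads; a module that is already loaded
# must be removed with "modprobe -r cifs" (fails while an SMB SR is mounted).
if [ "$(id -u)" = 0 ]; then
    write_cifs_blacklist
    if cifs_loaded; then
        echo "cifs is still loaded: run 'modprobe -r cifs' after unplugging SMB SRs"
    else
        echo "cifs is not loaded"
    fi
else
    echo "not root: printing the drop-in that would be written to $CONF_DEFAULT"
    cifs_blacklist_conf
fi
```

A subsequent `modprobe -n -v cifs` (dry run) should print the `install /bin/false` line instead of an insmod command, which confirms that modprobe picked up the drop-in.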

Resolution

As of 2026-06-10:

  • XCP-ng 8.3:
    • The fix has not been released yet. If you are concerned about this vulnerability and are not using SMB SRs, you can apply the mitigation above. Otherwise, we do have a publicly available package that includes the fix, but it is not yet in our main repository. Feel free to reach out to us for the installation procedure so that future Rolling Pool Updates are not broken.
  • XOA:
    • Fixed in Debian's kernel version 6.1.174-1. XOA's unattended update mechanism should already have automatically updated the kernel of XOA VMs with a fixed one.

Warning: For the XOA update to be effective, the XOA VM needs to be restarted.

Info: Users who have been running their XOA instance for a long time might be on an older version of Debian: the unattended update mechanism keeps the base version and does not upgrade the base operating system. Only Debian 11 and 12 receive updates; people on older versions will need to upgrade their XOA VM.
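Because the unattended update only installs the package and the fixed kernel is used after a reboot, a practitioner will want to confirm what is actually running. The POSIX shell snippet below is an added example (not from the advisory or from Vates) that reads the Debian package version from /proc/version and compares it with the 6.1.174-1 given above. It assumes Debian's /proc/version layout, in which the kernel package version follows the word "Debian" near the end of the line; on a non-Debian kernel the check reports "not a Debian kernel" rather than guessing.

```shell
#!/bin/sh
# Added example: is the *running* XOA kernel at least the fixed Debian version?
FIXED_VERSION="6.1.174-1"   # fixed version stated in the advisory

# Extract the Debian kernel package version (e.g. 6.1.174-1) from a
# /proc/version line. The greedy .* picks the last "Debian <version>",
# which is the kernel package, not the gcc version mentioned earlier.
debian_kernel_version() {
    printf '%s\n' "$1" | sed -n 's/.*Debian \([0-9][0-9.]*-[^ ]*\).*/\1/p'
}

# Return 0 if version $1 >= version $2, comparing dot/dash separated
# numeric fields (6.1.174-1 -> 6 1 174 1); missing fields count as 0.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, /[.-]/); m = split(b, y, /[.-]/)
        lim = (n > m) ? n : m
        for (i = 1; i <= lim; i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# 0: running kernel is fixed; 1: older than the fix; 2: not a Debian kernel.
running_kernel_fixed() {
    v=$(debian_kernel_version "$1")
    [ -n "$v" ] || return 2
    version_ge "$v" "$FIXED_VERSION"
}

# Usage: report on the live system (safe to run anywhere, no root needed).
if [ -r /proc/version ]; then
    if running_kernel_fixed "$(cat /proc/version)"; then
        echo "running kernel carries the fix ($FIXED_VERSION or newer)"
    else
        case $? in
            2) echo "not a Debian kernel; this check does not apply" ;;
            *) echo "running kernel predates $FIXED_VERSION: update and reboot the XOA VM" ;;
        esac
    fi
fi
```

The installed package can be checked separately with `dpkg -l 'linux-image-*'`; if that shows 6.1.174-1 or newer while this script still reports an older running kernel, the VM has simply not been restarted yet.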

References