Summaryinfo

A vulnerability marked as problematic has been reported in Linux Kernel up to 7.0-rc1. This affects the function memcmp of the component ksmbd. Performing a manipulation results in timing discrepancy. This vulnerability is identified as CVE-2026-23364. There is not any exploit available. It is suggested to upgrade the affected component.

Detailsinfo

A vulnerability, which was classified as problematic, was found in Linux Kernel up to 7.0-rc1. This affects the function memcmp of the component ksmbd. The manipulation with an unknown input leads to a timing discrepancy vulnerability. CWE is classifying the issue as CWE-208. Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not. This is going to have an impact on confidentiality. The summary by CVE is:

In the Linux kernel, the following vulnerability has been resolved: ksmbd: Compare MACs in constant time To prevent timing attacks, MAC comparisons need to be constant-time. Replace the memcmp() with the correct function, crypto_memneq().

It is possible to read the advisory at git.kernel.org. This vulnerability is uniquely identified as CVE-2026-23364 since 01/13/2026. The exploitability is told to be difficult. Technical details of the vulnerability are known, but there is no available exploit. The attack technique deployed by this issue is T1592 according to MITRE ATT&CK.

Upgrading to version 6.1.167, 6.6.130, 6.12.78, 6.18.19, 6.19.7 or 7.0-rc2 eliminates this vulnerability. Applying the patch cd52a0e309659537048a864211abc3ea4c5caa63/307afccb751f542246bd5dc68a2c1ffe1a78418c/2cdc56ed67615ba0921383a688f24415ebe065f3/93c0a22fec914ec4b697e464895a0f594e29fb28/f4588b85efd6007d46b80aa1b9fb746628ffb3dc/c5794709bc9105935dbedef8b9cf9c06f2b559fa is able to eliminate this problem. The bugfix is ready for download at git.kernel.org. The best possible mitigation is suggested to be upgrading to the latest version.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Productinfo

Type

• Operating System

Vendor

• Linux

Name

• Kernel

Version

• 6.1.166
• 6.6.129
• 6.12.0
• 6.12.1
• 6.12.2
• 6.12.3
• 6.12.4
• 6.12.5
• 6.12.6
• 6.12.7
• 6.12.8
• 6.12.9
• 6.12.10
• 6.12.11
• 6.12.12
• 6.12.13
• 6.12.14
• 6.12.15
• 6.12.16
• 6.12.17
• 6.12.18
• 6.12.19
• 6.12.20
• 6.12.21
• 6.12.22
• 6.12.23
• 6.12.24
• 6.12.25
• 6.12.26
• 6.12.27
• 6.12.28
• 6.12.29
• 6.12.30
• 6.12.31
• 6.12.32
• 6.12.33
• 6.12.34
• 6.12.35
• 6.12.36
• 6.12.37
• 6.12.38
• 6.12.39
• 6.12.40
• 6.12.41
• 6.12.42
• 6.12.43
• 6.12.44
• 6.12.45
• 6.12.46
• 6.12.47
• 6.12.48
• 6.12.49
• 6.12.50
• 6.12.51
• 6.12.52
• 6.12.53
• 6.12.54
• 6.12.55
• 6.12.56
• 6.12.57
• 6.12.58
• 6.12.59
• 6.12.60
• 6.12.61
• 6.12.62
• 6.12.63
• 6.12.64
• 6.12.65
• 6.12.66
• 6.12.67
• 6.12.68
• 6.12.69
• 6.12.70
• 6.12.71
• 6.12.72
• 6.12.73
• 6.12.74
• 6.12.75
• 6.12.76
• 6.12.77
• 6.18.0
• 6.18.1
• 6.18.2
• 6.18.3
• 6.18.4
• 6.18.5
• 6.18.6
• 6.18.7
• 6.18.8
• 6.18.9
• 6.18.10
• 6.18.11
• 6.18.12
• 6.18.13
• 6.18.14
• 6.18.15
• 6.18.16
• 6.18.17
• 6.18.18
• 6.19.0
• 6.19.1
• 6.19.2
• 6.19.3
• 6.19.4
• 6.19.5
• 6.19.6
• 7.0-rc1

License

• open-source

Website

• Vendor: https://www.kernel.org/

CPE 2.3info

• 🔒
• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒
• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion