CVE-2026-41013 | THREATINT

Description

Input validation bypass in SMB volume mount handling in CloudFoundry Foundation diego-release allows low-privileged CF space developer to inject arbitrary kernel CIFS mount options via bypassing the mount-option allowlist, enabling privilege escalation and security control bypass on multi-tenant Diego cells. Affected versions: smb-volume-release: All versions prior to v3.60.0 CF Deployment: All versions prior to v56.0.0

PUBLISHED Reserved 2026-04-16 | Published 2026-06-01 | Updated 2026-06-04 | Assigner vmware

Problem types

CWE-88 Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')

Product status

Default status

unaffected

Any version before 3.60.0

affected

Default status

unaffected

Any version before 56.0.0

affected

References

www.cloudfoundry.org/...uggles-arbitrary-cifs-mount-options/

cve.org (CVE-2026-41013)

nvd.nist.gov (CVE-2026-41013)

Download JSON