CVE-2026-41013 PUBLISHED

Tenant-controlled comma smuggles arbitrary CIFS mount options

Assigner: vmware
Reserved: 16.04.2026 Published: 01.06.2026 Updated: 01.06.2026

Input validation bypass in SMB volume mount handling in CloudFoundry Foundation diego-release allows low-privileged CF space developer to inject arbitrary kernel CIFS mount options via bypassing the mount-option allowlist, enabling privilege escalation and security control bypass on multi-tenant Diego cells.

Affected versions: smb-volume-release: All versions prior to v3.60.0 CF Deployment: All versions prior to v56.0.0

Product Status

Vendor	CloudFoundry Foundation
Product	smb-volume-release
Versions	Default: unaffected affected from 0 to 3.60.0 (excl.)

Vendor	CloudFoundry Foundation
Product	CF Deployment
Versions	Default: unaffected affected from 0 to 56.0.0 (excl.)

References

https://www.cloudfoundry.org/blog/cve-2026-41013-tenant-controlled-comma-smuggles-arbitrary-cifs-mount-options/

Problem Types

CWE-88 Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') CWE

Impacts

A low-privileged CF space developer can bypass the SMB mount-option allowlist by injecting arbitrary kernel CIFS mount options via comma-delimited parameters, enabling privilege escalation and security control bypass on multi-tenant Diego cells.