CVE-2021-20208 [Medium] | Security Vulnerability in Cifs-Utils

A flaw was found in cifs-utils in versions before 6.13. A user when mounting a krb5 CIFS file system from within a container can use Kerberos credentials of the host. The highest threat from this vulnerability is to data confidentiality and integrity.

#	Date	Old EPSS score	New EPSS score	Delta (New - Old)
1	2026-06-15	0.27%	0.64%	+0.37%
2	2026-05-30	0.37%	0.27%	-0.10%
3	2026-02-02	—	0.37%	—

Date

Old EPSS score

New EPSS score

Delta (New - Old)

2026-06-15

0.27%

0.64%

+0.37%

2026-05-30

0.37%

0.27%

-0.10%

2026-02-02

—

0.37%

—

Base score	Version	Severity	Vector	Exploitability	Impact	Score source
6.1	3.1	MEDIUM	`CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N` Click to expand Attack vector (AV:L) They already need access on the box, or another person has to do something wrong; it’s not a remote drive-by. Attack complexity (AC:H) Even with access, the exploit needs extra luck, timing, or a fussy environment to actually work. Privileges required (PR:L) A normal user session is enough; they don’t have to be admin. User interaction (UI:R) A real person has to do something—click, install, enable—otherwise it doesn’t land. Scope (S:C) Breaking this can reach past the original component and bite other resources—bigger blast radius. Confidentiality (C:L) Some sensitive info could get out, but not a total data dump. Integrity (I:H) They could widely tamper with or forge data—trust in the data is badly hurt. Availability (A:N) Service keeps running; no real outage angle.	0.8	4.7	[email protected]
4.9	2.0	MEDIUM	`AV:N/AC:M/Au:S/C:P/I:P/A:N` Click to expand Access vector (AV:N) Can be exploited remotely over network reachability. Access complexity (AC:M) Exploitation needs some favorable conditions, but not exceptional ones. Authentication (AU:S) A single authentication is required. Confidentiality impact (C:P) Partial confidentiality impact. Integrity impact (I:P) Partial integrity impact. Availability impact (A:N) No availability impact.	6.8	4.9	[email protected]

Base score

Version

Severity

Vector

Exploitability

Impact

Score source

6.1

3.1

MEDIUM

CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N Click to expand

Attack vector (AV:L): They already need access on the box, or another person has to do something wrong; it’s not a remote drive-by.
Attack complexity (AC:H): Even with access, the exploit needs extra luck, timing, or a fussy environment to actually work.
Privileges required (PR:L): A normal user session is enough; they don’t have to be admin.
User interaction (UI:R): A real person has to do something—click, install, enable—otherwise it doesn’t land.
Scope (S:C): Breaking this can reach past the original component and bite other resources—bigger blast radius.
Confidentiality (C:L): Some sensitive info could get out, but not a total data dump.
Integrity (I:H): They could widely tamper with or forge data—trust in the data is badly hurt.
Availability (A:N): Service keeps running; no real outage angle.

0.8

4.7

[email protected]

4.9

2.0

MEDIUM

AV:N/AC:M/Au:S/C:P/I:P/A:N Click to expand

Access vector (AV:N): Can be exploited remotely over network reachability.
Access complexity (AC:M): Exploitation needs some favorable conditions, but not exceptional ones.
Authentication (AU:S): A single authentication is required.
Confidentiality impact (C:P): Partial confidentiality impact.
Integrity impact (I:P): Partial integrity impact.
Availability impact (A:N): No availability impact.

6.8

4.9

[email protected]

OS Trackers for CVE-2021-20208

vendor	priority	summary	link
`alpine`	medium	CVE-2021-20208: 1 source package rows (cifs-utils); 11 state rows across 10 repos (3.10-main, 3.11-main, 3.12-main, 3.17-main, 3.18-main, 3.19-main, 3.20-main, 3.21-main, 3.22-main, edge-main); fixed 10, open 1.	https://security.alpinelinux.org/vuln/CVE-2021-20208
`debian`	not yet assigned	CVE-2021-20208 not yet assigned priority: Debian including 1 source packages (cifs-utils), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5.	https://security-tracker.debian.org/tracker/CVE-2021-20208
`redhat`	medium	—	https://access.redhat.com/security/cve/CVE-2021-20208
`suse`	medium	—	https://www.suse.com/security/cve/CVE-2021-20208/
`ubuntu`	low	CVE-2021-20208 low priority: Ubuntu including 1 source packages (cifs-utils), 15 status rows across 15 suites (bionic, focal, groovy, hirsute, impish, jammy, kinetic, lunar, mantic, noble, oracular, plucky, trusty, upstream, xenial): not-affected 8, released 5, ignored 2.	https://ubuntu.com/security/CVE-2021-20208

Affected software / configurations for CVE-2021-20208

Vendor	Product	Version	Raw CPE
samba	cifs-utils	>= 4.0, < 6.13	cpe:2.3:a:samba:cifs-utils::::::::
redhat	enterprise_linux	7.0	cpe:2.3:o:redhat:enterprise_linux:7.0:::::::*
redhat	enterprise_linux	8.0	cpe:2.3:o:redhat:enterprise_linux:8.0:::::::*
fedoraproject	fedora	33	cpe:2.3:o:fedoraproject:fedora:33:::::::*
fedoraproject	fedora	34	cpe:2.3:o:fedoraproject:fedora:34:::::::*
fedoraproject	fedora	35	cpe:2.3:o:fedoraproject:fedora:35:::::::*

References for CVE-2021-20208

URL	Tags
https://bugzilla.redhat.com/show_bug.cgi?id=1921116	Issue Tracking Third Party Advisory
https://bugzilla.samba.org/show_bug.cgi?id=14651	Issue Tracking Patch Vendor Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2W4HSDIWXXNQBUW5ZS37RQMLJ7THK5AS/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/66WJ3SVBHCSNQZAWSGLB6FBOCFU45FFG/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z4BZSJXROEFHYATAAHHRR6P3HUSMPQB3/

URL

CVE-2021-20208

Exploit prediction scoring system (EPSS) score for CVE-2021-20208

Common vulnerability scoring system (CVSS) metrics for CVE-2021-20208

Weakness enumeration for CVE-2021-20208

OS Trackers for CVE-2021-20208

Affected software / configurations for CVE-2021-20208

References for CVE-2021-20208