JustAppSec

Path traversal in SMB CSI driver risks destructive SMB cleanup

Published 10 Apr 2026. Source: Openwall oss-security mailing list.

TL;DR — A path traversal bug in Kubernetes’ SMB CSI driver can let users who can create PersistentVolumes trigger cleanup against unintended directories on the SMB server.

What happened

The Kubernetes CSI Driver for SMB (smb.csi.k8s.io) is a Container Storage Interface (CSI) driver that lets Kubernetes mount and manage SMB/CIFS shares as persistent storage.

CVE-2026-3865 reports that the driver’s subDir handling inside volume identifiers (e.g., volumeHandle) had insufficient validation, allowing traversal sequences like ../. During volume deletion / cleanup, the driver can follow those traversal sequences and operate on unintended directories within the SMB export, leading to deletion or modification outside the intended managed subdirectory.

Affected software: Kubernetes CSI Driver for SMB (smb.csi.k8s.io)
Vulnerability class: Path traversal via subDir in volume identifiers
Impact: Deletion/modification of unintended directories on the SMB server
Severity (vendor): CVSS v3.1 6.5 (Medium), vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
Affected versions: All versions prior to v1.20.1
Fixed versions: v1.20.1 and later

Why this matters: storage drivers sit on a high-trust boundary between cluster control-plane actions and external state (fileshares). Path traversal in deletion/cleanup paths is a recurring, high-blast-radius class of bug—especially in clusters where PV creation is available beyond a tightly controlled admin group.

Who is impacted

  • Clusters running the SMB CSI driver (smb.csi.k8s.io).
  • Environments where users (or compromised service accounts) can create PersistentVolumes referencing the SMB CSI driver.
  • Installations running SMB CSI driver versions prior to v1.20.1.

What to do now

  • Follow Kubernetes/vendor remediation guidance and apply a patched SMB CSI driver release (the disclosure states v1.20.1 and later include the fix).
  • Restrict PersistentVolume creation privileges to trusted administrators (the advisory explicitly calls this out as a mitigation).
  • Review SMB exports backing Kubernetes volumes to ensure only intended directories are writable by the driver.
  • Detection / triage:
    • Inspect PersistentVolumes whose spec.csi.driver is smb.csi.k8s.io and review spec.csi.volumeHandle (and any subDir volume attribute) for traversal components such as ../. Note that the PR:H in the vendor's CVSS vector reflects that the attacker already needs PV-create rights; a traversal sequence in a PV is therefore a sign of either a misconfigured or a compromised privileged principal.
    • Review CSI controller logs for directory operations that resolve outside the mount root (example log pattern from the disclosure: Removing subPath: /tmp/mount-uuid/legitimate/../../../exports/subdir).
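The two triage checks above, as an added example that is not code from the csi-driver-smb project or from the advisory. It takes the JSON shape produced by kubectl get pv -o json (a v1.PersistentVolumeList) and a list of controller log lines, and reports SMB CSI volumes whose volumeHandle or subDir attribute contains a '..' component, plus any "Removing subPath:" log line whose path escapes its mount root. Treating '#' as a separator inside volumeHandle is an assumption about the driver's handle format; the sample PV list and log lines are constructed for the example. Non-SMB volumes are skipped so the scan can run over a whole cluster's PV list.

```python
"""Triage helpers for CVE-2026-3865 (SMB CSI driver path traversal).

Added example, not code from the csi-driver-smb project. Input shape follows
`kubectl get pv -o json`. Treating '#' as a component separator inside
volumeHandle is an assumption; '/' and '\\' are ordinary path separators.
"""
import json
import re

SMB_CSI_DRIVER = "smb.csi.k8s.io"
_SPLIT_RE = re.compile(r"[/\\#]")          # component delimiters (see docstring)
_REMOVE_RE = re.compile(r"Removing subPath:\s*(\S+)")


def has_traversal(value):
    """True if any component of value is '..' or a URL-encoded '..'."""
    if not value:
        return False
    if "%2e%2e" in value.lower():
        return True
    return any(part == ".." for part in _SPLIT_RE.split(value))


def find_traversal_volumes(pv_list):
    """Return (pv name, field, value) for SMB CSI PVs carrying a traversal."""
    findings = []
    for pv in pv_list.get("items", []):
        csi = pv.get("spec", {}).get("csi") or {}
        if csi.get("driver") != SMB_CSI_DRIVER:
            continue                        # other drivers are out of scope
        name = pv["metadata"]["name"]
        candidates = {"volumeHandle": csi.get("volumeHandle", "")}
        attrs = csi.get("volumeAttributes") or {}
        for key in ("subDir", "subdir"):
            if key in attrs:
                candidates["volumeAttributes." + key] = attrs[key]
        for field, value in candidates.items():
            if has_traversal(value):
                findings.append((name, field, value))
    return findings


def suspicious_removals(log_lines):
    """Return the path of every 'Removing subPath:' line with a '..' component."""
    hits = []
    for line in log_lines:
        m = _REMOVE_RE.search(line)
        if m and has_traversal(m.group(1)):
            hits.append(m.group(1))
    return hits


# Constructed sample input (not real cluster data): one benign SMB PV, one
# with a traversal in its handle, and a non-SMB PV that must be ignored.
SAMPLE_PVS = json.loads("""{
  "kind": "PersistentVolumeList", "items": [
    {"metadata": {"name": "pv-good"}, "spec": {"csi": {
      "driver": "smb.csi.k8s.io",
      "volumeHandle": "smb.example.internal/share#legitimate#pv-good",
      "volumeAttributes": {"source": "//smb.example.internal/share",
                           "subDir": "legitimate"}}}},
    {"metadata": {"name": "pv-bad"}, "spec": {"csi": {
      "driver": "smb.csi.k8s.io",
      "volumeHandle": "smb.example.internal/share#legitimate/../../../exports/subdir#pv-bad",
      "volumeAttributes": {"source": "//smb.example.internal/share"}}}},
    {"metadata": {"name": "pv-other"}, "spec": {"csi": {
      "driver": "other.csi.example.io",
      "volumeHandle": "disk/../not-our-problem"}}}
  ]}""")

# Constructed controller log lines; the second follows the pattern quoted above.
SAMPLE_LOGS = [
    "I0410 10:00:01.000000 1 controllerserver.go] Removing subPath: /tmp/mount-a1b2/legitimate",
    "I0410 10:00:02.000000 1 controllerserver.go] Removing subPath: /tmp/mount-uuid/legitimate/../../../exports/subdir",
    "I0410 10:00:03.000000 1 controllerserver.go] DeleteVolume: volume pv-good deleted",
]

if __name__ == "__main__":
    for name, field, value in find_traversal_volumes(SAMPLE_PVS):
        print(f"PV {name}: traversal in {field}: {value}")
    for path in suspicious_removals(SAMPLE_LOGS):
        print(f"cleanup escaped mount root: {path}")
```

To run this against a live cluster, feed it json.load of kubectl get pv -o json and the output of kubectl logs on the csi-smb-controller pods; any finding warrants checking who created the PV (audit log) before assuming the subDir was merely mistyped.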
