CVE-2022-50856
Description
In the Linux kernel, the following vulnerability has been resolved:
cifs: Fix xid leak in cifs_ses_add_channel()
Before return, should free the xid, otherwise, the xid will be leaked.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A missing xid free in cifs_ses_add_channel() causes a resource leak in the Linux kernel's CIFS client.
Vulnerability
In the Linux kernel's CIFS client, the function cifs_ses_add_channel() allocates a transaction ID (xid) but fails to free it before all return paths. This oversight leads to a resource leak, as the xid is never released back to the pool.
Exploitation
An attacker with the ability to trigger the cifs_ses_add_channel() code path—such as by initiating a multi-channel session setup—can cause repeated xid leaks. No special privileges beyond normal CIFS client usage are required; the leak occurs during routine channel addition operations.
Impact
Each leaked xid consumes a slot in the global xid table, which is a finite resource. Over time, repeated exploitation can exhaust available xids, leading to denial of service (DoS) where new CIFS operations fail to obtain an xid and thus cannot proceed.
Mitigation
The fix, committed in the Linux kernel stable tree, adds a free_xid() call before every return in cifs_ses_add_channel() [1][2]. Users should apply the corresponding kernel patch or update to a version containing the commit.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
47286f8755104847301f0ee1cdb2a8b6c17e1e909d054bdeaVulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
4News mentions
0No linked articles in our index yet.