CVE-2023-53794
Description
In the Linux kernel, the following vulnerability has been resolved:
cifs: fix session state check in reconnect to avoid use-after-free issue
Don't collect exiting session in smb2_reconnect_server(), because it will be released soon.
Note that the exiting session will stay in server->smb_ses_list until it completes cifs_free_ipc() and logoff() and then deletes itself from the list.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A use-after-free in the Linux kernel's CIFS client occurs when a session being torn down is collected during reconnect, allowing an attacker to trigger a race condition.
Root Cause
The vulnerability resides in the Linux kernel's CIFS (Common Internet File System) client, specifically in the smb2_reconnect_server() function. The session state check fails to exclude sessions that are in the process of being torn down (exiting). These exiting sessions remain linked in server->smb_ses_list until they complete cifs_free_ipc() and logoff, creating a window where a dangling pointer can be dereferenced [1].
Exploitation
An attacker with the ability to trigger a network reconnection event on a CIFS mount can race the session teardown. No authentication is required beyond the existing mount credentials; the attacker must be able to cause a disconnect/reconnect (e.g., by network disruption or by sending a disconnect request). The race window is narrow but exists between the session being marked as exiting and its removal from the list [1].
Impact
Successful exploitation leads to a use-after-free condition, which can be leveraged to crash the system (denial of service) or, potentially, to achieve arbitrary code execution in kernel context. CIFS is commonly used in enterprise environments for file sharing, making this a high-severity issue for affected systems.
Mitigation
The fix, committed to the Linux kernel stable tree, corrects the session state check so that exiting sessions are skipped during reconnect [1]. Users should apply the patch or update to a kernel version containing the fix. No workaround is available; the vulnerability is patched in the referenced commit.
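The skip described above, shown as an added example: a simplified, single-threaded user-space model, not the kernel's code or the patch itself. The type, state and function names are constructed for illustration, and the locking that the kernel performs around the state check is left out.

```c
#include <stddef.h>

/* Simplified user-space model; every name here is constructed for
 * illustration and is not a kernel definition. */
enum ses_state { STATE_GOOD, STATE_NEED_RECONNECT, STATE_EXITING };

struct session {
    enum ses_state state;
    int refcount;            /* references currently held on the session */
    struct session *next;    /* link in the server's session list */
};

/*
 * Walk the server's session list and collect sessions for reconnect,
 * taking a reference on each one collected. With skip_exiting set, a
 * session that is being torn down is left alone: it is still linked in
 * the list, but its owner is about to free it, so a reference taken
 * here would outlive the object.
 * Returns the number of sessions stored in out[].
 */
size_t collect_for_reconnect(struct session *head, struct session **out,
                             size_t max, int skip_exiting)
{
    size_t n = 0;
    for (struct session *s = head; s != NULL && n < max; s = s->next) {
        if (skip_exiting && s->state == STATE_EXITING)
            continue;        /* will be released soon, do not collect */
        s->refcount++;
        out[n++] = s;
    }
    return n;
}

/* Constructed sample: three sessions on one list, the middle one exiting
 * (its owner has already dropped the last reference). */
size_t demo(int skip_exiting, struct session **out)
{
    static struct session a, b, c;
    c = (struct session){ STATE_NEED_RECONNECT, 1, NULL };
    b = (struct session){ STATE_EXITING, 0, &c };
    a = (struct session){ STATE_GOOD, 1, &b };
    return collect_for_reconnect(&a, out, 3, skip_exiting);
}
```

Without the state check the exiting session is handed to the reconnect path with a fresh reference while its teardown continues; with the check it is never collected.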
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 3
7e4f5c3f01fb
759ffc164d95
99f280700b4c
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 3
News mentions: 0
No linked articles in our index yet.