CVE-2023-54258
Description
In the Linux kernel, the following vulnerability has been resolved:
cifs: fix potential oops in cifs_oplock_break
With deferred close we can have closes that race with lease breaks, and so with the current checks for whether to send the lease response, oplock_response(), this can mean that an unmount (kill_sb) can occur just before we were checking if the tcon->ses is valid. See below:
[Fri Aug 4 04:12:50 2023] RIP: 0010:cifs_oplock_break+0x1f7/0x5b0 [cifs]
[Fri Aug 4 04:12:50 2023] Code: 7d a8 48 8b 7d c0 c0 e9 02 48 89 45 b8 41 89 cf e8 3e f5 ff ff 4c 89 f7 41 83 e7 01 e8 82 b3 03 f2 49 8b 45 50 48 85 c0 74 5e <48> 83 78 60 00 74 57 45 84 ff 75 52 48 8b 43 98 48 83 eb 68 48 39
[Fri Aug 4 04:12:50 2023] RSP: 0018:ffffb30607ddbdf8 EFLAGS: 00010206
[Fri Aug 4 04:12:50 2023] RAX: 632d223d32612022 RBX: ffff97136944b1e0 RCX: 0000000080100009
[Fri Aug 4 04:12:50 2023] RDX: 0000000000000001 RSI: 0000000080100009 RDI: ffff97136944b188
[Fri Aug 4 04:12:50 2023] RBP: ffffb30607ddbe58 R08: 0000000000000001 R09: ffffffffc08e0900
[Fri Aug 4 04:12:50 2023] R10: 0000000000000001 R11: 000000000000000f R12: ffff97136944b138
[Fri Aug 4 04:12:50 2023] R13: ffff97149147c000 R14: ffff97136944b188 R15: 0000000000000000
[Fri Aug 4 04:12:50 2023] FS: 0000000000000000(0000) GS:ffff9714f7c00000(0000) knlGS:0000000000000000
[Fri Aug 4 04:12:50 2023] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[Fri Aug 4 04:12:50 2023] CR2: 00007fd8de9c7590 CR3: 000000011228e000 CR4: 0000000000350ef0
[Fri Aug 4 04:12:50 2023] Call Trace:
[Fri Aug 4 04:12:50 2023]
[Fri Aug 4 04:12:50 2023] process_one_work+0x225/0x3d0
[Fri Aug 4 04:12:50 2023] worker_thread+0x4d/0x3e0
[Fri Aug 4 04:12:50 2023] ? process_one_work+0x3d0/0x3d0
[Fri Aug 4 04:12:50 2023] kthread+0x12a/0x150
[Fri Aug 4 04:12:50 2023] ? set_kthread_struct+0x50/0x50
[Fri Aug 4 04:12:50 2023] ret_from_fork+0x22/0x30
[Fri Aug 4 04:12:50 2023]
To fix this, change the ordering of the checks before sending the oplock_response to first check if the openFileList is empty.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A race between a deferred close and a server-initiated lease break in the Linux kernel's CIFS client lets an unmount tear down the SMB session while cifs_oplock_break is still running, so the handler dereferences a stale tcon->ses and the kernel oopses.
Vulnerability
Overview
CVE-2023-54258 is a race condition in the Linux kernel's CIFS (SMB) client that ends in an invalid pointer dereference inside cifs_oplock_break, the workqueue function that handles oplock (opportunistic lock) and lease breaks sent by the server. With deferred close, a file close can race with a lease break: the checks that decide whether a lease response should be sent (oplock_response()) run after the handler has already reached for tcon->ses, so an unmount (kill_sb) that tears the session down in that window leaves the handler dereferencing a stale session pointer and the kernel oopses [1][2]. The commit message only promises a "potential oops", and the quoted trace is worth reading before calling this a NULL pointer dereference: the marked instruction in the Code: line (48 83 78 60 00, cmpq $0,0x60(%rax)) dereferences RAX, and RAX holds 632d223d32612022, a non-canonical value made entirely of printable bytes. That pattern is what a freed and reused object looks like, not a NULL pointer, and it also means CR2 (a user-space address here) is stale rather than the faulting address, since a general protection fault does not update it.
Exploitation
Conditions
Two events have to coincide on one CIFS mount: a lease or oplock break arriving from the SMB server while the only remaining handle on the file is a deferred close (this queues cifs_oplock_break on a kernel workqueue), and an unmount (kill_sb) of that mount racing with the handler. The server side of that timing belongs to whoever operates, or can impersonate, the SMB server; the client side requires the ability to mount and unmount the share, which on most systems means root or a user-mountable fstab entry. No further privilege is needed, and because the fault happens in kernel workqueue context (process_one_work in the trace) it does not require the attacker to control the process that performed the unmount.
Impact
Hitting the race produces a kernel oops in cifs_oplock_break. The kernel kills the task that faulted, here a kworker thread, leaving the CIFS mount in an undefined state, and panics the whole machine where panic_on_oops is set. This is a denial-of-service condition. The trace shows the handler faulting on a stale tcon->ses pointer; nothing in the cited sources indicates the bug can be turned into privilege escalation or arbitrary code execution, so the impact to plan for is instability and crash.
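As an added triage example, not part of this advisory or of the kernel's own tooling, the following Python script parses a dmesg-style oops like the one quoted above and answers the questions a responder asks first: which function and module faulted, was the fault reached from a workqueue, and does the register state look like a NULL dereference or like a freed-and-reused object. The sample input is constructed from the advisory's own trace lines (with the <TASK> markers that dmesg prints around a call trace restored); the canonical-address and printable-bytes checks are heuristics of my own, not kernel logic, and the function names are mine.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: the oops quoted in this advisory, one line per dmesg entry.
SAMPLE_OOPS = """\
[Fri Aug 4 04:12:50 2023] RIP: 0010:cifs_oplock_break+0x1f7/0x5b0 [cifs]
[Fri Aug 4 04:12:50 2023] Code: 7d a8 48 8b 7d c0 c0 e9 02 48 89 45 b8 41 89 cf e8 3e f5 ff ff 4c 89 f7 41 83 e7 01 e8 82 b3 03 f2 49 8b 45 50 48 85 c0 74 5e <48> 83 78 60 00 74 57 45 84 ff 75 52 48 8b 43 98 48 83 eb 68 48 39
[Fri Aug 4 04:12:50 2023] RSP: 0018:ffffb30607ddbdf8 EFLAGS: 00010206
[Fri Aug 4 04:12:50 2023] RAX: 632d223d32612022 RBX: ffff97136944b1e0 RCX: 0000000080100009
[Fri Aug 4 04:12:50 2023] RDX: 0000000000000001 RSI: 0000000080100009 RDI: ffff97136944b188
[Fri Aug 4 04:12:50 2023] RBP: ffffb30607ddbe58 R08: 0000000000000001 R09: ffffffffc08e0900
[Fri Aug 4 04:12:50 2023] R10: 0000000000000001 R11: 000000000000000f R12: ffff97136944b138
[Fri Aug 4 04:12:50 2023] R13: ffff97149147c000 R14: ffff97136944b188 R15: 0000000000000000
[Fri Aug 4 04:12:50 2023] FS:  0000000000000000(0000) GS:ffff9714f7c00000(0000) knlGS:0000000000000000
[Fri Aug 4 04:12:50 2023] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[Fri Aug 4 04:12:50 2023] CR2: 00007fd8de9c7590 CR3: 000000011228e000 CR4: 0000000000350ef0
[Fri Aug 4 04:12:50 2023] Call Trace:
[Fri Aug 4 04:12:50 2023]  <TASK>
[Fri Aug 4 04:12:50 2023]  process_one_work+0x225/0x3d0
[Fri Aug 4 04:12:50 2023]  worker_thread+0x4d/0x3e0
[Fri Aug 4 04:12:50 2023]  ? process_one_work+0x3d0/0x3d0
[Fri Aug 4 04:12:50 2023]  kthread+0x12a/0x150
[Fri Aug 4 04:12:50 2023]  ? set_kthread_struct+0x50/0x50
[Fri Aug 4 04:12:50 2023]  ret_from_fork+0x22/0x30
[Fri Aug 4 04:12:50 2023]  </TASK>
"""

_PREFIX = re.compile(r"^\[[^\]]*\]\s?")                       # dmesg timestamp
_RIP = re.compile(r"RIP: [0-9a-f]{4}:(\w+)\+0x([0-9a-f]+)/0x([0-9a-f]+)(?:\s+\[(\w+)\])?")
_REG = re.compile(r"\b([A-Z][A-Z0-9]{1,2}):\s*(?:[0-9a-f]{4}:)?([0-9a-f]{16})\b")
_FRAME = re.compile(r"^\s*(\?\s+)?(\w+)\+0x[0-9a-f]+/0x[0-9a-f]+(?:\s+\[(\w+)\])?")


@dataclass
class Oops:
    symbol: Optional[str] = None          # function at RIP
    module: Optional[str] = None          # module in [brackets], None for core kernel
    offset: int = 0
    regs: Dict[str, int] = field(default_factory=dict)
    frames: List[Tuple[str, Optional[str], bool]] = field(default_factory=list)
    # each frame: (symbol, module, exact); exact is False for "? sym" guesses


def parse_oops(text: str) -> Oops:
    oops, in_trace = Oops(), False
    for raw in text.splitlines():
        line = _PREFIX.sub("", raw, count=1).rstrip()
        if in_trace:
            if line.strip() in ("", "<TASK>", "</TASK>"):
                continue
            m = _FRAME.match(line)
            if m:
                oops.frames.append((m.group(2), m.group(3), m.group(1) is None))
                continue
            in_trace = False                     # anything else ends the call trace
        if line.startswith("Call Trace:"):
            in_trace = True
            continue
        m = _RIP.search(line)
        if m:
            oops.symbol, oops.offset, oops.module = m.group(1), int(m.group(2), 16), m.group(4)
            continue
        for name, value in _REG.findall(line):   # only 64-bit register dumps
            oops.regs[name] = int(value, 16)
    return oops


def is_canonical(addr: int) -> bool:
    """x86-64 with 48-bit virtual addresses: bits 63..47 must all equal bit 47."""
    top = addr >> 47
    return top == 0 or top == 0x1FFFF


def looks_like_text(value: int) -> bool:
    """All eight little-endian bytes printable ASCII: a 'pointer' that is really
    string data, typical of an object that was freed and reused (heuristic)."""
    return all(0x20 <= b < 0x7F for b in value.to_bytes(8, "little"))


def suspicious_registers(oops: Oops) -> List[str]:
    """General-purpose registers holding a value that cannot be a valid pointer."""
    return sorted(r for r, v in oops.regs.items() if r.startswith("R") and not is_canonical(v))


def fault_kind(oops: Oops) -> str:
    """Heuristic: a non-canonical pointer means #GP, and #GP does not update CR2,
    so CR2 must be ignored; otherwise CR2 is the faulting address."""
    bad = suspicious_registers(oops)
    if bad:
        return "general protection fault: non-canonical pointer in " + ", ".join(bad)
    cr2 = oops.regs.get("CR2")
    if cr2 is None:
        return "unknown"
    return ("NULL pointer dereference" if cr2 < 0x1000 else "page fault") + " at 0x%x" % cr2


def matches_cifs_oplock_break_oops(oops: Oops) -> bool:
    """Signature from this advisory: fault inside cifs_oplock_break in the cifs
    module, reached from the kernel workqueue rather than from a syscall."""
    in_workqueue = any(sym in ("process_one_work", "worker_thread") and exact
                       for sym, _mod, exact in oops.frames)
    return oops.symbol == "cifs_oplock_break" and oops.module == "cifs" and in_workqueue


if __name__ == "__main__":
    o = parse_oops(SAMPLE_OOPS)
    print("faulting symbol:", o.symbol, "in", o.module, "at +0x%x" % o.offset)
    print("fault kind:", fault_kind(o))
    print("RAX reads as text:", looks_like_text(o.regs["RAX"]))
    print("matches CVE-2023-54258 signature:", matches_cifs_oplock_break_oops(o))
```

Run against the advisory's trace it reports the fault in cifs_oplock_break [cifs] from workqueue context and flags RAX as non-canonical text-like data, which is the evidence for reading this crash as a stale object rather than a NULL check that was simply missing. Feed it a real dmesg capture to compare a crash in your fleet against the same signature.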
Mitigation
The fix reorders the checks made before the oplock response is sent so that cifs_oplock_break first tests whether the inode's openFileList is empty and only then consults tcon->ses; when no open handles remain there is no response to send and the possibly torn-down session is never touched. The commits [1] and [2] are the mainline fix and its stable backport (listed under Patches). Update to a kernel that contains one of them: Linux 6.5 and later carry the mainline change, and earlier stable series carry the backport. No workaround is documented in the cited sources.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 4b99f490ea87e5ee28bcfbaac6b67a6d2e506e8f5f849ffce
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 4
News mentions: 0. No linked articles in our index yet.