VYPR
Unrated severityNVD Advisory· Published Dec 30, 2025· Updated Apr 15, 2026

CVE-2023-54260


Description

In the Linux kernel, the following vulnerability has been resolved:

cifs: Fix lost destroy smbd connection when MR allocate failed

If the MR allocate failed, the smb direct connection info is NULL, then smbd_destroy() will directly return, then the connection info will be leaked.

Let's set the smb direct connection info to the server before call smbd_destroy().

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A memory leak in Linux kernel's CIFS client when SMB Direct MR allocation fails causes smbd connection info to be lost, but the fix ensures proper cleanup.

Vulnerability Overview

CVE-2023-54260 describes a memory leak vulnerability in the Linux kernel's CIFS (Common Internet File System) client. The issue occurs in the SMB Direct (SMBD) connection handling code. When a memory region (MR) allocation fails during connection setup, the server's SMBD connection info pointer is still NULL. When smbd_destroy() is then called, it returns early because of the NULL pointer and never frees the connection info structure, resulting in a memory leak. [1][2]

Exploitation and Root Cause

The root cause is a missing assignment of the SMBD connection info to the server structure before invoking smbd_destroy(). Under normal conditions, smbd_destroy() cleans up the connection. However, if MR allocation fails, the connection info pointer is not properly saved, so the cleanup routine cannot access it. No special privileges or network position beyond regular CIFS usage is required to trigger this code path—any user or process that triggers CIFS SMB Direct connections with failing MR allocations can cause the leak.

Impact

An attacker who can repeatedly trigger the affected code path (e.g., by initiating CIFS mounts that experience MR allocation failures) can exhaust kernel memory over time. This may lead to denial of service (DoS) conditions, impacting system stability and availability. The leak does not directly allow arbitrary code execution or privilege escalation.

Mitigation

The fix, committed to the Linux kernel stable tree, ensures that the SMBD connection info is assigned to the server structure before calling smbd_destroy(), regardless of whether MR allocation succeeds or fails. Users should update their kernel to include commit caac205e0d5b44c4c23a10c6c0976d50ebe16ac2 (or equivalent backport). No workaround is available apart from avoiding the use of SMB Direct connections or applying the kernel patch. [3]
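The ordering problem and its fix, as an added userspace model in C (not the kernel's code and not part of the advisory). The struct names and `model_destroy`, `model_connect` and `leaked_after` are hypothetical stand-ins, and the `mr_fails` flag simulates the MR allocation failure.

```c
#include <stdio.h>
#include <stdlib.h>

/* Userspace model only; all names are hypothetical, not the kernel's. */
struct conn_info { int id; };
struct server { struct conn_info *conn; };
static int live_conns;              /* connection objects not yet freed */

/* Stand-in for smbd_destroy(): it can reach the connection info only
 * through the server, and returns early when nothing is attached. */
static void model_destroy(struct server *srv)
{
    struct conn_info *info = srv->conn;
    if (!info)
        return;                     /* unpatched failure path ends here */
    free(info);
    srv->conn = NULL;
    live_conns--;
}

/* Stand-in for connection setup. mr_fails simulates MR allocation failure;
 * patched selects the fixed ordering (attach first, then destroy). */
static int model_connect(struct server *srv, int mr_fails, int patched)
{
    struct conn_info *info = calloc(1, sizeof(*info));
    if (!info)
        return -1;
    live_conns++;
    if (mr_fails) {
        if (patched)
            srv->conn = info;       /* the fix: make info reachable */
        model_destroy(srv);         /* unpatched: srv->conn is NULL, info leaks */
        return -1;
    }
    srv->conn = info;
    return 0;
}

/* Number of connection objects still allocated after N failed setups. */
static int leaked_after(int attempts, int patched)
{
    struct server srv = { NULL };
    live_conns = 0;
    for (int i = 0; i < attempts; i++)
        model_connect(&srv, 1, patched);
    return live_conns;
}

int main(void)
{
    printf("unpatched: %d leaked\n", leaked_after(100, 0));
    printf("patched:   %d leaked\n", leaked_after(100, 1));
    return 0;
}
```

Each failed setup in the unpatched ordering strands one object, which is why repeated failures add up to the memory exhaustion described under Impact.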

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 7


References: 7
