CVE-2023-54280
Description
In the Linux kernel, the following vulnerability has been resolved:
cifs: fix potential race when tree connecting ipc
Protect access of TCP_Server_Info::hostname when building the ipc tree name as it might get freed in cifsd thread and thus causing a use-after-free bug in __tree_connect_dfs_target(). Also, while at it, update status of IPC tcon on success and then avoid any extra tree connects.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A use-after-free race in the Linux kernel's CIFS client when connecting IPC tree shares could allow an attacker to corrupt memory.
Vulnerability
A race condition exists in the Linux kernel's CIFS (Common Internet File System) client code, specifically in the function __tree_connect_dfs_target(). When building the IPC tree share name, the code accesses TCP_Server_Info::hostname without proper synchronization. This field can be freed concurrently by the cifsd kernel thread, leading to a use-after-free (UAF) bug [1][2].
Exploitation
An attacker who can trigger a tree connect to an IPC share (for example, by mounting a CIFS share and causing a DFS referral) may race the freeing of the server's hostname. The attacker does not need local access; the vulnerability is triggered during normal CIFS operations. The race window is small but exploitable if the attacker can control timing.
Impact
Successful exploitation could allow an attacker to corrupt kernel memory, potentially leading to a denial of service (system crash) or, in more severe cases, arbitrary code execution in kernel context. The CIFS client is commonly used in enterprise environments for file sharing, making this a high-severity issue.
Mitigation
The fix, committed to the Linux kernel stable tree, adds proper locking (using rcu_read_lock/rcu_read_unlock) around the access to hostname and also updates the IPC tcon status on success to avoid extra tree connects [1][2]. Users should apply the latest stable kernel updates to remediate this vulnerability.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
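A userspace analogue of the fix pattern described above, added here as an example and not taken from the kernel patch: the IPC tree name is formatted while a lock is held, so the thread that replaces and frees the hostname cannot run in between. The pthread mutex, `struct server_info`, the `MAX_TREE_SIZE` value and the sample hostnames are assumptions standing in for the kernel's own types and locking.

```c
/* Userspace analogue (constructed for illustration); not kernel code. */
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_TREE_SIZE 64        /* assumed buffer size for this demo */
struct server_info {            /* stand-in for TCP_Server_Info */
    pthread_mutex_t lock;       /* assumed stand-in for the kernel-side protection */
    char *hostname;             /* replaced and freed by the other thread */
};

static char *dup_str(const char *s) {
    char *p = malloc(strlen(s) + 1);
    return p ? strcpy(p, s) : NULL;
}

/* Format "\\<hostname>\IPC$" with the lock held, so the pointer cannot be
 * freed between loading it and reading through it. Returns the length. */
int build_ipc_tree_name(struct server_info *srv, char *tree, size_t len) {
    pthread_mutex_lock(&srv->lock);
    int n = snprintf(tree, len, "\\\\%s\\IPC$", srv->hostname);
    pthread_mutex_unlock(&srv->lock);
    return n;
}

/* Plays the role of the cifsd thread: swaps the hostname, frees the old one. */
static void *swap_hostname(void *arg) {
    struct server_info *srv = arg;
    for (int i = 0; i < 20000; i++) {
        char *fresh = dup_str(i % 2 ? "srv-a.example" : "srv-b.example");
        if (!fresh) break;
        pthread_mutex_lock(&srv->lock);
        char *old = srv->hostname;
        srv->hostname = fresh;
        pthread_mutex_unlock(&srv->lock);
        free(old);              /* safe: readers only dereference under the lock */
    }
    return NULL;
}

/* Runs builder and swapper concurrently; returns how many tree names were not
 * one of the two valid values (0 when access is serialized), -1 on setup error. */
int run_race_check(void) {
    struct server_info srv = { PTHREAD_MUTEX_INITIALIZER, dup_str("srv-a.example") };
    pthread_t t;
    char tree[MAX_TREE_SIZE];
    int bad = 0;
    if (!srv.hostname || pthread_create(&t, NULL, swap_hostname, &srv)) return -1;
    for (int i = 0; i < 20000; i++) {
        build_ipc_tree_name(&srv, tree, sizeof(tree));
        bad += strcmp(tree, "\\\\srv-a.example\\IPC$") && strcmp(tree, "\\\\srv-b.example\\IPC$");
    }
    pthread_join(t, NULL);
    free(srv.hostname);
    return bad;
}
```

Building with `-fsanitize=thread` or `-fsanitize=address` and removing the lock calls from `build_ipc_tree_name()` makes the sanitizer report the unsynchronized read of freed memory that the lock prevents.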
Affected products (1)
Patches (3)
536ec71ba060
553476df55a1
ee20d7c61007
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (3)
News mentions (0)
No linked articles in our index yet.