CVE-2026-23230
Description
In the Linux kernel, the following vulnerability has been resolved:
smb: client: split cached_fid bitfields to avoid shared-byte RMW races
is_open, has_lease and on_list are stored in the same bitfield byte in struct cached_fid but are updated in different code paths that may run concurrently. Bitfield assignments generate byte read–modify–write operations (e.g. orb $mask, addr on x86_64), so updating one flag can restore stale values of the others.
A possible interleaving is:
CPU1: load old byte (has_lease=1, on_list=1)
CPU2: clear both flags (store 0)
CPU1: RMW store (old | IS_OPEN) -> reintroduces cleared bits
To avoid this class of races, convert these flags to separate bool fields.
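The interleaving above, reduced to a stand-alone C simulation (added here for illustration; this is not the kernel's code, and struct cfid_bitfield / struct cfid_bools are hypothetical stand-ins for the before and after layouts of struct cached_fid). The packed version spells out the load / OR / store that a bitfield assignment compiles to and lets the second path run in between; the bool version shows that a plain byte store cannot disturb its neighbours.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Before the fix (hypothetical reduction): three flags share one byte. */
struct cfid_bitfield {
    unsigned char is_open:1, has_lease:1, on_list:1;
};

/* After the fix: each flag lives in its own byte. */
struct cfid_bools {
    bool is_open, has_lease, on_list;
};

/* Ask the compiler which bit it assigned to is_open instead of guessing. */
static unsigned char is_open_mask(void)
{
    struct cfid_bitfield t;
    memset(&t, 0, sizeof t);
    t.is_open = 1;
    return *(unsigned char *)&t;
}

/* Packed layout: returns 1 if the cleared flags came back after the RMW. */
int race_bitfield(void)
{
    struct cfid_bitfield f = { .is_open = 0, .has_lease = 1, .on_list = 1 };
    unsigned char *byte = (unsigned char *)&f;

    unsigned char old = *byte;          /* CPU1: load old byte           */
    f.has_lease = 0;                    /* CPU2: clear both flags        */
    f.on_list = 0;
    *byte = old | is_open_mask();       /* CPU1: RMW store (old|IS_OPEN) */

    return f.has_lease || f.on_list;    /* 1: stale bits reintroduced    */
}

/* Separate bools: returns 1 if CPU1's store disturbed the other flags. */
int race_bools(void)
{
    struct cfid_bools f = { .is_open = false, .has_lease = true, .on_list = true };

    f.has_lease = false;                /* CPU2: clear both flags        */
    f.on_list = false;
    f.is_open = true;                   /* CPU1: plain byte store, no RMW */

    return f.has_lease || f.on_list;    /* 0: neighbours untouched       */
}

int main(void)
{
    printf("bitfield layout loses CPU2's clear: %d\n", race_bitfield());
    printf("bool layout loses CPU2's clear:     %d\n", race_bools());
    return 0;
}
```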
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A race condition in Linux kernel's SMB client cached_fid bitfields allows concurrent updates to restore stale flag values, fixed by converting to separate bool fields.
Vulnerability
A race condition exists in the Linux kernel's SMB client within the cached_fid structure. Three flags (is_open, has_lease, on_list) are stored as bitfields in the same byte. Bitfield assignments are not atomic—they perform a read-modify-write operation on the entire byte. When concurrent code paths update different flags, one path can overwrite another's changes, restoring stale values [1].
Exploitation
To exploit this, an attacker must trigger concurrent SMB operations that modify distinct flags. For example, one path sets is_open while another clears has_lease and on_list. A possible interleaving described in the advisory shows that the clearing operation can be undone, leading to inconsistent state [1].
Impact
This race can result in use-after-free or other memory corruption when the cached_fid is incorrectly considered open or leased. An attacker with the ability to execute code at the SMB client layer could potentially escalate privileges or cause a denial of service [1].
Mitigation
The fix separates the flags into individual bool fields, eliminating the shared byte and thus the read-modify-write race [4]. Users should update to a patched Linux kernel version that includes this commit.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (0)
No patches discovered yet.
References (6)
- git.kernel.org/stable/c/3eaa22d688311c708b73f3c68bc6d0c8e3f0f77a (NVD tag: Patch)
- git.kernel.org/stable/c/4386f6af8aaedd0c5ad6f659b40cadcc8f423828 (NVD tag: Patch)
- git.kernel.org/stable/c/4cfa4c37dcbcfd70866e856200ed8a2894cac578 (NVD tag: Patch)
- git.kernel.org/stable/c/569fecc56bfe4df66f05734d67daef887746656b (NVD tag: Patch)
- git.kernel.org/stable/c/c4b9edd55987384a1f201d3d07ff71e448d79c1b (NVD tag: Patch)
- git.kernel.org/stable/c/ec306600d5ba7148c9dbf8f5a8f1f5c1a044a241 (NVD tag: Patch)