lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <2026021808-CVE-2026-23230-8d0e@gregkh>
Date: Wed, 18 Feb 2026 15:54:19 +0100
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2026-23230: smb: client: split cached_fid bitfields to avoid shared-byte RMW races

From: Greg Kroah-Hartman <gregkh@...nel.org>

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

smb: client: split cached_fid bitfields to avoid shared-byte RMW races

is_open, has_lease and on_list are stored in the same bitfield byte in
struct cached_fid but are updated in different code paths that may run
concurrently. Bitfield assignments generate byte read–modify–write
operations (e.g. `orb $mask, addr` on x86_64), so updating one flag can
restore stale values of the others.

A possible interleaving is:
    CPU1: load old byte (has_lease=1, on_list=1)
    CPU2: clear both flags (store 0)
    CPU1: RMW store (old | IS_OPEN) -> reintroduces cleared bits

To avoid this class of races, convert these flags to separate bool
fields.

The Linux kernel CVE team has assigned CVE-2026-23230 to this issue.


Affected and fixed versions
===========================

	Fixed in 6.6.125 with commit 4386f6af8aaedd0c5ad6f659b40cadcc8f423828
	Fixed in 6.12.72 with commit 3eaa22d688311c708b73f3c68bc6d0c8e3f0f77a
	Fixed in 6.18.11 with commit c4b9edd55987384a1f201d3d07ff71e448d79c1b
	Fixed in 6.19.1 with commit 4cfa4c37dcbcfd70866e856200ed8a2894cac578

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2026-23230
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	fs/smb/client/cached_dir.h


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/4386f6af8aaedd0c5ad6f659b40cadcc8f423828
	https://git.kernel.org/stable/c/3eaa22d688311c708b73f3c68bc6d0c8e3f0f77a
	https://git.kernel.org/stable/c/c4b9edd55987384a1f201d3d07ff71e448d79c1b
	https://git.kernel.org/stable/c/4cfa4c37dcbcfd70866e856200ed8a2894cac578
	https://git.kernel.org/stable/c/ec306600d5ba7148c9dbf8f5a8f1f5c1a044a241

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ