CVE-2026-23205
📋 TL;DR
A memory leak vulnerability exists in the Linux kernel's SMB client implementation in the smb2_open_file() function. This vulnerability allows unprivileged local users to cause kernel memory exhaustion by repeatedly mounting read-only CIFS shares and performing file operations. Systems using CIFS/SMB mounts are affected.
💻 Affected Systems
- Linux Kernel
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Local denial of service through kernel memory exhaustion, potentially causing system instability or crashes when unloading the cifs module.
Likely Case
Memory leak during CIFS operations that could degrade performance over time, particularly noticeable when unloading the cifs module.
If Mitigated
Minimal impact with proper monitoring and module management practices.
🎯 Exploit Status
Exploitation requires local access and ability to mount CIFS shares. The reproducer shows specific steps to trigger the memory leak.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Patched in stable kernel commits: 3a6d6b332f92990958602c1e35ce0173e2dd62e9, 743f70406264348c0830f38409eb6c40a42fb2db, 9ee608a64e37cea5b4b13e436c559dd0fb2ad1b5, b64e3b5d8d759dd4333992e4ba4dadf9359952c8, e3a43633023e3cacaca60d4b8972d084a2b06236
Vendor Advisory: https://git.kernel.org/stable/c/3a6d6b332f92990958602c1e35ce0173e2dd62e9
Restart Required: No
Instructions:
1. Update to a patched kernel version containing the fix commits.
2. For distributions: Use package manager to update kernel package.
3. For custom kernels: Apply the relevant patches from the stable tree.
4. No reboot required for module unloading scenario, but kernel update may require reboot.
🔧 Temporary Workarounds
Disable CIFS module unloading
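Prevent unloading of the cifs module to avoid triggering the memory leak during shutdown. Note that the modprobe 'install' directive below replaces loading of cifs with /bin/true, so its effect is to stop modprobe from loading the module (and with it new CIFS mounts); it does not block rmmod on a module that is already loaded.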
echo 'install cifs /bin/true' >> /etc/modprobe.d/cifs.conf
Restrict CIFS mount permissions
Limit which users can mount CIFS shares to reduce attack surface.
chmod 750 /usr/bin/mount.cifs
setfacl -m u:root:rwx /usr/bin/mount.cifs
🧯 If You Can't Patch
- Monitor system memory usage and kernel logs for cifs-related warnings
- Avoid unloading cifs module in production environments
🔍 How to Verify
Check if Vulnerable:
Check kernel version and whether cifs module is loaded. The vulnerability manifests as kernel warnings when unloading cifs module after specific file operations on read-only mounts.
Check Version:
uname -r
Verify Fix Applied:
After patching, attempt the reproducer steps and verify no kernel warnings appear when unloading cifs module.
📡 Detection & Monitoring
Log Indicators:
- Kernel warnings about 'Objects remaining on __kmem_cache_shutdown()'
- cifs module unloading errors
- Memory allocation failures in kernel logs
Network Indicators:
- CIFS mount operations followed by module unload attempts
SIEM Query:
source="kernel" AND ("cifs_small_rq" OR "__kmem_cache_shutdown" OR "kmem_cache_destroy cifs")
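As an added example (not from the original page or the kernel project), the shell functions below apply the log indicators above to kernel log text and report only slab caches whose name starts with cifs, so unrelated __kmem_cache_shutdown() reports from other modules are not flagged. The sample log lines are constructed, and their exact layout is an assumption.

```shell
#!/bin/sh
# Added example: find cifs slab-leak indicators in kernel log text on stdin.

# Print "<cache-name> <hit-count>" for every cifs* slab cache named in a
# "Objects remaining on __kmem_cache_shutdown()" or "kmem_cache_destroy" line.
cifs_leak_caches() {
    awk '
        /Objects remaining on __kmem_cache_shutdown/ || /kmem_cache_destroy / {
            name = ""
            # The cache name is the word after "BUG" or "kmem_cache_destroy".
            for (i = 1; i < NF; i++)
                if ($i == "BUG" || $i == "kmem_cache_destroy") { name = $(i + 1); break }
            sub(/:$/, "", name)
            # Ignore slab reports that belong to other subsystems.
            if (name ~ /^cifs/) seen[name]++
        }
        END { for (n in seen) print n, seen[n] }
    ' | sort
}

# Returns 1 when any cifs cache is reported, so it can gate a monitoring job.
cifs_leak_check() {
    caches=$(cifs_leak_caches)
    if [ -n "$caches" ]; then
        printf 'cifs slab caches with leaked objects (name hits):\n%s\n' "$caches"
        return 1
    fi
    echo 'no cifs slab leak indicators'
}

# Constructed sample log (not captured output); demo_cache is a hypothetical
# non-cifs cache included to show that it is ignored.
sample_kernel_log() {
    cat <<'EOF'
[  101.000001] CIFS: Attempting to mount //srv.example/share
[  245.120034] BUG cifs_small_rq (Not tainted): Objects remaining on __kmem_cache_shutdown()
[  245.120101] kmem_cache_destroy cifs_small_rq: Slab cache still has objects when called from cifs_destroy_request_bufs
[  250.000010] BUG demo_cache (Not tainted): Objects remaining on __kmem_cache_shutdown()
EOF
}

# Live use (needs permission to read the kernel log):
#   dmesg | cifs_leak_check
#   journalctl -k --no-pager | cifs_leak_check
sample_kernel_log | cifs_leak_check || true
```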
🔗 References
- https://git.kernel.org/stable/c/3a6d6b332f92990958602c1e35ce0173e2dd62e9
- https://git.kernel.org/stable/c/743f70406264348c0830f38409eb6c40a42fb2db
- https://git.kernel.org/stable/c/9ee608a64e37cea5b4b13e436c559dd0fb2ad1b5
- https://git.kernel.org/stable/c/b64e3b5d8d759dd4333992e4ba4dadf9359952c8
- https://git.kernel.org/stable/c/e3a43633023e3cacaca60d4b8972d084a2b06236