CVE-2026-23230
Modified Modified - Updated After Analysis
Race Condition in Linux Kernel SMB Client Bitfield Handling

Publication date: 2026-02-18

Last updated on: 2026-06-02

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: smb: client: split cached_fid bitfields to avoid shared-byte RMW races is_open, has_lease and on_list are stored in the same bitfield byte in struct cached_fid but are updated in different code paths that may run concurrently. Bitfield assignments generate byte read–modify–write operations (e.g. `orb $mask, addr` on x86_64), so updating one flag can restore stale values of the others. A possible interleaving is: CPU1: load old byte (has_lease=1, on_list=1) CPU2: clear both flags (store 0) CPU1: RMW store (old | IS_OPEN) -> reintroduces cleared bits To avoid this class of races, convert these flags to separate bool fields.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-18
Last Modified
2026-06-02
Generated
2026-06-16
AI Q&A
2026-02-18
EPSS Evaluated
2026-06-14
NVD
CVE-2026-23230
Affected Vendors & Products
Showing 5 associated CPEs
Vendor Product Version / Range
linux linux_kernel From 6.19 (inc) to 6.19.1 (exc)
linux linux_kernel From 6.2 (inc) to 6.6.125 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.72 (exc)
linux linux_kernel From 6.13 (inc) to 6.18.11 (exc)
linux linux_kernel From 6.1 (inc) to 6.1.164 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's SMB client code where multiple flags (is_open, has_lease, and on_list) are stored in the same bitfield byte within the struct cached_fid. These flags are updated in different code paths that may run concurrently, leading to race conditions during byte read-modify-write operations. Specifically, when one flag is updated, it can unintentionally restore stale values of the other flags due to concurrent access, causing inconsistent or incorrect flag states.

The issue arises because bitfield assignments generate byte-level read-modify-write instructions, which are not atomic for individual bits. This can cause interleaving where one CPU loads an old byte value, another CPU clears flags, and then the first CPU writes back a value that reintroduces cleared bits. The fix involves splitting these flags into separate boolean fields to avoid shared-byte race conditions.

Impact Analysis

This vulnerability can lead to race conditions in the Linux kernel SMB client, potentially causing incorrect or inconsistent internal state regarding file identifiers and leases. Such inconsistencies might result in unexpected behavior, data corruption, or stability issues when accessing SMB shares concurrently.

While the description does not specify direct security impacts like privilege escalation or data leakage, the race condition could affect the reliability and correctness of SMB client operations, which might indirectly impact system stability or data integrity.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

This vulnerability has been resolved by splitting the cached_fid bitfields into separate boolean fields to avoid shared-byte read-modify-write races in the Linux kernel smb client.

To mitigate this vulnerability, you should update your Linux kernel to a version that includes this fix.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23230. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart