Description
In the Linux kernel, the following vulnerability has been resolved:

smb: client: split cached_fid bitfields to avoid shared-byte RMW races

is_open, has_lease and on_list are stored in the same bitfield byte in
struct cached_fid but are updated in different code paths that may run
concurrently. Bitfield assignments generate byte read–modify–write
operations (e.g. `orb $mask, addr` on x86_64), so updating one flag can
restore stale values of the others.

A possible interleaving is:
CPU1: load old byte (has_lease=1, on_list=1)
CPU2: clear both flags (store 0)
CPU1: RMW store (old | IS_OPEN) -> reintroduces cleared bits

To avoid this class of races, convert these flags to separate bool
fields.
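
The interleaving described above, replayed deterministically in a single thread as an added example (not code from the kernel or from this advisory). The struct layouts, function names and the FLAG_STATE macro are illustrative assumptions. Under the C11 memory model adjacent bitfields form one memory location, whereas separate bool members are distinct memory locations.

```c
#include <stdbool.h>
#include <stdio.h>

/* Illustrative layouts only; not the kernel's struct cached_fid. */
struct flags_packed { bool is_open:1, has_lease:1, on_list:1; }; /* one shared byte */
struct flags_split  { bool is_open, has_lease, on_list; };       /* one byte each */

/* Pack the three flags into an int (is_open=4, has_lease=2, on_list=1). */
#define FLAG_STATE(f) (((f).is_open << 2) | ((f).has_lease << 1) | (f).on_list)

/* Replays the advisory's interleaving on the packed layout. The byte-wide
 * load / modify / store hidden inside "f->is_open = 1" is written out as
 * three explicit steps so CPU2's update can be placed between them. */
int packed_replay(void)
{
    struct flags_packed shared = { .is_open = 0, .has_lease = 1, .on_list = 1 };
    struct flags_packed cpu1_tmp;

    cpu1_tmp = shared;          /* CPU1: load old byte (has_lease=1, on_list=1) */
    shared.has_lease = 0;       /* CPU2: clear both flags */
    shared.on_list = 0;
    cpu1_tmp.is_open = 1;       /* CPU1: old | IS_OPEN in its private copy */
    shared = cpu1_tmp;          /* CPU1: RMW store writes the whole byte back */
    return FLAG_STATE(shared);
}

/* Same order of events with separate bool members: CPU1's update is a store
 * to its own byte, so it has no stale copy of the other flags to write back. */
int split_replay(void)
{
    struct flags_split shared = { .is_open = false, .has_lease = true, .on_list = true };

    shared.has_lease = false;   /* CPU2: clear both flags */
    shared.on_list = false;
    shared.is_open = true;      /* CPU1: store touches is_open only */
    return FLAG_STATE(shared);
}

int main(void)
{
    printf("packed: %d (cleared flags reappear)\n", packed_replay());
    printf("split:  %d (only is_open set)\n", split_replay());
    return 0;
}
```
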
Published: 2026-02-18
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Data corruption and potential denial of service within the Linux SMB client
Action: Immediate Patch
AI Analysis

Impact

The flaw arises from storing several flag bits in a single byte of the cached_fid structure within the Linux SMB client. Concurrent code paths modify these bits separately, causing read‑modify‑write races that can inadvertently restore stale flag values. This race can leave the SMB client in an incorrect, inconsistent state, leading to data corruption, service interruption, or loss of synchronization with the SMB server.

Affected Systems

All Linux kernel releases that include the unpatched SMB client implementation are affected. No specific version range is listed, but any kernel that has not incorporated the latest commit that splits the bitfields into individual boolean members is vulnerable.

Risk and Exploitability

The CVSS score of 8.8 indicates a high severity vulnerability. The EPSS score is below 1%, suggesting low current exploitation probability, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires concurrent execution of the conflicting code paths in the SMB client, typically achievable by a local user with permissions to run SMB client operations. While it does not provide arbitrary code execution, the race condition can disrupt client operations and degrade service availability.

Generated by OpenCVE AI on April 15, 2026 at 17:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the kernel patch that splits the cached_fid bitfield into separate boolean fields, as provided in the commit referenced by the CVE advisory.
  • If an immediate kernel update is not feasible, disable or restrict SMB client usage on the affected systems until the patch is applied to prevent the race condition from being triggered.
  • When a kernel upgrade cannot be performed immediately, isolate impacted workloads from external SMB traffic and monitor for anomalous SMB activity until the patch is applied.



Advisories
Source      ID          Title
Debian DLA  DLA-4499-1  linux-6.1 security update
Debian DSA  DSA-6141-1  linux security update
Debian DSA  DSA-6163-1  linux security update

History

Wed, 15 Apr 2026 17:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362

Thu, 02 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics
  Removed: cvssV3_1 {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}
  Added: cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


Tue, 17 Mar 2026 21:30:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
Metrics
  Removed: cvssV3_1 {'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}
  Added: cvssV3_1 {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}


Mon, 23 Feb 2026 03:30:00 +0000


Thu, 19 Feb 2026 16:15:00 +0000


Thu, 19 Feb 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics
  Removed: threat_severity None
  Added: cvssV3_1 {'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}
  Added: threat_severity Moderate


Wed, 18 Feb 2026 15:30:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: smb: client: split cached_fid bitfields to avoid shared-byte RMW races is_open, has_lease and on_list are stored in the same bitfield byte in struct cached_fid but are updated in different code paths that may run concurrently. Bitfield assignments generate byte read–modify–write operations (e.g. `orb $mask, addr` on x86_64), so updating one flag can restore stale values of the others. A possible interleaving is: CPU1: load old byte (has_lease=1, on_list=1) CPU2: clear both flags (store 0) CPU1: RMW store (old | IS_OPEN) -> reintroduces cleared bits To avoid this class of races, convert these flags to separate bool fields.
Title smb: client: split cached_fid bitfields to avoid shared-byte RMW races
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-13T06:02:46.980Z

Reserved: 2026-01-13T15:37:45.988Z

Link: CVE-2026-23230

Vulnrichment

No data.

NVD

Status: Modified

Published: 2026-02-18T16:22:32.807

Modified: 2026-04-02T15:16:24.460

Link: CVE-2026-23230

Redhat

Severity: Moderate

Public Date: 2026-02-18T00:00:00Z

Links: CVE-2026-23230 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-15T17:15:10Z

Weaknesses