Description
In the Linux kernel, the following vulnerability has been resolved:

smb: client: prevent races in ->query_interfaces()

It was possible for two query interface works to be concurrently trying
to update the interfaces.

Prevent this by checking and updating iface_last_update under
iface_lock.
Published: 2026-05-06
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A race condition exists in the Linux kernel SMB client when two query interface operations are performed concurrently. The implementation allows both threads to attempt to update interface information at the same time without proper locking.

Affected Systems

All installations of the Linux kernel are potentially affected, as the common platform enumeration refers to the generic Linux kernel and no specific version range is provided. Users should examine the kernel release notes around the commit references listed in the advisory to determine whether their current kernel includes the patch that adds locking to the query interface.

Risk and Exploitability

The CVSS score is 5.5, the EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, so the objective severity is moderate. The likely attack vector is local or privileged access, inferred from the requirement that an attacker would need to trigger simultaneous SMB client operations to exercise the race. No publicly documented exploits exist; the threat remains theoretical until proof-of-concept code is released.

Generated by OpenCVE AI on May 7, 2026 at 04:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that includes the commit referenced in the advisory, so that iface_last_update is checked and updated under iface_lock.
  • Disable the SMB client feature if the kernel cannot be updated immediately, mitigating the race by eliminating the vulnerable code path.
  • Restrict SMB traffic to trusted hosts or via secure tunnels, reducing the opportunity for an attacker to invoke concurrent queries at the vulnerable point.

Advisories

No advisories yet.

History

Thu, 07 May 2026 03:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362

Thu, 07 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-821
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate


Wed, 06 May 2026 16:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362

Wed, 06 May 2026 12:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: smb: client: prevent races in ->query_interfaces() It was possible for two query interface works to be concurrently trying to update the interfaces. Prevent this by checking and updating iface_last_update under iface_lock.
Title smb: client: prevent races in ->query_interfaces()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-07T17:14:57.790Z

Reserved: 2026-05-01T14:12:55.995Z

Link: CVE-2026-43239

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-06T12:16:44.217

Modified: 2026-05-06T13:07:51.607

Link: CVE-2026-43239

Redhat

Severity : Moderate

Public Date: 2026-05-06T00:00:00Z

Links: CVE-2026-43239 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-07T04:30:21Z

Weaknesses