Description
In the Linux kernel, the following vulnerability has been resolved:

smb: client: prevent races in ->query_interfaces()

It was possible for two query interface works to be concurrently trying
to update the interfaces.

Prevent this by checking and updating iface_last_update under
iface_lock.

Published: 2026-05-06
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A race condition exists in the Linux kernel SMB client when two query interface operations are performed concurrently. The implementation allowed both operations to update interface information at the same time without acquiring a lock, resulting in inconsistent or corrupted kernel data. This flaw is classified as CWE‑821 and can lead to kernel instability, crashes, and system disruptions.
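
The pattern the fix describes, modelled in user space with pthreads as an added example (this is not the kernel's code): each worker checks and stamps iface_last_update inside a single iface_lock critical section, so only one of several concurrent workers performs the refresh. Every name other than iface_last_update and iface_lock, and the 600-second interval, is an assumption made for illustration.

```c
/* User-space model; only iface_lock and iface_last_update come from the page. */
#include <pthread.h>
#include <stdio.h>

#define WORKERS 8
#define REFRESH_INTERVAL 600 /* assumed minimum seconds between refreshes */

struct session {
    pthread_mutex_t iface_lock;
    long iface_last_update; /* time the interface list was last refreshed */
    int refreshes;          /* refreshes actually performed (under iface_lock) */
};
struct job { struct session *s; long now; }; /* hypothetical work item */

/* Check and stamp in ONE critical section: one caller per interval wins. */
static int claim_refresh(struct session *s, long now)
{
    int claimed = 0;
    pthread_mutex_lock(&s->iface_lock);
    if (now - s->iface_last_update >= REFRESH_INTERVAL) {
        s->iface_last_update = now; /* stamp before the lock is dropped */
        s->refreshes++;             /* stands in for the real list update */
        claimed = 1;
    }
    pthread_mutex_unlock(&s->iface_lock);
    return claimed;
}

static void *worker(void *arg)
{
    struct job *j = arg;
    claim_refresh(j->s, j->now);
    return NULL;
}

/* Start WORKERS concurrent "query interfaces" workers; return refresh count. */
int run_concurrent_queries(long now)
{
    struct session s = { .iface_last_update = 0 };
    struct job j = { &s, now };
    pthread_t t[WORKERS];
    pthread_mutex_init(&s.iface_lock, NULL);
    for (int i = 0; i < WORKERS; i++)
        pthread_create(&t[i], NULL, worker, &j);
    for (int i = 0; i < WORKERS; i++)
        pthread_join(t[i], NULL);
    pthread_mutex_destroy(&s.iface_lock);
    return s.refreshes;
}
int main(void) { printf("refreshes: %d\n", run_concurrent_queries(1000)); return 0; }
```

If the timestamp were read outside the lock and written later, several workers could all see a stale value and all proceed, which is the concurrent update the description refers to.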

Affected Systems

The vulnerability affects the Linux kernel, specifically version 5.19 and its release candidate builds rc4 through rc8. Any Linux kernel installation lacking the commit that checks and updates iface_last_update under iface_lock in ->query_interfaces() is potentially impacted. Users should verify that the relevant patch is present or ensure they are running a kernel that includes the change.

Risk and Exploitability

The CVSS score is 8.8 and the EPSS score is less than 1%, indicating a high severity but a low likelihood of exploitation. The flaw is not listed in the CISA KEV catalog. The attack vector is inferred to be local or to require an attacker able to generate concurrent SMB client queries, such as by manipulating SMB traffic from a trusted or compromised host. No public exploits have been reported, and the threat remains theoretical until a proof‑of‑concept is released.

Generated by OpenCVE AI on May 12, 2026 at 23:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a release that includes the commit that checks and updates iface_last_update under iface_lock in ->query_interfaces(), so that the race condition is fully resolved.
  • If an immediate kernel upgrade is not possible, disable the SMB client module or unmount SMB filesystems to remove the vulnerable code path from execution.
  • Restrict SMB traffic to trusted networks or through secure tunnels, reducing the likelihood that an attacker can trigger concurrent queries that exploit the race.

Advisories

No advisories yet.

History

Tue, 12 May 2026 19:00:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:o:linux:linux_kernel:5.19:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.19:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.19:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.19:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.19:rc7:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.19:rc8:*:*:*:*:*:*

Fri, 08 May 2026 13:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


Thu, 07 May 2026 03:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362

Thu, 07 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-821
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate


Wed, 06 May 2026 16:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362

Wed, 06 May 2026 12:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: smb: client: prevent races in ->query_interfaces() It was possible for two query interface works to be concurrently trying to update the interfaces. Prevent this by checking and updating iface_last_update under iface_lock.
Title smb: client: prevent races in ->query_interfaces()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:20:41.885Z

Reserved: 2026-05-01T14:12:55.995Z

Link: CVE-2026-43239

Vulnrichment

No data.

NVD

Status: Analyzed

Published: 2026-05-06T12:16:44.217

Modified: 2026-05-12T18:53:28.560

Link: CVE-2026-43239

Redhat

Severity: Moderate

Public Date: 2026-05-06T00:00:00Z

Links: CVE-2026-43239 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-13T00:00:17Z

Weaknesses