FKIE_CVE-2026-23205

Vulnerability from fkie_nvd - Published: 2026-02-14 17:15 - Updated: 2026-03-18 17:10
Severity ?
5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
In the Linux kernel, the following vulnerability has been resolved: smb/client: fix memory leak in smb2_open_file() Reproducer: 1. server: directories are exported read-only 2. client: mount -t cifs //${server_ip}/export /mnt 3. client: dd if=/dev/zero of=/mnt/file bs=512 count=1000 oflag=direct 4. client: umount /mnt 5. client: sleep 1 6. client: modprobe -r cifs The error message is as follows: ============================================================================= BUG cifs_small_rq (Not tainted): Objects remaining on __kmem_cache_shutdown() ----------------------------------------------------------------------------- Object 0x00000000d47521be @offset=14336 ... WARNING: mm/slub.c:1251 at __kmem_cache_shutdown+0x34e/0x440, CPU#0: modprobe/1577 ... Call Trace: <TASK> kmem_cache_destroy+0x94/0x190 cifs_destroy_request_bufs+0x3e/0x50 [cifs] cleanup_module+0x4e/0x540 [cifs] __se_sys_delete_module+0x278/0x400 __x64_sys_delete_module+0x5f/0x70 x64_sys_call+0x2299/0x2ff0 do_syscall_64+0x89/0x350 entry_SYSCALL_64_after_hwframe+0x76/0x7e ... kmem_cache_destroy cifs_small_rq: Slab cache still has objects when called from cifs_destroy_request_bufs+0x3e/0x50 [cifs] WARNING: mm/slab_common.c:532 at kmem_cache_destroy+0x16b/0x190, CPU#0: modprobe/1577
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/3a6d6b332f92990958602c1e35ce0173e2dd62e9Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/743f70406264348c0830f38409eb6c40a42fb2dbPatch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/9ee608a64e37cea5b4b13e436c559dd0fb2ad1b5Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/b64e3b5d8d759dd4333992e4ba4dadf9359952c8Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/e3a43633023e3cacaca60d4b8972d084a2b06236Patch
Impacted products
Vendor Product Version
linux linux_kernel *
linux linux_kernel *
linux linux_kernel *
linux linux_kernel *
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "00623C11-0443-4B37-8CA8-ED9E2C277A00",
              "versionEndExcluding": "6.1.163",
              "versionStartIncluding": "6.1.141",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "256DA482-7687-4432-B13E-8503C2B68F90",
              "versionEndExcluding": "6.6.124",
              "versionStartIncluding": "6.6.93",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "046F65ED-1039-4099-926A-7D989329B28C",
              "versionEndExcluding": "6.12.70",
              "versionStartIncluding": "6.12.31",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "A420E6FD-A5EF-4EB6-991E-DA6CB5C3316F",
              "versionEndExcluding": "6.18.10",
              "versionStartIncluding": "6.14.9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*",
              "matchCriteriaId": "17B67AA7-40D6-4AFA-8459-F200F3D7CFD1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*",
              "matchCriteriaId": "C47E4CC9-C826-4FA9-B014-7FE3D9B318B2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*",
              "matchCriteriaId": "F71D92C0-C023-48BD-B3B6-70B638EEE298",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*",
              "matchCriteriaId": "13580667-0A98-40CC-B29F-D12790B91BDB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*",
              "matchCriteriaId": "CAD1FED7-CF48-47BF-AC7D-7B6FA3C065FC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*",
              "matchCriteriaId": "3EF854A1-ABB1-4E93-BE9A-44569EC76C0D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc7:*:*:*:*:*:*",
              "matchCriteriaId": "F5DC0CA6-F0AF-4DDF-A882-3DADB9A886A7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc8:*:*:*:*:*:*",
              "matchCriteriaId": "EB5B7DFC-C36B-45D8-922C-877569FDDF43",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb/client: fix memory leak in smb2_open_file()\n\nReproducer:\n\n  1. server: directories are exported read-only\n  2. client: mount -t cifs //${server_ip}/export /mnt\n  3. client: dd if=/dev/zero of=/mnt/file bs=512 count=1000 oflag=direct\n  4. client: umount /mnt\n  5. client: sleep 1\n  6. client: modprobe -r cifs\n\nThe error message is as follows:\n\n  =============================================================================\n  BUG cifs_small_rq (Not tainted): Objects remaining on __kmem_cache_shutdown()\n  -----------------------------------------------------------------------------\n\n  Object 0x00000000d47521be @offset=14336\n  ...\n  WARNING: mm/slub.c:1251 at __kmem_cache_shutdown+0x34e/0x440, CPU#0: modprobe/1577\n  ...\n  Call Trace:\n   \u003cTASK\u003e\n   kmem_cache_destroy+0x94/0x190\n   cifs_destroy_request_bufs+0x3e/0x50 [cifs]\n   cleanup_module+0x4e/0x540 [cifs]\n   __se_sys_delete_module+0x278/0x400\n   __x64_sys_delete_module+0x5f/0x70\n   x64_sys_call+0x2299/0x2ff0\n   do_syscall_64+0x89/0x350\n   entry_SYSCALL_64_after_hwframe+0x76/0x7e\n  ...\n  kmem_cache_destroy cifs_small_rq: Slab cache still has objects when called from cifs_destroy_request_bufs+0x3e/0x50 [cifs]\n  WARNING: mm/slab_common.c:532 at kmem_cache_destroy+0x16b/0x190, CPU#0: modprobe/1577"
    },
    {
      "lang": "es",
      "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nsmb/cliente: corrige una fuga de memoria en smb2_open_file()\n\nReproductor:\n\n  1. servidor: los directorios se exportan de solo lectura\n  2. cliente: mount -t cifs //${server_ip}/export /mnt\n  3. cliente: dd if=/dev/zero of=/mnt/file bs=512 count=1000 oflag=direct\n  4. cliente: umount /mnt\n  5. cliente: sleep 1\n  6. cliente: modprobe -r cifs\n\nEl mensaje de error es el siguiente:\n\n  =============================================================================\n  BUG cifs_small_rq (No contaminado): Objetos restantes en __kmem_cache_shutdown()\n  -----------------------------------------------------------------------------\n\n  Object 0x00000000d47521be @offset=14336\n  ...\n  ADVERTENCIA: mm/slub.c:1251 en __kmem_cache_shutdown+0x34e/0x440, CPU#0: modprobe/1577\n  ...\n  Traza de Llamada:\n   \n   kmem_cache_destroy+0x94/0x190\n   cifs_destroy_request_bufs+0x3e/0x50 [cifs]\n   cleanup_module+0x4e/0x540 [cifs]\n   __se_sys_delete_module+0x278/0x400\n   __x64_sys_delete_module+0x5f/0x70\n   x64_sys_call+0x2299/0x2ff0\n   do_syscall_64+0x89/0x350\n   entry_SYSCALL_64_after_hwframe+0x76/0x7e\n  ...\n  kmem_cache_destroy cifs_small_rq: La cach\u00e9 de slab a\u00fan tiene objetos cuando se llama desde cifs_destroy_request_bufs+0x3e/0x50 [cifs]\n  ADVERTENCIA: mm/slab_common.c:532 en kmem_cache_destroy+0x16b/0x190, CPU#0: modprobe/1577"
    }
  ],
  "id": "CVE-2026-23205",
  "lastModified": "2026-03-18T17:10:59.223",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 5.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2026-02-14T17:15:58.403",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/3a6d6b332f92990958602c1e35ce0173e2dd62e9"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/743f70406264348c0830f38409eb6c40a42fb2db"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/9ee608a64e37cea5b4b13e436c559dd0fb2ad1b5"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/b64e3b5d8d759dd4333992e4ba4dadf9359952c8"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/e3a43633023e3cacaca60d4b8972d084a2b06236"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-401"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.