CVE-2026-23230

High · Updated

Published: 18 February 2026
Modified: 02 June 2026
CVSS v3.1 score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS score: 0.0022 (12.1th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-23230 is a high-severity vulnerability of unspecified weakness type in the Linux kernel. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210). The CVE ranks at the 12.1th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-6 (Configuration Settings).

Deeper analysis

CVE-2026-23230 is a race condition vulnerability in the Linux kernel's SMB client implementation. Three bitfields in struct cached_fid (is_open, has_lease, and on_list) are stored in the same byte but are updated from different code paths that may run concurrently. Bitfield assignments compile to byte read-modify-write (RMW) operations (for example `orb $mask, addr` on x86_64), so updating one flag can restore stale values of the others. For example, one CPU might load an old byte value while another clears flags, and the first CPU's RMW store then reintroduces the cleared bits.

The vulnerability has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating exploitation over the network with low complexity, no privileges required, but user interaction needed. A remote attacker could exploit this race in the SMB client to achieve high impacts on confidentiality, integrity, and availability, potentially through corrupted SMB file handle states during concurrent operations.

Mitigation involves applying kernel patches from the referenced stable commits, which resolve the issue by converting the shared bitfields to separate bool fields in struct cached_fid, eliminating the RMW races. Relevant commits include 3eaa22d688311c708b73f3c68bc6d0c8e3f0f77a, 4386f6af8aaedd0c5ad6f659b40cadcc8f423828, 4cfa4c37dcbcfd70866e856200ed8a2894cac578, 569fecc56bfe4df66f05734d67daef887746656b, and c4b9edd55987384a1f201d3d07ff71e448d79c1b. Security practitioners should ensure systems with SMB client usage update to kernels incorporating these fixes.
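The interleaving and the fix described above, replayed deterministically in a single thread as an added example (not code from the kernel or from the referenced commits). The two structs are simplified stand-ins for the three flags, and CPU1's byte load and store are modelled as an explicit copy to and from a local variable.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified stand-ins for the three flags named above;
 * this is not the kernel's struct cached_fid. */
struct flags_bitfield { bool is_open:1, has_lease:1, on_list:1; }; /* one shared byte */
struct flags_split    { bool is_open, has_lease, on_list; };       /* one byte each   */

/* Pack flags for comparison: bit0=is_open, bit1=has_lease, bit2=on_list. */
static unsigned pack(bool is_open, bool has_lease, bool on_list)
{
    return (unsigned)is_open | ((unsigned)has_lease << 1) | ((unsigned)on_list << 2);
}

/* Before the fix: setting is_open is a load/modify/store of the whole byte. */
static unsigned replay_bitfield(void)
{
    struct flags_bitfield shared = { .is_open = 0, .has_lease = 1, .on_list = 1 };
    struct flags_bitfield reg = shared;  /* CPU1: load old byte              */
    shared.has_lease = 0;                /* CPU2: clear both flags ...       */
    shared.on_list = 0;                  /*       ... in shared memory       */
    reg.is_open = 1;                     /* CPU1: modify its stale copy      */
    shared = reg;                        /* CPU1: store the whole byte back  */
    return pack(shared.is_open, shared.has_lease, shared.on_list);
}

/* After the fix: each flag is its own memory location, so CPU1's store
 * writes only is_open and never reads or rewrites its neighbours. */
static unsigned replay_split(void)
{
    struct flags_split shared = { .is_open = false, .has_lease = true, .on_list = true };
    shared.has_lease = false;            /* CPU2: clear both flags           */
    shared.on_list = false;
    shared.is_open = true;               /* CPU1: plain store to its own byte */
    return pack(shared.is_open, shared.has_lease, shared.on_list);
}

int main(void)
{
    printf("bitfield: %zu byte(s), final flags 0x%x\n",
           sizeof(struct flags_bitfield), replay_bitfield());
    printf("split:    %zu byte(s), final flags 0x%x\n",
           sizeof(struct flags_split), replay_split());
    return 0;
}
```

In the bitfield replay the has_lease and on_list bits that CPU2 cleared come back set; in the split replay they stay cleared.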

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved:

smb: client: split cached_fid bitfields to avoid shared-byte RMW races

is_open, has_lease and on_list are stored in the same bitfield byte in struct cached_fid but are updated in different code paths that may run concurrently. Bitfield assignments generate byte read–modify–write operations (e.g. `orb $mask, addr` on x86_64), so updating one flag can restore stale values of the others.

A possible interleaving is:

    CPU1: load old byte (has_lease=1, on_list=1)
    CPU2: clear both flags (store 0)
    CPU1: RMW store (old | IS_OPEN) -> reintroduces cleared bits

To avoid this class of races, convert these flags to separate bool fields.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1210 Exploitation of Remote Services (Lateral Movement)
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.

T1021.002 SMB/Windows Admin Shares (Lateral Movement)
Adversaries may use [Valid Accounts](https://attack.

Why these techniques?

Race condition in SMB client enables remote exploitation via malicious SMB server/share, leading to state corruption and high impact.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-43018 (same product: Linux Linux Kernel)
CVE-2024-58087 (same product: Linux Linux Kernel)
CVE-2026-31392 (same product: Linux Linux Kernel)
CVE-2026-43011 (same product: Linux Linux Kernel)
CVE-2026-31717 (same product: Linux Linux Kernel)
CVE-2026-23457 (same product: Linux Linux Kernel)
CVE-2026-23461 (same product: Linux Linux Kernel)
CVE-2026-23193 (same product: Linux Linux Kernel)
CVE-2026-31536 (same product: Linux Linux Kernel)
CVE-2026-31432 (same product: Linux Linux Kernel)

Affected Assets

linux
linux kernel
6.1 — 6.1.164 · 6.2 — 6.6.125 · 6.7 — 6.12.72

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

prevent

Directly requires identification, reporting, and correction of flaws, mandating application of the kernel patches that convert shared bitfields to separate bools to eliminate the RMW race condition in the SMB client.

prevent · detect

Provides vulnerability scanning and monitoring to identify this high-CVSS kernel SMB client race condition and initiate timely remediation.

prevent

Enforces secure configuration settings for the kernel, including baseline versions incorporating the fixes for the cached_fid bitfield races.
