CVE-2026-23230
Published: 18 February 2026
Summary
CVE-2026-23230 is a high-severity vulnerability in the Linux kernel; its weakness class is unspecified. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210). The CVE ranks at the 12.1th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-6 (Configuration Settings).
Deeper analysis
CVE-2026-23230 is a race condition vulnerability in the Linux kernel's SMB client implementation. Three flags in struct cached_fid (is_open, has_lease, and on_list) are bitfields stored in the same byte but updated from different code paths that may run concurrently. A bitfield assignment compiles to a byte read-modify-write (RMW) operation, for example `orb $mask, addr` on x86_64, so updating one flag can restore stale values of the others. For example, one CPU might load the old byte value while another clears flags; the first CPU's RMW store then reintroduces the cleared bits.
The vulnerability has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating exploitation over the network with low complexity, no privileges required, but user interaction needed. A remote attacker could exploit this race in the SMB client to achieve high impacts on confidentiality, integrity, and availability, potentially through corrupted SMB file handle states during concurrent operations.
Mitigation involves applying kernel patches from the referenced stable commits, which resolve the issue by converting the shared bitfields to separate bool fields in struct cached_fid, eliminating the RMW races. Relevant commits include 3eaa22d688311c708b73f3c68bc6d0c8e3f0f77a, 4386f6af8aaedd0c5ad6f659b40cadcc8f423828, 4cfa4c37dcbcfd70866e856200ed8a2894cac578, 569fecc56bfe4df66f05734d67daef887746656b, and c4b9edd55987384a1f201d3d07ff71e448d79c1b. Security practitioners should ensure that systems using the SMB client are updated to kernels incorporating these fixes.
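The interleaving described above, replayed deterministically against the shared-byte layout and against the separate-bool layout. This is an added example, not code from the kernel or from the referenced commits; the struct and function names (fid_bitfield, fid_bools, replay_bitfield, replay_bools) are hypothetical stand-ins, and the byte read-modify-write is written out by hand instead of relying on a real two-thread race.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-ins, not the kernel's struct cached_fid definition. */
struct fid_bitfield { bool has_lease:1; bool is_open:1; bool on_list:1; };
struct fid_bools    { bool has_lease;   bool is_open;   bool on_list;   };

/* Replays the interleaving sequentially, with the byte RMW that a
 * bitfield assignment compiles to written out by hand. */
static struct fid_bitfield replay_bitfield(void)
{
    struct fid_bitfield f = { .has_lease = 1, .on_list = 1 };
    struct fid_bitfield open_only = { .is_open = 1 };
    unsigned char old, mask;

    memcpy(&mask, &open_only, 1);    /* byte mask for is_open */
    memcpy(&old, &f, 1);             /* CPU1: load old byte */
    f.has_lease = 0;                 /* CPU2: clear both flags */
    f.on_list = 0;
    old |= mask;                     /* CPU1: old | IS_OPEN */
    memcpy(&f, &old, 1);             /* CPU1: store the whole byte */
    return f;
}

/* Same schedule after the fix: each flag has its own byte. */
static struct fid_bools replay_bools(void)
{
    struct fid_bools f = { .has_lease = true, .on_list = true };
    bool old = f.is_open;            /* CPU1: load covers is_open only */

    f.has_lease = false;             /* CPU2: clear both flags */
    f.on_list = false;
    f.is_open = old | true;          /* CPU1: store touches is_open only */
    return f;
}

int main(void)
{
    struct fid_bitfield b = replay_bitfield();
    struct fid_bools s = replay_bools();

    printf("bitfield: has_lease=%d is_open=%d on_list=%d\n",
           b.has_lease, b.is_open, b.on_list);
    printf("bools:    has_lease=%d is_open=%d on_list=%d\n",
           s.has_lease, s.is_open, s.on_list);
    return 0;
}
```

In the bitfield layout the flags CPU2 cleared come back set; with separate bool fields they stay cleared.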
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-7671
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved:
smb: client: split cached_fid bitfields to avoid shared-byte RMW races
is_open, has_lease and on_list are stored in the same bitfield byte in struct cached_fid but are updated in different code paths that may run concurrently. Bitfield assignments generate byte read–modify–write operations (e.g. `orb $mask, addr` on x86_64), so updating one flag can restore stale values of the others.
A possible interleaving is:
CPU1: load old byte (has_lease=1, on_list=1)
CPU2: clear both flags (store 0)
CPU1: RMW store (old | IS_OPEN) -> reintroduces cleared bits
To avoid this class of races, convert these flags to separate bool fields.
Related Threats
MITRE ATT&CK Enterprise Techniques AI
Why these techniques?
Race condition in SMB client enables remote exploitation via malicious SMB server/share, leading to state corruption and high impact.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires identification, reporting, and correction of flaws, mandating application of the kernel patches that convert shared bitfields to separate bools to eliminate the RMW race condition in the SMB client.
Provides vulnerability scanning and monitoring to identify this high-CVSS kernel SMB client race condition and initiate timely remediation.
Enforces secure configuration settings for the kernel, including baseline versions incorporating the fixes for the cached_fid bitfield races.