Linux Kernel SMB Client RMW Race via Shared Bitfield
CVE-2026-23230 Published on February 18, 2026
smb: client: split cached_fid bitfields to avoid shared-byte RMW races
In the Linux kernel, the following vulnerability has been resolved:
smb: client: split cached_fid bitfields to avoid shared-byte RMW races
is_open, has_lease and on_list are stored in the same bitfield byte in
struct cached_fid but are updated in different code paths that may run
concurrently. Bitfield assignments generate byte readmodifywrite
operations (e.g. `orb $mask, addr` on x86_64), so updating one flag can
restore stale values of the others.
A possible interleaving is:
CPU1: load old byte (has_lease=1, on_list=1)
CPU2: clear both flags (store 0)
CPU1: RMW store (old | IS_OPEN) -> reintroduces cleared bits
To avoid this class of races, convert these flags to separate bool
fields.
Products Associated with CVE-2026-23230
You can be notified by email with stack.watch whenever vulnerabilities like CVE-2026-23230 are published in Linux Kernel:
Affected Versions
Linux:- Version 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and below 569fecc56bfe4df66f05734d67daef887746656b is affected.
- Version 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and below 4386f6af8aaedd0c5ad6f659b40cadcc8f423828 is affected.
- Version 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and below 3eaa22d688311c708b73f3c68bc6d0c8e3f0f77a is affected.
- Version 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and below c4b9edd55987384a1f201d3d07ff71e448d79c1b is affected.
- Version 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and below 4cfa4c37dcbcfd70866e856200ed8a2894cac578 is affected.
- Version 6.1.164, <= 6.1.* is unaffected.
- Version 6.6.125, <= 6.6.* is unaffected.
- Version 6.12.72, <= 6.12.* is unaffected.
- Version 6.18.11, <= 6.18.* is unaffected.
- Version 6.19.1, <= 6.19.* is unaffected.