CVE-2026-23205 in Linux
Summary
by MITRE • 02/14/2026
In the Linux kernel, the following vulnerability has been resolved:
smb/client: fix memory leak in smb2_open_file()
Reproducer:
1. server: directories are exported read-only 2. client: mount -t cifs //${server_ip}/export /mnt
3. client: dd if=/dev/zero of=/mnt/file bs=512 count=1000 oflag=direct 4. client: umount /mnt 5. client: sleep 1 6. client: modprobe -r cifs
The error message is as follows:
============================================================================= BUG cifs_small_rq (Not tainted): Objects remaining on __kmem_cache_shutdown() -----------------------------------------------------------------------------
Object 0x00000000d47521be @offset=14336 ... WARNING: mm/slub.c:1251 at __kmem_cache_shutdown+0x34e/0x440, CPU#0: modprobe/1577 ... Call Trace: <TASK> kmem_cache_destroy+0x94/0x190 cifs_destroy_request_bufs+0x3e/0x50 [cifs]
cleanup_module+0x4e/0x540 [cifs]
__se_sys_delete_module+0x278/0x400 __x64_sys_delete_module+0x5f/0x70 x64_sys_call+0x2299/0x2ff0 do_syscall_64+0x89/0x350 entry_SYSCALL_64_after_hwframe+0x76/0x7e ... kmem_cache_destroy cifs_small_rq: Slab cache still has objects when called from cifs_destroy_request_bufs+0x3e/0x50 [cifs]
WARNING: mm/slab_common.c:532 at kmem_cache_destroy+0x16b/0x190, CPU#0: modprobe/1577
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 05/24/2026
The vulnerability CVE-2026-23205 represents a memory leak within the Linux kernel's CIFS (Common Internet File System) client implementation, specifically in the smb2_open_file() function. This issue manifests as a failure in proper memory deallocation when the cifs kernel module is unloaded, resulting in objects remaining in the SLUB memory allocator even after the module has been removed. The problem occurs during the normal operation of mounting CIFS shares and performing direct I/O operations, making it particularly concerning for systems that frequently mount and unmount CIFS resources.
The technical flaw stems from improper memory management within the CIFS client subsystem where allocated memory buffers are not correctly freed when the module is unloaded. The error message indicates that objects remain in the cifs_small_rq slab cache during module cleanup, which directly violates kernel memory management principles and can lead to resource exhaustion over time. This memory leak is triggered by the sequence of operations involving mounting a read-only CIFS share, performing direct I/O operations with dd command, unmounting the filesystem, and then removing the cifs module. The root cause lies in the cleanup routine cifs_destroy_request_bufs() which fails to properly release all allocated memory structures before the kernel attempts to destroy the memory caches.
The operational impact of this vulnerability extends beyond simple memory consumption, as it can lead to system instability and performance degradation in environments that frequently interact with CIFS shares. When the cifs module is repeatedly loaded and unloaded, the accumulation of leaked memory can eventually cause memory pressure that affects overall system performance. The vulnerability is particularly dangerous in server environments where CIFS mounts are common and automated processes may repeatedly mount and unmount shares. This type of memory leak can also contribute to system crashes or unexpected behavior when the kernel's memory management subsystem becomes overwhelmed by unreleased memory objects. The issue aligns with CWE-401: Improper Release of Memory and can be categorized under ATT&CK technique T1490: Inhibit System Recovery, as it can lead to resource exhaustion that impacts system availability.
Mitigation strategies for this vulnerability include applying the kernel patch that resolves the memory leak in the smb2_open_file() function, ensuring all CIFS operations properly clean up allocated resources before module unloading, and monitoring for memory leaks in production environments. System administrators should avoid frequent loading and unloading of the cifs module when possible, and implement proper resource management practices. The fix typically involves ensuring that all allocated memory buffers are properly freed in the cleanup path of the module, particularly those associated with the cifs_small_rq cache. Organizations should also consider implementing automated monitoring for memory leaks in kernel modules and establish procedures for timely kernel updates to address such vulnerabilities. Additionally, the vulnerability demonstrates the importance of proper memory management in kernel space and the need for thorough testing of module cleanup routines, especially in network filesystem implementations that handle complex I/O operations.