CVE-2026-23205 Overview
CVE-2026-23205 is a Memory Leak vulnerability in the Linux kernel's SMB client implementation, specifically within the smb2_open_file() function. This flaw occurs when attempting file operations on read-only exported directories via CIFS mounts, leading to memory objects remaining allocated in the cifs_small_rq slab cache even after the CIFS module is unloaded.
The vulnerability manifests during a specific sequence of operations: mounting a CIFS share with read-only directories, attempting direct I/O write operations, unmounting, and then unloading the CIFS kernel module. This results in kernel warnings about objects remaining in the slab cache during __kmem_cache_shutdown(), indicating improper memory cleanup.
Critical Impact
Memory leak in the Linux kernel CIFS/SMB client can lead to kernel memory exhaustion over time on systems that frequently mount/unmount CIFS shares, potentially causing system instability or denial of service conditions.
Affected Products
- Linux kernel with CIFS/SMB client support enabled
- Systems using mount -t cifs for network file system access
- Linux distributions with SMB2/SMB3 protocol support in the kernel
Discovery Timeline
- 2026-02-14 - CVE CVE-2026-23205 published to NVD
- 2026-02-18 - Last updated in NVD database
Technical Details for CVE-2026-23205
Vulnerability Analysis
The vulnerability resides in the smb2_open_file() function within the Linux kernel's CIFS client subsystem. When a client attempts to perform write operations (such as direct I/O with dd) to a directory that is exported as read-only from the server, the function allocates memory from the cifs_small_rq kmem cache but fails to properly release these allocations under certain error conditions.
The memory leak becomes evident during module unload, where the kernel's slab allocator detects objects still present in the cifs_small_rq cache. This triggers a BUG warning from __kmem_cache_shutdown() followed by additional warnings from kmem_cache_destroy() in cifs_destroy_request_bufs().
The issue affects systems that:
- Mount CIFS/SMB shares containing read-only directories
- Attempt write operations that fail due to permission restrictions
- Subsequently unmount and unload the CIFS kernel module
Root Cause
The root cause is improper error handling in the smb2_open_file() function. When a file open operation fails (such as when attempting to create a file on a read-only share), the code path does not properly free all allocated request buffers before returning the error. This leaves orphaned objects in the cifs_small_rq slab cache, which persists even after the mount is released.
The specific issue is in the cleanup path where SMB2 request buffers allocated for the open operation are not deallocated when the operation fails due to server-side permission errors.
Attack Vector
The vulnerability can be triggered through normal filesystem operations when CIFS mounts are used with read-only exports. The attack vector involves:
- Establishing a CIFS mount to a server with read-only exported directories
- Attempting direct I/O write operations to the mounted filesystem
- Unmounting the CIFS share
- Unloading the CIFS kernel module
While this is primarily a local vulnerability requiring filesystem access, the memory leak could be exploited to cause denial of service by repeatedly triggering the leak condition without module unloads, gradually exhausting kernel memory.
The vulnerability mechanism involves the following sequence as documented in the kernel bug report:
- Server exports directories as read-only
- Client mounts the share using mount -t cifs //${server_ip}/export /mnt
- Write operation attempted: dd if=/dev/zero of=/mnt/file bs=512 count=1000 oflag=direct
- Client unmounts: umount /mnt
- Module removal attempted: modprobe -r cifs
At step 5, the kernel reports slab cache objects remaining, with the call trace showing the leak originates from cifs_destroy_request_bufs() during cleanup_module().
Detection Methods for CVE-2026-23205
Indicators of Compromise
- Kernel warning messages containing BUG cifs_small_rq and Objects remaining on __kmem_cache_shutdown()
- Warnings in system logs from mm/slub.c related to __kmem_cache_shutdown
- Error messages stating kmem_cache_destroy cifs_small_rq: Slab cache still has objects
- Increasing memory consumption in systems with frequent CIFS mount/unmount cycles
Detection Strategies
- Monitor kernel logs (dmesg, /var/log/kern.log) for slab cache warnings related to cifs_small_rq
- Track memory allocation patterns in the CIFS subsystem using kernel memory debugging tools
- Implement alerting on WARNING messages from mm/slab_common.c during module unload operations
- Use kernel memory leak detection tools like kmemleak to identify unreleased allocations in CIFS operations
Monitoring Recommendations
- Enable kernel memory debugging options (CONFIG_DEBUG_SLAB, CONFIG_SLUB_DEBUG) in non-production environments to detect leaks early
- Monitor /proc/slabinfo for abnormal growth in cifs_small_rq slab usage
- Implement log aggregation rules to alert on CIFS-related kernel warnings
- Track system memory utilization on servers with heavy CIFS client usage
How to Mitigate CVE-2026-23205
Immediate Actions Required
- Apply the kernel patches from the official Linux kernel git repository
- Update to a patched kernel version containing the fix
- On systems where immediate patching is not possible, avoid frequent CIFS module unload operations
- Monitor affected systems for memory exhaustion symptoms
Patch Information
The Linux kernel maintainers have released patches to address this memory leak vulnerability. The fix ensures proper cleanup of allocated request buffers in the smb2_open_file() function error paths. Multiple commits have been applied to various stable kernel branches:
- Kernel Git Commit #3a6d6b3
- Kernel Git Commit #743f704
- Kernel Git Commit #9ee608a
- Kernel Git Commit #b64e3b5
- Kernel Git Commit #e3a4363
Administrators should update to kernel versions containing these patches through their distribution's package management system.
Workarounds
- Avoid unloading the CIFS kernel module on production systems until patched
- Minimize direct I/O write operations to read-only CIFS mounts
- Use persistent CIFS mounts rather than frequent mount/unmount cycles
- Monitor memory usage and schedule periodic reboots if memory pressure becomes critical
# Check current kernel version
uname -r
# Check if CIFS module is loaded
lsmod | grep cifs
# Monitor slab cache usage for cifs_small_rq
cat /proc/slabinfo | grep cifs_small_rq
# Update kernel on Debian/Ubuntu systems
sudo apt update && sudo apt upgrade linux-image-$(uname -r)
# Update kernel on RHEL/CentOS systems
sudo yum update kernel
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
