CVE-2023-53597: cifs: fix mid leak during reconnection after timeout threshold
In the Linux kernel, the following vulnerability has been resolved:
cifs: fix mid leak during reconnection after timeout threshold
When the number of responses with status of STATUS_IO_TIMEOUT
exceeds a specified threshold (NUM_STATUS_IO_TIMEOUT), we reconnect
the connection. But we do not return the mid, or the credits
returned for the mid, or reduce the number of in-flight requests.
This bug could result in the server->in_flight count to go bad,
and also cause a leak in the mids.
This change moves the check to a few lines below where the
response is decrypted, even of the response is read from the
transform header. This way, the code for returning the mids
can be reused.
Also, the cifs_reconnect was reconnecting just the transport
connection before. In case of multi-channel, this may not be
what we want to do after several timeouts. Changed that to
reconnect the session and the tree too.
Also renamed NUM_STATUS_IO_TIMEOUT to a more appropriate name
MAX_STATUS_IO_TIMEOUT.
Security readout for executives and security teams
Plain-English summary
CVE-2023-53597 is a Linux kernel CIFS client bug. After repeated SMB/CIFS I/O timeouts, reconnection handling may fail to return request tracking objects and credits, causing counters and memory state to drift. The business impact is likely availability or stability risk on Linux systems using CIFS mounts.
Executive priority
Treat as a targeted stability issue, not a confirmed emergency. Prioritize patch validation for Linux servers or appliances that depend on CIFS storage, because sustained timeout conditions could degrade service reliability.
Technical view
The flaw is in Linux CIFS response handling during timeout-driven reconnection. The source says mids, credits, and in-flight request accounting were not returned correctly after STATUS_IO_TIMEOUT thresholds, causing mid leaks and bad server->in_flight counts. Stable kernel commits adjust the timeout check and reconnect session/tree handling.
Likely exposure
Exposure appears limited to Linux systems using the CIFS/SMB client, especially hosts with CIFS mounts under timeout or reconnection conditions. The source lists Linux kernel versions/ranges including 5.10, 5.15.150, 6.1.42, 6.4.7, and 6.5 as affected, but distro backport status is not provided.
Exploitation context
The source bundle does not show active exploitation, public exploit availability, or KEV listing. It describes a resolved kernel bug triggered by repeated STATUS_IO_TIMEOUT responses. Evidence is insufficient to classify remote exploitability or attacker control beyond CIFS timeout/reconnection behavior.
Researcher notes
The key uncertainty is impact scope. The CVE text confirms accounting and mid leaks after timeout-threshold reconnection, but does not provide CVSS, CWE, attack prerequisites, or distribution-specific fixed versions. Validate against vendor backports rather than upstream version numbers alone.
Mitigation direction
Identify Linux hosts that use CIFS or SMB client mounts.
Check your Linux distribution advisory for CVE-2023-53597 backport status.
Update affected kernels to builds containing the referenced stable fixes.
Prioritize systems with production CIFS mounts or recurring SMB timeout issues.
Validation and detection
Inventory kernel versions on systems using CIFS mounts.
Confirm vendor kernel packages include the stable CIFS fixes.
Review operational logs for repeated CIFS timeouts and reconnect activity.
Monitor affected hosts for resource leaks or abnormal CIFS client behavior.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2023-53597 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
0CVSS vectors
3Timeline events
0ADP providers
5Source links
Vulnerability timeline
Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.
CVE reservedCVE Program
The CVE ID was reserved by the assigning CNA.
CVE publishedCVE Program
The CVE record was published.
Oct 4, 2025, 15:44 UTC (UTC+00:00)
CVE updatedCVE Program
The CVE record metadata indicates this as the latest update time.