CVE-2023-54258: cifs: fix potential oops in cifs_oplock_break
In the Linux kernel, the following vulnerability has been resolved:
cifs: fix potential oops in cifs_oplock_break
With deferred close we can have closes that race with lease breaks,
and so with the current checks for whether to send the lease response,
oplock_response(), this can mean that an unmount (kill_sb) can occur
just before we were checking if the tcon->ses is valid. See below:
[Fri Aug 4 04:12:50 2023] RIP: 0010:cifs_oplock_break+0x1f7/0x5b0 [cifs]
[Fri Aug 4 04:12:50 2023] Code: 7d a8 48 8b 7d c0 c0 e9 02 48 89 45 b8 41 89 cf e8 3e f5 ff ff 4c 89 f7 41 83 e7 01 e8 82 b3 03 f2 49 8b 45 50 48 85 c0 74 5e <48> 83 78 60 00 74 57 45 84 ff 75 52 48 8b 43 98 48 83 eb 68 48 39
[Fri Aug 4 04:12:50 2023] RSP: 0018:ffffb30607ddbdf8 EFLAGS: 00010206
[Fri Aug 4 04:12:50 2023] RAX: 632d223d32612022 RBX: ffff97136944b1e0 RCX: 0000000080100009
[Fri Aug 4 04:12:50 2023] RDX: 0000000000000001 RSI: 0000000080100009 RDI: ffff97136944b188
[Fri Aug 4 04:12:50 2023] RBP: ffffb30607ddbe58 R08: 0000000000000001 R09: ffffffffc08e0900
[Fri Aug 4 04:12:50 2023] R10: 0000000000000001 R11: 000000000000000f R12: ffff97136944b138
[Fri Aug 4 04:12:50 2023] R13: ffff97149147c000 R14: ffff97136944b188 R15: 0000000000000000
[Fri Aug 4 04:12:50 2023] FS: 0000000000000000(0000) GS:ffff9714f7c00000(0000) knlGS:0000000000000000
[Fri Aug 4 04:12:50 2023] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[Fri Aug 4 04:12:50 2023] CR2: 00007fd8de9c7590 CR3: 000000011228e000 CR4: 0000000000350ef0
[Fri Aug 4 04:12:50 2023] Call Trace:
[Fri Aug 4 04:12:50 2023] <TASK>
[Fri Aug 4 04:12:50 2023] process_one_work+0x225/0x3d0
[Fri Aug 4 04:12:50 2023] worker_thread+0x4d/0x3e0
[Fri Aug 4 04:12:50 2023] ? process_one_work+0x3d0/0x3d0
[Fri Aug 4 04:12:50 2023] kthread+0x12a/0x150
[Fri Aug 4 04:12:50 2023] ? set_kthread_struct+0x50/0x50
[Fri Aug 4 04:12:50 2023] ret_from_fork+0x22/0x30
[Fri Aug 4 04:12:50 2023] </TASK>
To fix this change the ordering of the checks before sending the oplock_response
to first check if the openFileList is empty.
Security readout for executives and security teams
Plain-English summary
This is a Linux kernel CIFS/SMB client bug that can trigger a kernel oops during a race between closing SMB files, lease breaks, and unmounting. The practical concern is availability: affected systems using CIFS mounts could crash or become unstable. The sources do not provide CVSS, broad distro mapping, or exploitation evidence.
Executive priority
Treat this as a targeted availability risk for Linux systems using CIFS mounts, not as a confirmed internet-wide emergency. Patch through normal kernel maintenance, with higher priority for file-sharing, backup, virtualization, and application hosts dependent on SMB shares.
Technical view
The vulnerable path is cifs_oplock_break. Deferred close can race with lease-break handling and unmount teardown, leaving tcon->ses validity checks reached in an unsafe order before oplock_response. The fix reorders checks so the openFileList is checked before sending the lease response. Stable kernel commits are referenced as fixes.
Likely exposure
Exposure is most relevant to Linux systems that mount SMB/CIFS shares using the kernel CIFS client. Exact affected distribution packages and kernel ranges are not fully established in the provided sources, so teams should map vendor kernels to the cited stable fixes.
Exploitation context
CISA KEV status is false in the provided bundle, and no cited source reports active exploitation. The source material describes a race condition causing a kernel oops, not a public exploit chain or privilege escalation path.
Researcher notes
The evidence supports a race-triggered kernel oops in CIFS lease-break handling. The bundle lacks CVSS, CWE, distro-specific affected ranges, and exploit reporting. Research should focus on mapping downstream backports, reproducing the oops safely in test environments, and confirming fixed commit presence.
Mitigation direction
Apply vendor kernel updates containing the referenced CIFS stable fixes.
Check Linux distribution advisories for backported fixes and affected package versions.
Prioritize hosts that rely on CIFS mounts for critical workloads.
Reboot into the fixed kernel after patching where required by vendor guidance.
Avoid treating SMB service configuration changes as a substitute for the kernel fix.
Validation and detection
Inventory Linux hosts using CIFS or SMB kernel mounts.
Record running kernel versions and vendor package release levels.
Compare installed kernels against vendor advisories and cited stable commits.
Review kernel logs for cifs_oplock_break oops events.
Regression-test representative CIFS mount, close, lease-break, and unmount workflows.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2023-54258 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
0CVSS vectors
3Timeline events
0ADP providers
5Source links
Vulnerability timeline
Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.
CVE reservedCVE Program
The CVE ID was reserved by the assigning CNA.
CVE publishedCVE Program
The CVE record was published.
Dec 30, 2025, 12:15 UTC (UTC+00:00)
CVE updatedCVE Program
The CVE record metadata indicates this as the latest update time.