LiveActive security incident?Get immediate response
CVE Record

CVE-2023-54258: cifs: fix potential oops in cifs_oplock_break

In the Linux kernel, the following vulnerability has been resolved: cifs: fix potential oops in cifs_oplock_break With deferred close we can have closes that race with lease breaks, and so with the current checks for whether to send the lease response, oplock_response(), this can mean that an unmount (kill_sb) can occur just before we were checking if the tcon->ses is valid. See below: [Fri Aug 4 04:12:50 2023] RIP: 0010:cifs_oplock_break+0x1f7/0x5b0 [cifs] [Fri Aug 4 04:12:50 2023] Code: 7d a8 48 8b 7d c0 c0 e9 02 48 89 45 b8 41 89 cf e8 3e f5 ff ff 4c 89 f7 41 83 e7 01 e8 82 b3 03 f2 49 8b 45 50 48 85 c0 74 5e <48> 83 78 60 00 74 57 45 84 ff 75 52 48 8b 43 98 48 83 eb 68 48 39 [Fri Aug 4 04:12:50 2023] RSP: 0018:ffffb30607ddbdf8 EFLAGS: 00010206 [Fri Aug 4 04:12:50 2023] RAX: 632d223d32612022 RBX: ffff97136944b1e0 RCX: 0000000080100009 [Fri Aug 4 04:12:50 2023] RDX: 0000000000000001 RSI: 0000000080100009 RDI: ffff97136944b188 [Fri Aug 4 04:12:50 2023] RBP: ffffb30607ddbe58 R08: 0000000000000001 R09: ffffffffc08e0900 [Fri Aug 4 04:12:50 2023] R10: 0000000000000001 R11: 000000000000000f R12: ffff97136944b138 [Fri Aug 4 04:12:50 2023] R13: ffff97149147c000 R14: ffff97136944b188 R15: 0000000000000000 [Fri Aug 4 04:12:50 2023] FS: 0000000000000000(0000) GS:ffff9714f7c00000(0000) knlGS:0000000000000000 [Fri Aug 4 04:12:50 2023] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [Fri Aug 4 04:12:50 2023] CR2: 00007fd8de9c7590 CR3: 000000011228e000 CR4: 0000000000350ef0 [Fri Aug 4 04:12:50 2023] Call Trace: [Fri Aug 4 04:12:50 2023] <TASK> [Fri Aug 4 04:12:50 2023] process_one_work+0x225/0x3d0 [Fri Aug 4 04:12:50 2023] worker_thread+0x4d/0x3e0 [Fri Aug 4 04:12:50 2023] ? process_one_work+0x3d0/0x3d0 [Fri Aug 4 04:12:50 2023] kthread+0x12a/0x150 [Fri Aug 4 04:12:50 2023] ? set_kthread_struct+0x50/0x50 [Fri Aug 4 04:12:50 2023] ret_from_fork+0x22/0x30 [Fri Aug 4 04:12:50 2023] </TASK> To fix this change the ordering of the checks before sending the oplock_response to first check if the openFileList is empty.

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysisunknown

Security readout for executives and security teams

Plain-English summary

This is a Linux kernel CIFS/SMB client bug that can trigger a kernel oops during a race between closing SMB files, lease breaks, and unmounting. The practical concern is availability: affected systems using CIFS mounts could crash or become unstable. The sources do not provide CVSS, broad distro mapping, or exploitation evidence.

Executive priority

Treat this as a targeted availability risk for Linux systems using CIFS mounts, not as a confirmed internet-wide emergency. Patch through normal kernel maintenance, with higher priority for file-sharing, backup, virtualization, and application hosts dependent on SMB shares.

Technical view

The vulnerable path is cifs_oplock_break. Deferred close can race with lease-break handling and unmount teardown, leaving tcon->ses validity checks reached in an unsafe order before oplock_response. The fix reorders checks so the openFileList is checked before sending the lease response. Stable kernel commits are referenced as fixes.

Likely exposure

Exposure is most relevant to Linux systems that mount SMB/CIFS shares using the kernel CIFS client. Exact affected distribution packages and kernel ranges are not fully established in the provided sources, so teams should map vendor kernels to the cited stable fixes.

Exploitation context

CISA KEV status is false in the provided bundle, and no cited source reports active exploitation. The source material describes a race condition causing a kernel oops, not a public exploit chain or privilege escalation path.

Researcher notes

The evidence supports a race-triggered kernel oops in CIFS lease-break handling. The bundle lacks CVSS, CWE, distro-specific affected ranges, and exploit reporting. Research should focus on mapping downstream backports, reproducing the oops safely in test environments, and confirming fixed commit presence.

Mitigation direction

  • Apply vendor kernel updates containing the referenced CIFS stable fixes.
  • Check Linux distribution advisories for backported fixes and affected package versions.
  • Prioritize hosts that rely on CIFS mounts for critical workloads.
  • Reboot into the fixed kernel after patching where required by vendor guidance.
  • Avoid treating SMB service configuration changes as a substitute for the kernel fix.

Validation and detection

  • Inventory Linux hosts using CIFS or SMB kernel mounts.
  • Record running kernel versions and vendor package release levels.
  • Compare installed kernels against vendor advisories and cited stable commits.
  • Review kernel logs for cifs_oplock_break oops events.
  • Regression-test representative CIFS mount, close, lease-break, and unmount workflows.
Prepared
Confidence
medium
Sources
6

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2023-54258 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
0ADP providers
5Source links

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinux63fb45ddc491895c4b36664e0c2c3b548545ae93, 1bf709b9625001eefdd41048c5f4c7544ee33394, 3b4c15171c3ce9120c81f5564b9367d8d0f4219c, da787d5b74983f7525d1eb4b9c0b4aff2821511a, cff7fb969edaeff2bc80c8a8f7cf7b0c8df32da7, 6.3.13unaffected
LinuxLinux5.15.121, 6.1.39, 6.4.4unaffected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.