
CVE-2023-52751: Vulnerability in Linux (Linux kernel)

Severity: High
Type: Vulnerability
Tags: cve, cve-2023-52751
Published: Tue May 21 2024 (05/21/2024, 15:30:40 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

smb: client: fix use-after-free in smb2_query_info_compound()

The following UAF was triggered when running fstests generic/072 with KASAN enabled against Windows Server 2022 and mount options 'multichannel,max_channels=2,vers=3.1.1,mfsymlinks,noperm':

BUG: KASAN: slab-use-after-free in smb2_query_info_compound+0x423/0x6d0 [cifs]
Read of size 8 at addr ffff888014941048 by task xfs_io/27534

CPU: 0 PID: 27534 Comm: xfs_io Not tainted 6.6.0-rc7 #1
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014
Call Trace:
 dump_stack_lvl+0x4a/0x80
 print_report+0xcf/0x650
 ? srso_alias_return_thunk+0x5/0x7f
 ? srso_alias_return_thunk+0x5/0x7f
 ? __phys_addr+0x46/0x90
 kasan_report+0xda/0x110
 ? smb2_query_info_compound+0x423/0x6d0 [cifs]
 ? smb2_query_info_compound+0x423/0x6d0 [cifs]
 smb2_query_info_compound+0x423/0x6d0 [cifs]
 ? __pfx_smb2_query_info_compound+0x10/0x10 [cifs]
 ? srso_alias_return_thunk+0x5/0x7f
 ? __stack_depot_save+0x39/0x480
 ? kasan_save_stack+0x33/0x60
 ? kasan_set_track+0x25/0x30
 ? ____kasan_slab_free+0x126/0x170
 smb2_queryfs+0xc2/0x2c0 [cifs]
 ? __pfx_smb2_queryfs+0x10/0x10 [cifs]
 ? __pfx___lock_acquire+0x10/0x10
 smb311_queryfs+0x210/0x220 [cifs]
 ? __pfx_smb311_queryfs+0x10/0x10 [cifs]
 ? srso_alias_return_thunk+0x5/0x7f
 ? __lock_acquire+0x480/0x26c0
 ? lock_release+0x1ed/0x640
 ? srso_alias_return_thunk+0x5/0x7f
 ? do_raw_spin_unlock+0x9b/0x100
 cifs_statfs+0x18c/0x4b0 [cifs]
 statfs_by_dentry+0x9b/0xf0
 fd_statfs+0x4e/0xb0
 __do_sys_fstatfs+0x7f/0xe0
 ? __pfx___do_sys_fstatfs+0x10/0x10
 ? srso_alias_return_thunk+0x5/0x7f
 ? lockdep_hardirqs_on_prepare+0x136/0x200
 ? srso_alias_return_thunk+0x5/0x7f
 do_syscall_64+0x3f/0x90
 entry_SYSCALL_64_after_hwframe+0x6e/0xd8

Allocated by task 27534:
 kasan_save_stack+0x33/0x60
 kasan_set_track+0x25/0x30
 __kasan_kmalloc+0x8f/0xa0
 open_cached_dir+0x71b/0x1240 [cifs]
 smb2_query_info_compound+0x5c3/0x6d0 [cifs]
 smb2_queryfs+0xc2/0x2c0 [cifs]
 smb311_queryfs+0x210/0x220 [cifs]
 cifs_statfs+0x18c/0x4b0 [cifs]
 statfs_by_dentry+0x9b/0xf0
 fd_statfs+0x4e/0xb0
 __do_sys_fstatfs+0x7f/0xe0
 do_syscall_64+0x3f/0x90
 entry_SYSCALL_64_after_hwframe+0x6e/0xd8

Freed by task 27534:
 kasan_save_stack+0x33/0x60
 kasan_set_track+0x25/0x30
 kasan_save_free_info+0x2b/0x50
 ____kasan_slab_free+0x126/0x170
 slab_free_freelist_hook+0xd0/0x1e0
 __kmem_cache_free+0x9d/0x1b0
 open_cached_dir+0xff5/0x1240 [cifs]
 smb2_query_info_compound+0x5c3/0x6d0 [cifs]
 smb2_queryfs+0xc2/0x2c0 [cifs]

This is a race between open_cached_dir() and cached_dir_lease_break() where the cache entry for the open directory handle receives a lease break while creating it. And before returning from open_cached_dir(), we put the last reference of the new @cfid because of !@cfid->has_lease.

Besides the UAF, while running xfstests a lot of missed lease breaks have been noticed in tests that run several concurrent statfs(2) calls on those cached fids:

CIFS: VFS: \\w22-root1.gandalf.test No task to wake, unknown frame...
CIFS: VFS: \\w22-root1.gandalf.test Cmd: 18 Err: 0x0 Flags: 0x1...
CIFS: VFS: \\w22-root1.gandalf.test smb buf 00000000715bfe83 len 108
CIFS: VFS: Dump pending requests:
CIFS: VFS: \\w22-root1.gandalf.test No task to wake, unknown frame...
CIFS: VFS: \\w22-root1.gandalf.test Cmd: 18 Err: 0x0 Flags: 0x1...
CIFS: VFS: \\w22-root1.gandalf.test smb buf 000000005aa7316e len 108
...

To fix both, in open_cached_dir() ensure that @cfid->has_lease is set right before sending out the compounded request so that any potential lease break will get processed by the demultiplex thread while we're still caching @cfid. And, if the open failed for some reason, re-check @cfid->has_lease to decide whether or not to put the lease reference.

AI-Powered Analysis

Last updated: 07/01/2025, 06:25:40 UTC

Technical Analysis

CVE-2023-52751 is a use-after-free (UAF) vulnerability identified in the Linux kernel's CIFS (Common Internet File System) client implementation, specifically within the smb2_query_info_compound() function. This vulnerability arises due to a race condition between the open_cached_dir() and cached_dir_lease_break() functions. The issue manifests when the cache entry for an open directory handle receives a lease break while it is being created. Before open_cached_dir() returns, it may incorrectly release the last reference to the new cached file identifier (cfid) if the lease status (@cfid->has_lease) is not properly set, leading to a use-after-free condition.

This flaw was detected during testing with KASAN (Kernel Address Sanitizer) enabled, particularly when mounting Windows Server 2022 shares with specific mount options (multichannel, max_channels=2, SMB version 3.1.1, mfsymlinks, noperm). The kernel logs show slab-use-after-free errors triggered by concurrent statfs(2) system calls, indicating that multiple threads accessing cached directory handles can cause the vulnerability to surface. The root cause is that lease breaks can be missed or processed incorrectly due to improper synchronization and reference counting in the caching mechanism.

The fix involves ensuring that the lease flag (@cfid->has_lease) is set before sending compounded SMB requests, allowing the demultiplex thread to process any lease breaks while the cfid is still cached. Additionally, if the open operation fails, the code rechecks the lease status to decide whether to release the lease reference, preventing premature freeing of resources. This vulnerability affects Linux kernel versions containing the affected commit (1da177e4c3f41524e886b7f1b8a0c1fc7321cac2) and potentially other versions with similar CIFS client implementations. No known exploits are reported in the wild as of the publication date (May 21, 2024).
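The ownership rule behind the fix, as described in the commit message above and restated in the technical analysis, can be made concrete with a small reference-counting model. The following is an added illustration written for this page; it is not Linux kernel code and it simplifies the real open_cached_dir(): it assumes the cached handle starts with two references (one for the caller, one reserved for the server lease), that the server always grants a lease, and it models the pre-fix ordering only as far as the race the report describes (the flag set after the response, "!has_lease" misread as "no lease reference to keep"). The lease break is injected at a chosen point so each interleaving can be replayed deterministically.

```python
"""Reference-ownership model of the race fixed in CVE-2023-52751.

Constructed illustration, not Linux kernel code. A cached directory handle
(cfid) starts with two references: one for the caller of open_cached_dir()
and one reserved for the server lease. The lease-break handler (run by the
demultiplex thread) and open_cached_dir() race for that lease reference,
and exactly one of them may drop it. `has_lease` records who owns it.
"""
from dataclasses import dataclass
from typing import Callable, Optional


class UseAfterFree(Exception):
    """Any touch of a cfid whose refcount already reached zero."""


@dataclass
class CachedFid:
    refcount: int = 2          # caller reference + lease reference (assumption)
    has_lease: bool = False    # True while the lease reference is still held
    freed: bool = False
    missed_breaks: int = 0     # lease breaks that found nobody responsible

    def put(self) -> None:
        if self.freed:
            raise UseAfterFree("kref_put on freed cfid")
        self.refcount -= 1
        if self.refcount == 0:
            self.freed = True

    def use(self) -> None:
        if self.freed:
            raise UseAfterFree("read of freed cfid")


def lease_break(cfid: CachedFid) -> None:
    """Demultiplex-thread side: the break owns the lease reference only if
    has_lease is set; otherwise there is nothing for it to act on."""
    if cfid.has_lease:
        cfid.has_lease = False
        cfid.put()
    else:
        cfid.missed_breaks += 1


# A hook lets a scenario inject the lease break at a chosen point.
Hook = Callable[[str, CachedFid], None]


def open_unordered(cfid: CachedFid, at: Hook, open_ok: bool) -> Optional[CachedFid]:
    """Hypothetical pre-fix ordering: has_lease is only set once the open
    response has been parsed, and '!has_lease' is then taken to mean that
    the lease reference is not needed."""
    at("in_flight", cfid)          # request on the wire; has_lease still False
    if not open_ok:
        cfid.put()                 # lease reference was never used
        cfid.put()                 # caller reference
        return None
    cfid.has_lease = True          # response granted a lease
    at("after_response", cfid)     # a break landing here clears has_lease
    if not cfid.has_lease:         # misread as "no lease": dropped a second time
        cfid.put()
    return cfid                    # caller will now use this handle


def open_fixed(cfid: CachedFid, at: Hook, open_ok: bool) -> Optional[CachedFid]:
    """Ordering described by the fix: has_lease is set before the request is
    sent, so a break that arrives while it is in flight is processed, and on
    failure has_lease is re-checked before putting the lease reference."""
    cfid.has_lease = True          # lease reference now owned by the lease
    at("in_flight", cfid)
    at("after_response", cfid)
    if not open_ok:
        if cfid.has_lease:         # nobody has taken the lease reference yet
            cfid.has_lease = False
            cfid.put()
        cfid.put()                 # caller reference
        return None
    return cfid


def run(open_fn, break_at: Optional[str], open_ok: bool) -> dict:
    """Drive one interleaving and report what a KASAN-like checker would see."""
    cfid = CachedFid()

    def at(stage: str, c: CachedFid) -> None:
        if stage == break_at:
            lease_break(c)

    uaf = False
    try:
        handle = open_fn(cfid, at, open_ok)
        if handle is not None:
            handle.use()           # e.g. smb2_query_info_compound() reading it
            handle.put()           # caller done with the handle
    except UseAfterFree:
        uaf = True
    return {"uaf": uaf, "refcount": cfid.refcount,
            "freed": cfid.freed, "missed_breaks": cfid.missed_breaks}


if __name__ == "__main__":
    for fn in (open_unordered, open_fixed):
        for stage in (None, "in_flight", "after_response"):
            for ok in (True, False):
                print(fn.__name__, stage, ok, run(fn, stage, ok))
```

Replaying the interleavings shows the two symptoms the report lists: with the unordered version, a break that lands while the request is in flight is counted as missed, and a break that lands after the response makes both parties drop the lease reference, so the caller's first read is a use-after-free. With the fixed ordering no interleaving misses a break and the failure path's re-check keeps the second put from happening.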

Potential Impact

For European organizations, this vulnerability poses a significant risk in environments where Linux clients mount SMB shares from Windows servers or other SMB-compatible file servers, especially using CIFS with SMB 3.1.1 protocol. The use-after-free condition can lead to kernel crashes (denial of service) or potentially allow attackers to execute arbitrary code with kernel privileges if exploited, compromising system confidentiality, integrity, and availability. Organizations relying on Linux-based file servers, NAS devices, or workstations that access Windows shares are particularly at risk. The vulnerability could disrupt critical file sharing services, impacting business continuity and data access. Given the complexity of the race condition, exploitation may require specific timing and conditions, but the presence of concurrent statfs calls in typical workloads increases the likelihood of triggering the flaw unintentionally, leading to system instability. This is especially relevant for enterprises with mixed OS environments common in Europe, where SMB is widely used for file sharing. The lack of known exploits suggests that active exploitation is not yet prevalent, but the potential impact warrants prompt mitigation to prevent future attacks or accidental outages.

Mitigation Recommendations

1. Apply the official Linux kernel patches that address CVE-2023-52751 as soon as they become available from trusted Linux distributions or the kernel mainline.
2. Temporarily avoid mounting SMB shares with the specific options that trigger the vulnerability (e.g., multichannel, max_channels=2, SMB version 3.1.1) until patches are applied.
3. Monitor kernel logs for KASAN or slab-use-after-free warnings related to CIFS to detect potential exploitation or instability.
4. Implement strict access controls and network segmentation to limit SMB traffic to trusted hosts and reduce exposure.
5. For critical systems, consider using alternative file sharing protocols or SMB versions less affected by this issue until patched.
6. Conduct thorough testing of SMB client mounts in controlled environments to identify any instability or crashes related to this vulnerability.
7. Educate system administrators about the risks and signs of exploitation or system crashes related to CIFS mounts.
8. Maintain up-to-date backups and recovery plans to mitigate potential data loss from system crashes caused by this vulnerability.
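Recommendations 2 and 3 above can both be checked mechanically. The following added example, written for this page rather than taken from the advisory or from the kernel project, scans kernel log lines for the two messages the report quotes (a KASAN report attributed to the cifs module, and the "No task to wake, unknown frame" line the report ties to missed lease breaks) and lists cifs entries in a /proc/mounts-style listing that combine multichannel with vers=3.1.1. The log and mount lines embedded below are constructed and shortened from the report's output; they exist only to exercise the functions, and it is assumed that /proc/mounts shows the multichannel and max_channels options as given at mount time.

```python
"""Defender-side checks for the symptoms named in the CVE-2023-52751 report.

Constructed example code, not part of the advisory. The two regexes follow
the messages quoted in the report; the sample log and mount lines below are
constructed and shortened, and exist only to exercise the scanner.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# A KASAN report whose faulting function lives in the cifs module.
KASAN_CIFS_RE = re.compile(
    r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>\w+)\+0x[0-9a-f]+/0x[0-9a-f]+ \[cifs\]"
)
# The message the report associates with lease breaks that were not handled.
UNHANDLED_FRAME_RE = re.compile(
    r"CIFS: VFS: (?P<server>\\\\\S+) No task to wake, unknown frame"
)


@dataclass(frozen=True)
class Finding:
    line_no: int
    category: str
    detail: str


def scan_kernel_log(lines: Iterable[str]) -> List[Finding]:
    """Flag KASAN reports inside cifs and the unhandled-frame message."""
    findings: List[Finding] = []
    for line_no, line in enumerate(lines, 1):
        m = KASAN_CIFS_RE.search(line)
        if m:
            findings.append(Finding(line_no, "kasan-cifs", f"{m['kind']} in {m['func']}"))
            continue
        m = UNHANDLED_FRAME_RE.search(line)
        if m:
            findings.append(Finding(line_no, "cifs-unhandled-frame", m["server"]))
    return findings


def risky_cifs_mounts(proc_mounts: Iterable[str]) -> List[dict]:
    """Return cifs mounts using the option combination the report names:
    multichannel on SMB 3.1.1 (max_channels is recorded when present)."""
    risky = []
    for line in proc_mounts:
        fields = line.split()
        if len(fields) < 4 or fields[2] != "cifs":
            continue
        opts = {}
        for opt in fields[3].split(","):          # "key=value" or bare flag
            key, _, value = opt.partition("=")
            opts[key] = value
        if "multichannel" in opts and opts.get("vers") == "3.1.1":
            channels: Optional[int] = int(opts["max_channels"]) if opts.get("max_channels") else None
            risky.append({"source": fields[0], "target": fields[1],
                          "vers": opts["vers"], "max_channels": channels})
    return risky


# Constructed sample input (shortened from the messages quoted in the report).
SAMPLE_DMESG = [
    "[   12.001] CIFS: Attempting to mount //w22-root1.gandalf.test/share",
    "[   40.120] BUG: KASAN: slab-use-after-free in smb2_query_info_compound+0x423/0x6d0 [cifs]",
    "[   40.121] Read of size 8 at addr ffff888014941048 by task xfs_io/27534",
    "[   41.300] CIFS: VFS: \\\\w22-root1.gandalf.test No task to wake, unknown frame",
    "[   41.301] CIFS: VFS: \\\\w22-root1.gandalf.test Cmd: 18 Err: 0x0 Flags: 0x1",
]
SAMPLE_MOUNTS = [
    "//w22-root1.gandalf.test/share /mnt/w22 cifs rw,relatime,vers=3.1.1,noperm,mfsymlinks,multichannel,max_channels=2 0 0",
    "//nas.example.test/data /mnt/nas cifs rw,relatime,vers=3.0,cache=strict 0 0",
    "/dev/sda1 / ext4 rw,relatime 0 0",
]

if __name__ == "__main__":
    for f in scan_kernel_log(SAMPLE_DMESG):
        print(f"line {f.line_no}: {f.category}: {f.detail}")
    for m in risky_cifs_mounts(SAMPLE_MOUNTS):
        print("mount matches reported trigger options:", m)
```

On a real host the two functions would be fed `dmesg` output (or the journal's kernel messages) and the contents of /proc/mounts. KASAN reports only appear on kernels built with KASAN, so on production kernels the unhandled-frame message and plain cifs oops lines are the realistic signal; the mount check is worth keeping after patching as an inventory of where the reported configuration is in use.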


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-05-21T15:19:24.234Z
CISA Enriched: true
CVSS Version: null
State: PUBLISHED

Threat ID: 682d9830c4522896dcbe7471

Added to database: 5/21/2025, 9:09:04 AM

Last enriched: 7/1/2025, 6:25:40 AM

Last updated: 8/1/2025, 11:31:10 AM

Views: 17
