HIGH
cifs TconFields Race
CVE-2026-43215
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
KernelScan AI score: 5.8 MEDIUM

01 Description
In the Linux kernel, the following vulnerability has been resolved:

cifs: Fix locking usage for tcon fields

We used to use the cifs_tcp_ses_lock to protect a lot of objects that are not just the server, ses or tcon lists. We later introduced srv_lock, ses_lock and tc_lock to protect fields within the corresponding structs. This was done to provide a more granular protection and avoid unnecessary serialization.

There were still a couple of uses of cifs_tcp_ses_lock to provide tcon fields. In this patch, I've replaced them with tc_lock.

02 KernelScan AI Analysis
Risk summary
Local users with low privileges can trigger a race condition in CIFS/SMB client code by accessing tcon (tree connection) reference counts concurrently. This can lead to use-after-free conditions, memory corruption, or kernel crashes when using SMB/CIFS network file shares.
Vulnerability analysis
The vulnerability stems from inconsistent locking granularity in the CIFS client code. Several code paths continued to use the coarse-grained global lock (cifs_tcp_ses_lock) to protect per-tcon fields such as tc_count, while other paths used the finer-grained per-tcon tc_lock. Because a holder of cifs_tcp_ses_lock does not exclude a holder of tc_lock, two concurrent operations on the same tcon can both enter their critical sections and perform a read-modify-write on the reference count at the same time, corrupting it. A lost increment can cause premature freeing of the object (use-after-free), while a lost decrement can cause a memory leak. The fix replaces the remaining uses of the global lock with tc_lock and ensures consistent reference counting through cifs_put_tcon().
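The lost-update mechanism described above, as an added user-space model that is not code from the page or from the kernel tree: the names tcon, tc_count, tc_lock and cifs_tcp_ses_lock mirror the advisory, while the worker harness, run_refcount_race() and the thread/iteration counts are hypothetical. With mixed=1 half the workers take the global lock and half take the per-tcon lock (the pre-fix situation); with mixed=0 every path takes tc_lock (the fix).

```c
/* Added example: two locks do not exclude each other, so a refcount
 * guarded by cifs_tcp_ses_lock on some paths and tc_lock on others
 * loses updates. Names follow the advisory; the harness is hypothetical. */
#include <pthread.h>
#include <stdio.h>

#define THREADS 4
#define ITERS   200000

struct tcon {
    int tc_count;            /* reference count, as in the kernel struct */
    pthread_mutex_t tc_lock; /* per-tcon lock */
};

/* Coarse global lock that some pre-fix paths still used for tcon fields. */
static pthread_mutex_t cifs_tcp_ses_lock = PTHREAD_MUTEX_INITIALIZER;

struct worker_arg { struct tcon *tcon; pthread_mutex_t *lock; };

/* Each worker bumps tc_count ITERS times under whichever lock it was given. */
static void *bump(void *p)
{
    struct worker_arg *a = p;
    for (int i = 0; i < ITERS; i++) {
        pthread_mutex_lock(a->lock);
        a->tcon->tc_count++; /* safe only if every path holds the same lock */
        pthread_mutex_unlock(a->lock);
    }
    return NULL;
}

/* Runs THREADS workers and returns the final tc_count. The correct value is
 * THREADS * ITERS; with mixed=1 odd workers use the global lock and even
 * workers use tc_lock, so increments can be lost. */
int run_refcount_race(int mixed)
{
    struct tcon t = { .tc_count = 0, .tc_lock = PTHREAD_MUTEX_INITIALIZER };
    pthread_t th[THREADS];
    struct worker_arg args[THREADS];
    for (int i = 0; i < THREADS; i++) {
        args[i].tcon = &t;
        args[i].lock = (mixed && (i & 1)) ? &cifs_tcp_ses_lock : &t.tc_lock;
        pthread_create(&th[i], NULL, bump, &args[i]);
    }
    for (int i = 0; i < THREADS; i++)
        pthread_join(th[i], NULL);
    return t.tc_count;
}

int main(void)
{
    printf("mixed locks: %d, tc_lock only: %d (expected %d)\n",
           run_refcount_race(1), run_refcount_race(0), THREADS * ITERS);
    return 0;
}
```

The mixed run typically ends short of the expected total, which is the lost increment the analysis ties to a premature free; the single-lock run is always exact.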
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.12 | 6.12.75 | 601dd3b79769 |
| 6.18 | 6.18.16 | 3969db6b22e3 |
| 6.19 | 6.19.6 | 8c59eeeeffa1 |
| 6.6 | 6.6.128 | 953953abb66e |
| mainline | 7.0 | 96c4af418586 |