{
  "threat_severity" : "Low",
  "public_date" : "2025-12-24T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: smb: client: fix missed ses refcounting",
    "id" : "2425075",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2425075"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-911",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nsmb: client: fix missed ses refcounting\nUse new cifs_smb_ses_inc_refcount() helper to get an active reference\nof @ses and @ses->dfs_root_ses (if set).  This will prevent\n@ses->dfs_root_ses of being put in the next call to cifs_put_smb_ses()\nand thus potentially causing an use-after-free bug.", "A use-after-free vulnerability was found in the Linux kernel's SMB client implementation. When handling SMB sessions with DFS (Distributed File System) root sessions, the code fails to properly increment the reference count for both the session and its dfs_root_ses. This can cause the dfs_root_ses to be freed prematurely in a subsequent cifs_put_smb_ses() call, leading to a use-after-free condition." ],
  "statement" : "This flaw affects systems using the SMB/CIFS client with DFS referrals. The use-after-free can occur during session handling when DFS root sessions are involved. Exploitation requires mounting SMB shares with DFS enabled, which is common in enterprise environments with Windows file servers.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-04-30T00:00:00Z",
    "advisory" : "RHSA-2024:2394",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-427.13.1.el9_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-04-30T00:00:00Z",
    "advisory" : "RHSA-2024:2394",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-427.13.1.el9_4"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-54076\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-54076\nhttps://lore.kernel.org/linux-cve-announce/2025122433-CVE-2023-54076-e317@gregkh/T" ],
  "name" : "CVE-2023-54076",
  "csaw" : false
}