{
  "threat_severity" : "Low",
  "public_date" : "2026-02-14T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: smb/client: fix memory leak in smb2_open_file()",
    "id" : "2439913",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2439913"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-772",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nsmb/client: fix memory leak in smb2_open_file()\nReproducer:\n1. server: directories are exported read-only\n2. client: mount -t cifs //${server_ip}/export /mnt\n3. client: dd if=/dev/zero of=/mnt/file bs=512 count=1000 oflag=direct\n4. client: umount /mnt\n5. client: sleep 1\n6. client: modprobe -r cifs\nThe error message is as follows:\n=============================================================================\nBUG cifs_small_rq (Not tainted): Objects remaining on __kmem_cache_shutdown()\n-----------------------------------------------------------------------------\nObject 0x00000000d47521be @offset=14336\n...\nWARNING: mm/slub.c:1251 at __kmem_cache_shutdown+0x34e/0x440, CPU#0: modprobe/1577\n...\nCall Trace:\n<TASK>\nkmem_cache_destroy+0x94/0x190\ncifs_destroy_request_bufs+0x3e/0x50 [cifs]\ncleanup_module+0x4e/0x540 [cifs]\n__se_sys_delete_module+0x278/0x400\n__x64_sys_delete_module+0x5f/0x70\nx64_sys_call+0x2299/0x2ff0\ndo_syscall_64+0x89/0x350\nentry_SYSCALL_64_after_hwframe+0x76/0x7e\n...\nkmem_cache_destroy cifs_small_rq: Slab cache still has objects when called from cifs_destroy_request_bufs+0x3e/0x50 [cifs]\nWARNING: mm/slab_common.c:532 at kmem_cache_destroy+0x16b/0x190, CPU#0: modprobe/1577", "A memory leak flaw was found in the Linux kernel's CIFS/SMB client. In the smb2_open_file() function, request buffers are not properly freed when performing direct I/O writes to a read-only SMB share. This causes slab cache objects to remain allocated, which can prevent the cifs module from unloading cleanly and lead to gradual memory exhaustion with repeated operations." ],
  "statement" : "Exploitation requires mounting an SMB share and performing specific I/O patterns (direct writes to read-only exports). The memory leak manifests primarily when unloading the cifs module, making it a reliability issue rather than a readily exploitable denial of service condition.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2025-11-11T00:00:00Z",
    "advisory" : "RHSA-2025:20095",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.1",
    "package" : "kernel-0:6.12.0-124.8.1.el10_1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-11-11T00:00:00Z",
    "advisory" : "RHSA-2025:20518",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-611.5.1.el9_7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-11-11T00:00:00Z",
    "advisory" : "RHSA-2025:20518",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-611.5.1.el9_7"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-23205\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23205\nhttps://lore.kernel.org/linux-cve-announce/2026021438-CVE-2026-23205-a62a@gregkh/T" ],
  "name" : "CVE-2026-23205",
  "mitigation" : {
    "value" : "To mitigate this issue, prevent the cifs module from being loaded. See https://access.redhat.com/solutions/41278 for instructions on how to blacklist kernel modules.",
    "lang" : "en:us"
  },
  "csaw" : false
}