In the Linux kernel, the following vulnerability has been resolved:
smb/client: fix memory leak in smb2_open_file()
Reproducer:
1. server: directories are exported read-only
2. client: mount -t cifs //${server_ip}/export /mnt
3. client: dd if=/dev/zero of=/mnt/file bs=512 count=1000 oflag=direct
4. client: umount /mnt
5. client: sleep 1
6. client: modprobe -r cifs
The error message is as follows:
=============================================================================
BUG cifs_small_rq (Not tainted): Objects remaining on __kmem_cache_shutdown()
-----------------------------------------------------------------------------
Object 0x00000000d47521be @offset=14336
...
WARNING: mm/slub.c:1251 at __kmem_cache_shutdown+0x34e/0x440, CPU#0: modprobe/1577
...
Call Trace:
<TASK>
kmem_cache_destroy+0x94/0x190
cifs_destroy_request_bufs+0x3e/0x50 [cifs]
cleanup_module+0x4e/0x540 [cifs]
__se_sys_delete_module+0x278/0x400
__x64_sys_delete_module+0x5f/0x70
x64_sys_call+0x2299/0x2ff0
do_syscall_64+0x89/0x350
entry_SYSCALL_64_after_hwframe+0x76/0x7e
...
kmem_cache_destroy cifs_small_rq: Slab cache still has objects when called from cifs_destroy_request_bufs+0x3e/0x50 [cifs]
WARNING: mm/slab_common.c:532 at kmem_cache_destroy+0x16b/0x190, CPU#0: modprobe/1577
Click to expand
{
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"cveMetadata": {
"cveId": "CVE-2026-23205",
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"dateUpdated": "2026-02-14T16:27:28.409Z",
"dateReserved": "2026-01-13T15:37:45.986Z",
"datePublished": "2026-02-14T16:27:28.409Z",
"state": "PUBLISHED"
},
"containers": {
"cna": {
"providerMetadata": {
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux",
"dateUpdated": "2026-02-14T16:27:28.409Z"
},
"title": "smb/client: fix memory leak in smb2_open_file()",
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb/client: fix memory leak in smb2_open_file()\n\nReproducer:\n\n 1. server: directories are exported read-only\n 2. client: mount -t cifs //${server_ip}/export /mnt\n 3. client: dd if=/dev/zero of=/mnt/file bs=512 count=1000 oflag=direct\n 4. client: umount /mnt\n 5. client: sleep 1\n 6. client: modprobe -r cifs\n\nThe error message is as follows:\n\n =============================================================================\n BUG cifs_small_rq (Not tainted): Objects remaining on __kmem_cache_shutdown()\n -----------------------------------------------------------------------------\n\n Object 0x00000000d47521be @offset=14336\n ...\n WARNING: mm/slub.c:1251 at __kmem_cache_shutdown+0x34e/0x440, CPU#0: modprobe/1577\n ...\n Call Trace:\n <TASK>\n kmem_cache_destroy+0x94/0x190\n cifs_destroy_request_bufs+0x3e/0x50 [cifs]\n cleanup_module+0x4e/0x540 [cifs]\n __se_sys_delete_module+0x278/0x400\n __x64_sys_delete_module+0x5f/0x70\n x64_sys_call+0x2299/0x2ff0\n do_syscall_64+0x89/0x350\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n ...\n kmem_cache_destroy cifs_small_rq: Slab cache still has objects when called from cifs_destroy_request_bufs+0x3e/0x50 [cifs]\n WARNING: mm/slab_common.c:532 at kmem_cache_destroy+0x16b/0x190, CPU#0: modprobe/1577"
}
],
"affected": [
{
"vendor": "Linux",
"product": "Linux",
"programFiles": [
"fs/smb/client/smb2file.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"defaultStatus": "unaffected",
"versions": [
{
"version": "17e53a15e64b65623b8f2b1185d27d7b1cbf69ab",
"status": "affected",
"versionType": "git",
"lessThan": "743f70406264348c0830f38409eb6c40a42fb2db"
},
{
"version": "18066188eb90cc0c798f3370a8078a79ddb73f70",
"status": "affected",
"versionType": "git",
"lessThan": "3a6d6b332f92990958602c1e35ce0173e2dd62e9"
},
{
"version": "6ebb9d54eccc8026b386e76eff69364d33373da5",
"status": "affected",
"versionType": "git",
"lessThan": "b64e3b5d8d759dd4333992e4ba4dadf9359952c8"
},
{
"version": "e255612b5ed9f179abe8196df7c2ba09dd227900",
"status": "affected",
"versionType": "git",
"lessThan": "9ee608a64e37cea5b4b13e436c559dd0fb2ad1b5"
},
{
"version": "e255612b5ed9f179abe8196df7c2ba09dd227900",
"status": "affected",
"versionType": "git",
"lessThan": "e3a43633023e3cacaca60d4b8972d084a2b06236"
},
{
"version": "bcd15f06c7e8904116cfb06526bcc189b86aff85",
"status": "affected",
"versionType": "git"
}
]
},
{
"vendor": "Linux",
"product": "Linux",
"programFiles": [
"fs/smb/client/smb2file.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"defaultStatus": "affected",
"versions": [
{
"version": "6.15",
"status": "affected"
},
{
"version": "0",
"status": "unaffected",
"versionType": "semver",
"lessThan": "6.15"
},
{
"version": "6.1.163",
"status": "unaffected",
"versionType": "semver",
"lessThanOrEqual": "6.1.*"
},
{
"version": "6.6.124",
"status": "unaffected",
"versionType": "semver",
"lessThanOrEqual": "6.6.*"
},
{
"version": "6.12.70",
"status": "unaffected",
"versionType": "semver",
"lessThanOrEqual": "6.12.*"
},
{
"version": "6.18.10",
"status": "unaffected",
"versionType": "semver",
"lessThanOrEqual": "6.18.*"
},
{
"version": "6.19",
"status": "unaffected",
"versionType": "original_commit_for_fix",
"lessThanOrEqual": "*"
}
]
}
],
"references": [
{
"url": "https://git.kernel.org/stable/c/743f70406264348c0830f38409eb6c40a42fb2db"
},
{
"url": "https://git.kernel.org/stable/c/3a6d6b332f92990958602c1e35ce0173e2dd62e9"
},
{
"url": "https://git.kernel.org/stable/c/b64e3b5d8d759dd4333992e4ba4dadf9359952c8"
},
{
"url": "https://git.kernel.org/stable/c/9ee608a64e37cea5b4b13e436c559dd0fb2ad1b5"
},
{
"url": "https://git.kernel.org/stable/c/e3a43633023e3cacaca60d4b8972d084a2b06236"
}
]
}
}
}