Skip to main content

Linux Kernel CVE-2026-43215

| EUVDEUVD-2026-27777 HIGH
Improper Locking (CWE-667)
2026-05-06 Linux GHSA-qhpw-2qgq-68px
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 08, 2026 - 13:39 vuln.today
CVSS changed
May 08, 2026 - 13:22 NVD
8.8 (HIGH)
Patch available
May 06, 2026 - 13:32 EUVD
CVE Published
May 06, 2026 - 11:28 nvd
HIGH 8.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

cifs: Fix locking usage for tcon fields

We used to use the cifs_tcp_ses_lock to protect a lot of objects that are not just the server, ses or tcon lists. We later introduced srv_lock, ses_lock and tc_lock to protect fields within the corresponding structs. This was done to provide a more granular protection and avoid unnecessary serialization.

There were still a couple of uses of cifs_tcp_ses_lock to provide tcon fields. In this patch, I've replaced them with tc_lock.

AnalysisAI

A race condition in the Linux kernel CIFS (Common Internet File System) implementation allows attackers to exploit improper locking of tcon (tree connection) fields, potentially achieving high confidentiality, integrity, and availability impact. The vulnerability stems from legacy use of cifs_tcp_ses_lock instead of the more granular tc_lock for protecting tcon structure fields, creating synchronization gaps that could be exploited through crafted SMB operations requiring user interaction. Vendor patches are available across multiple stable kernel branches (6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0), with EPSS indicating low exploitation probability (0.02%, 5th percentile) and no confirmed active exploitation at time of analysis.

Technical ContextAI

This vulnerability affects the Linux kernel's CIFS client implementation, which handles SMB/CIFS protocol operations for accessing Windows file shares. The issue involves improper synchronization primitives: the code historically relied on a coarse-grained global lock (cifs_tcp_ses_lock) to protect server, session, and tree connection objects. As the codebase evolved, more granular locks (srv_lock, ses_lock, tc_lock) were introduced to reduce lock contention and improve parallelism. However, some code paths continued using the old global lock for tcon field access, creating race windows where concurrent operations could access tcon structure fields without proper mutual exclusion. This represents a classic time-of-check-time-of-use (TOCTOU) race condition in kernel code handling network file system state. The CPE identifiers confirm this affects the mainline Linux kernel codebase tracked from the initial Git import (1da177e4c3f4) through multiple stable branches.

RemediationAI

Update to patched kernel versions: 6.6.128 or later for 6.6.x branch, 6.12.75 or later for 6.12.x branch, 6.18.16 or later for 6.18.x branch, 6.19.6 or later for 6.19.x branch, or 7.0 stable release when available. Upstream fixes are tracked in commits 953953abb66e52c224057ab91e404284fefeab62, 601dd3b79769b38d30b693c40afdb2a4b7edf9d0, 3969db6b22e3d90d8c5f22ac1a7fe0350a94c136, 8c59eeeeffa1524ef57e173a89a1a3ff539888d5, and 96c4af418586ee9a6aab61738644366426e05316 available at https://git.kernel.org/stable/. If immediate patching is not feasible, implement these compensating controls with noted trade-offs: (1) Disable CIFS client support entirely via 'rmmod cifs' and block module loading - this eliminates attack surface but removes all SMB mount capability, impacting users requiring Windows file share access; (2) Restrict CIFS mount operations to root-only via filesystem policy (e.g., remove setuid on mount.cifs helpers) - reduces exposure from user-initiated mounts to untrusted servers but may disrupt workflows where non-privileged users need SMB access; (3) Implement mandatory network access controls blocking SMB/CIFS ports (TCP 445, 139) to untrusted networks - prevents connection to attacker-controlled SMB servers but requires careful firewall rule design to avoid blocking legitimate internal file servers. Each mitigation trades functionality for security; patching remains the recommended solution. Verify fix application by checking kernel version with 'uname -r' and confirming CIFS module version includes the tc_lock corrections.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-43215 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy