CVE-2026-23113
Unknown Unknown - Not Provided
io_uring io-wq Exit Loop Hang Causing Kernel Task Block

Publication date: 2026-02-14

Last updated on: 2026-04-18

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: io_uring/io-wq: check IO_WQ_BIT_EXIT inside work run loop Currently this is checked before running the pending work. Normally this is quite fine, as work items either end up blocking (which will create a new worker for other items), or they complete fairly quickly. But syzbot reports an issue where io-wq takes seemingly forever to exit, and with a bit of debugging, this turns out to be because it queues a bunch of big (2GB - 4096b) reads with a /dev/msr* file. Since this file type doesn't support ->read_iter(), loop_rw_iter() ends up handling them. Each read returns 16MB of data read, which takes 20 (!!) seconds. With a bunch of these pending, processing the whole chain can take a long time. Easily longer than the syzbot uninterruptible sleep timeout of 140 seconds. This then triggers a complaint off the io-wq exit path: INFO: task syz.4.135:6326 blocked for more than 143 seconds. Not tainted syzkaller #0 Blocked by coredump. "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:syz.4.135 state:D stack:26824 pid:6326 tgid:6324 ppid:5957 task_flags:0x400548 flags:0x00080000 Call Trace: <TASK> context_switch kernel/sched/core.c:5256 [inline] __schedule+0x1139/0x6150 kernel/sched/core.c:6863 __schedule_loop kernel/sched/core.c:6945 [inline] schedule+0xe7/0x3a0 kernel/sched/core.c:6960 schedule_timeout+0x257/0x290 kernel/time/sleep_timeout.c:75 do_wait_for_common kernel/sched/completion.c:100 [inline] __wait_for_common+0x2fc/0x4e0 kernel/sched/completion.c:121 io_wq_exit_workers io_uring/io-wq.c:1328 [inline] io_wq_put_and_exit+0x271/0x8a0 io_uring/io-wq.c:1356 io_uring_clean_tctx+0x10d/0x190 io_uring/tctx.c:203 io_uring_cancel_generic+0x69c/0x9a0 io_uring/cancel.c:651 io_uring_files_cancel include/linux/io_uring.h:19 [inline] do_exit+0x2ce/0x2bd0 kernel/exit.c:911 do_group_exit+0xd3/0x2a0 kernel/exit.c:1112 get_signal+0x2671/0x26d0 kernel/signal.c:3034 arch_do_signal_or_restart+0x8f/0x7e0 arch/x86/kernel/signal.c:337 __exit_to_user_mode_loop kernel/entry/common.c:41 [inline] exit_to_user_mode_loop+0x8c/0x540 kernel/entry/common.c:75 __exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline] syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:256 [inline] syscall_exit_to_user_mode_work include/linux/entry-common.h:159 [inline] syscall_exit_to_user_mode include/linux/entry-common.h:194 [inline] do_syscall_64+0x4ee/0xf80 arch/x86/entry/syscall_64.c:100 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fa02738f749 RSP: 002b:00007fa0281ae0e8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca RAX: fffffffffffffe00 RBX: 00007fa0275e6098 RCX: 00007fa02738f749 RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007fa0275e6098 RBP: 00007fa0275e6090 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007fa0275e6128 R14: 00007fff14e4fcb0 R15: 00007fff14e4fd98 There's really nothing wrong here, outside of processing these reads will take a LONG time. However, we can speed up the exit by checking the IO_WQ_BIT_EXIT inside the io_worker_handle_work() loop, as syzbot will exit the ring after queueing up all of these reads. Then once the first item is processed, io-wq will simply cancel the rest. That should avoid syzbot running into this complaint again.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-14
Last Modified
2026-04-18
Generated
2026-05-07
AI Q&A
2026-02-14
EPSS Evaluated
2026-05-05
NVD
CVE-2026-23113
EUVD
EUVD-2026-6115
Affected Vendors & Products
Showing 12 associated CPEs
Vendor Product Version / Range
linux linux_kernel 5.12
linux linux_kernel 5.12
linux linux_kernel 5.12
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel From 6.7 (inc) to 6.12.68 (exc)
linux linux_kernel From 6.13 (inc) to 6.18.8 (exc)
linux linux_kernel 6.19
linux linux_kernel From 5.12.1 (inc) to 6.6.122 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability involves the Linux kernel's io_uring subsystem, specifically the io-wq (I/O workqueue) component. The issue is that the system does not check the IO_WQ_BIT_EXIT flag inside the work run loop, which can cause the io-wq to take an excessively long time to exit when processing large read operations on /dev/msr* files.

The problem arises because /dev/msr* files do not support the read_iter() method, so the loop_rw_iter() function handles the reads, each returning 16MB of data and taking about 20 seconds. When many such reads are queued, processing them all can take longer than the system's uninterruptible sleep timeout, causing the task to be blocked for an extended period.

The fix involves checking the IO_WQ_BIT_EXIT flag inside the io_worker_handle_work() loop, allowing the system to cancel remaining work items early and speed up the exit process.


How can this vulnerability impact me? :

This vulnerability can cause the Linux kernel's io-wq worker threads to become blocked for a very long time when processing large read requests on certain device files, such as /dev/msr*. This can lead to system performance degradation or delays in task completion.

Specifically, tasks may be stuck in an uninterruptible sleep state for over two minutes, which could affect system responsiveness and stability, especially under heavy I/O workloads involving these device files.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by observing if tasks related to io_uring/io-wq are blocked for an unusually long time, specifically more than 140 seconds, which triggers a kernel hung task timeout message.

A typical indication is a kernel log message similar to: "INFO: task syz.4.135:6326 blocked for more than 143 seconds." This message shows that the io-wq worker is stuck processing large reads from /dev/msr* files.

To detect this on your system, you can monitor kernel logs for hung task warnings related to io_uring or io-wq workers.

There are no specific commands provided in the context to detect this vulnerability directly.


What immediate steps should I take to mitigate this vulnerability?

An immediate mitigation step is to disable the kernel hung task timeout message by running the command: echo 0 > /proc/sys/kernel/hung_task_timeout_secs

This will prevent the kernel from complaining about tasks blocked for more than the default timeout (140 seconds), which is triggered by the long processing time of large reads in io-wq.

However, this does not fix the underlying issue but avoids the complaint message.

The permanent fix involves a kernel update that changes the io_worker_handle_work() loop to check IO_WQ_BIT_EXIT more frequently, allowing io-wq to cancel pending work faster and avoid long blocking.

Therefore, applying the updated Linux kernel patch that resolves this issue is the recommended long-term mitigation.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart