CVE-2026-23275
Received Received - Intake
Use-After-Free Vulnerability in Linux Kernel io_uring Task Work

Publication date: 2026-03-20

Last updated on: 2026-04-02

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: io_uring: ensure ctx->rings is stable for task work flags manipulation If DEFER_TASKRUN | SETUP_TASKRUN is used and task work is added while the ring is being resized, it's possible for the OR'ing of IORING_SQ_TASKRUN to happen in the small window of swapping into the new rings and the old rings being freed. Prevent this by adding a 2nd ->rings pointer, ->rings_rcu, which is protected by RCU. The task work flags manipulation is inside RCU already, and if the resize ring freeing is done post an RCU synchronize, then there's no need to add locking to the fast path of task work additions. Note: this is only done for DEFER_TASKRUN, as that's the only setup mode that supports ring resizing. If this ever changes, then they too need to use the io_ctx_mark_taskrun() helper.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-20
Last Modified
2026-04-02
Generated
2026-05-07
AI Q&A
2026-03-20
EPSS Evaluated
2026-05-05
NVD
CVE-2026-23275
EUVD
EUVD-2026-13611
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
linux linux_kernel *
linux_kernel linux_kernel *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's io_uring subsystem. It occurs when task work flags are manipulated during ring resizing while using DEFER_TASKRUN or SETUP_TASKRUN modes. Specifically, if task work is added while the ring is being resized, there is a small window where the OR'ing of the IORING_SQ_TASKRUN flag can happen between swapping into new rings and freeing the old rings, potentially causing instability.

The fix involves adding a second pointer, rings_rcu, protected by Read-Copy-Update (RCU) mechanisms to ensure stability. This allows task work flags manipulation to be safely done inside RCU without adding locking overhead to the fast path of task work additions.


How can this vulnerability impact me? :

This vulnerability could lead to instability or unexpected behavior in the Linux kernel's io_uring subsystem when resizing rings during task work flag manipulation. Such instability might cause kernel crashes or unpredictable system behavior, potentially affecting system reliability and performance.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

I don't know


What immediate steps should I take to mitigate this vulnerability?

The vulnerability has been resolved in the Linux kernel by ensuring the stability of ctx->rings during task work flags manipulation. To mitigate this vulnerability, you should update your Linux kernel to a version that includes this fix.

Specifically, the fix involves adding a second rings pointer (rings_rcu) protected by RCU to prevent issues during ring resizing when using DEFER_TASKRUN or SETUP_TASKRUN flags.

Therefore, the immediate step is to apply the kernel update that contains this patch.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart