CVE-2026-46315
Received Received - Intake
Memory Corruption in Linux Kernel io_uring

Publication date: 2026-06-09

Last updated on: 2026-06-09

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: io_uring/waitid: clear waitid info before copying it to userspace IORING_OP_WAITID stores its result fields in struct io_waitid::info and later copies them to userspace siginfo. The prep path initializes the request arguments, but it does not initialize info itself. If the wait operation completes without reporting a child event, the common wait code can return without writing wo_info. In that case io_waitid_finish() still copies iw->info to userspace, exposing stale bytes from the reused io_kiocb command storage. Clear the result storage during prep so the io_uring path matches the regular waitid syscall, which uses a zero-initialized struct waitid_info.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-09
Last Modified
2026-06-09
Generated
2026-06-09
AI Q&A
2026-06-09
EPSS Evaluated
N/A
NVD
CVE-2026-46315
EUVD
EUVD-2026-35373
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linux linux_kernel *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's io_uring subsystem, specifically in the handling of the IORING_OP_WAITID operation. The issue arises because the structure that stores result fields (io_waitid::info) is not properly cleared before being copied to userspace. If the wait operation completes without reporting a child event, stale data from previously used memory can be exposed to userspace, potentially leaking unintended information.

Impact Analysis

The vulnerability can lead to information leakage by exposing stale bytes from reused kernel memory to userspace applications. This means that sensitive or unintended data from previous operations might be accessible to an attacker or unprivileged user, potentially compromising system confidentiality.

Mitigation Strategies

The vulnerability has been resolved by clearing the waitid info structure before copying it to userspace in the Linux kernel's io_uring implementation.

To mitigate this vulnerability immediately, you should update your Linux kernel to a version that includes this fix.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-46315. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart