CVE-2026-52933
Received - Intake
Integer Overflow in Linux Kernel io_uring Polling Mechanism

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

io_uring/poll: fix signed comparison in io_poll_get_ownership()

io_poll_get_ownership() uses a signed comparison to check whether poll_refs has reached the threshold for the slowpath:

    if (unlikely(atomic_read(&req->poll_refs) >= IO_POLL_REF_BIAS))

atomic_read() returns int (signed). When IO_POLL_CANCEL_FLAG (BIT(31)) is set in poll_refs, the value becomes negative in signed arithmetic, so the >= 128 comparison always evaluates to false and the slowpath is never taken.

Fix this by casting the atomic_read() result to unsigned int before the comparison, so that the cancel flag is treated as a large positive value and correctly triggers the slowpath.
Affected Vendors & Products
Currently, no data is known.
CWE ID Description
CWE-UNKNOWN
Executive Summary

This vulnerability is in the Linux kernel's io_uring subsystem, specifically in the function io_poll_get_ownership(). The issue arises because the function uses a signed comparison to check if a counter (poll_refs) has reached a certain threshold (IO_POLL_REF_BIAS).

The problem is that poll_refs is read using atomic_read(), which returns a signed integer. When a particular flag (IO_POLL_CANCEL_FLAG) is set in poll_refs, it sets the highest bit, making the signed integer negative. Because of this, the comparison to check if poll_refs is greater than or equal to 128 always evaluates to false, preventing the intended slowpath code from executing.

The fix involves casting the result of atomic_read() to an unsigned integer before the comparison, so that the cancel flag is treated as a large positive number and the slowpath is correctly triggered.
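The comparison described above can be reproduced in user space. The following is an added example, not kernel code and not part of the original advisory: model_atomic_read(), the two slowpath_* helpers and the sample values are constructed for illustration, and only the BIT(31) flag and the threshold of 128 come from the description.

```c
#include <stdbool.h>
#include <stdio.h>

/* Values as given in the description: BIT(31) and a threshold of 128. */
#define IO_POLL_CANCEL_FLAG (1u << 31)
#define IO_POLL_REF_BIAS    128

/* Stand-in for atomic_read(): hands the stored bits back as a signed int.
 * (Assumes the two's-complement wrap that gcc and clang implement.) */
static int model_atomic_read(unsigned int bits)
{
    return (int)bits;
}

/* Comparison as it was before the fix: signed int against 128. */
static bool slowpath_before_fix(unsigned int bits)
{
    return model_atomic_read(bits) >= IO_POLL_REF_BIAS;
}

/* Comparison after the fix: cast to unsigned int first. */
static bool slowpath_after_fix(unsigned int bits)
{
    return (unsigned int)model_atomic_read(bits) >= IO_POLL_REF_BIAS;
}

/* Constructed poll_refs values on both sides of the threshold. */
static const unsigned int samples[] = {
    0, 1, 127, 128, 129,
    IO_POLL_CANCEL_FLAG, IO_POLL_CANCEL_FLAG | 1, IO_POLL_CANCEL_FLAG | 128,
};

/* Print both results per sample; return how many samples disagree. */
static int count_disagreements(void)
{
    int n = 0;
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        bool before = slowpath_before_fix(samples[i]);
        bool after = slowpath_after_fix(samples[i]);
        printf("poll_refs=0x%08x before=%d after=%d\n", samples[i], before, after);
        n += (before != after);
    }
    return n;
}

int main(void)
{
    printf("disagreements: %d\n", count_disagreements());
}
```

The two checks agree on every value without the cancel flag and disagree on every value with it, which is the narrow behavioural change the fix makes.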
