CVE-2026-52933
Analyzed Analyzed - Analysis Complete

Integer Overflow in Linux Kernel io_uring Polling Mechanism

Vulnerability report for CVE-2026-52933, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-24

Last updated on: 2026-07-08

Assigner: kernel.org

Description

In the Linux kernel, the following vulnerability has been resolved: io_uring/poll: fix signed comparison in io_poll_get_ownership() io_poll_get_ownership() uses a signed comparison to check whether poll_refs has reached the threshold for the slowpath: if (unlikely(atomic_read(&req->poll_refs) >= IO_POLL_REF_BIAS)) atomic_read() returns int (signed). When IO_POLL_CANCEL_FLAG (BIT(31)) is set in poll_refs, the value becomes negative in signed arithmetic, so the >= 128 comparison always evaluates to false and the slowpath is never taken. Fix this by casting the atomic_read() result to unsigned int before the comparison, so that the cancel flag is treated as a large positive value and correctly triggers the slowpath.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-24
Last Modified
2026-07-08
Generated
2026-07-14
AI Q&A
2026-06-24
EPSS Evaluated
2026-07-13
NVD
EUVD

Affected Vendors & Products

Showing 10 associated CPEs
Vendor Product Version / Range
linux linux_kernel 6.1
linux linux_kernel 6.1
linux linux_kernel 6.1
linux linux_kernel From 6.0.11 (inc) to 6.1 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.86 (exc)
linux linux_kernel From 6.2 (inc) to 6.6.140 (exc)
linux linux_kernel From 6.1.1 (inc) to 6.1.175 (exc)
linux linux_kernel From 6.13 (inc) to 6.18.27 (exc)
linux linux_kernel From 6.19 (inc) to 7.0.4 (exc)
linux linux_kernel From 5.15.82 (inc) to 5.16 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-835 The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is in the Linux kernel's io_uring subsystem, specifically in the function io_poll_get_ownership(). The issue arises because the function uses a signed comparison to check if a counter (poll_refs) has reached a certain threshold (IO_POLL_REF_BIAS).

The problem is that poll_refs is read using atomic_read(), which returns a signed integer. When a particular flag (IO_POLL_CANCEL_FLAG) is set in poll_refs, it sets the highest bit, making the signed integer negative. Because of this, the comparison to check if poll_refs is greater than or equal to 128 always evaluates to false, preventing the intended slowpath code from executing.

The fix involves casting the result of atomic_read() to an unsigned integer before the comparison, so that the cancel flag is treated as a large positive number and the slowpath is correctly triggered.

Impact Analysis

This vulnerability involves a signed comparison error in the Linux kernel's io_uring polling mechanism. Specifically, the function io_poll_get_ownership() incorrectly handles a cancel flag due to signed integer comparison, causing the slowpath to never be triggered when it should be. This could potentially lead to incorrect behavior in the polling mechanism, possibly affecting the reliability or correctness of I/O operations that rely on io_uring.

Mitigation Strategies

The vulnerability is fixed in the Linux kernel by correcting the signed comparison in the io_poll_get_ownership() function. To mitigate this vulnerability, you should update your Linux kernel to a version that includes this fix.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-52933. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart