Description
In the Linux kernel, the following vulnerability has been resolved:

io_uring/kbuf: always use READ_ONCE() to read ring provided buffer lengths

Since the buffers are mapped from userspace, it is prudent to use
READ_ONCE() to read the value into a local variable, and use that for
any other actions taken. Having a stable read of the buffer length
avoids worrying about it changing after checking, or being read multiple
times.

Similarly, the buffer may well change in between it being picked and
being committed. Ensure the looping for incremental ring buffer commit
stops if it hits a zero sized buffer, as no further progress can be made
at that point.
Published: 2025-09-16
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Race condition that can lead to data corruption or denial of service in Linux io_uring
Action: Patch
AI Analysis

Impact

The flaw occurs when the io_uring subsystem reads user‑supplied buffer lengths without using the READ_ONCE() macro. The kernel therefore reads a value that may change before subsequent actions are performed, which means the kernel could commit data with an incorrect or zero length. Such a mismatch can corrupt data or block further progress, potentially leading to a denial of service. The description explicitly notes that the buffer may change between selection and commitment, underscoring the risk of an inconsistent length being used.
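The single-read pattern and the zero-length stop condition described above, as an added userspace model (not the kernel patch and not code from this page). All names (`ring_buf`, `buf_ring`, `inc_commit`, `run_case`, `READ_ONCE_U32`) are hypothetical, and the volatile cast is a simplified stand-in for the kernel's READ_ONCE().

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed userspace model: ring entries live in memory an untrusted
 * writer can modify at any time. Not the kernel's structures. */
struct ring_buf { uint64_t addr; uint32_t len; };
struct buf_ring { struct ring_buf bufs[4]; uint16_t head, mask; };
struct result { bool done; uint16_t head; uint32_t head_len; };

/* Simplified stand-in for READ_ONCE(): one load the compiler cannot repeat. */
#define READ_ONCE_U32(x) (*(const volatile uint32_t *)&(x))

/* Consume len bytes from the ring head. True: whole buffers covered len.
 * False: stopped inside a buffer, or hit a zero-sized entry. */
bool inc_commit(struct buf_ring *r, uint32_t len)
{
    while (len) {
        struct ring_buf *b = &r->bufs[r->head & r->mask];
        uint32_t buf_len = READ_ONCE_U32(b->len);  /* single snapshot */
        uint32_t this_len = len < buf_len ? len : buf_len;
        buf_len -= this_len;
        if (buf_len || !this_len) {  /* partial use, or no progress possible */
            b->addr += this_len;
            b->len = buf_len;        /* write back the value derived locally */
            return false;
        }
        b->len = 0;
        r->head++;
        len -= this_len;
    }
    return true;
}

/* Hypothetical helper: build a 4-entry ring with the given lengths, commit. */
struct result run_case(const uint32_t lens[4], uint32_t len)
{
    struct buf_ring r = { .head = 0, .mask = 3 };
    for (int i = 0; i < 4; i++)
        r.bufs[i] = (struct ring_buf){ 0x1000u * (i + 1), lens[i] };
    bool done = inc_commit(&r, len);
    return (struct result){ done, r.head, r.bufs[r.head & r.mask].len };
}

int main(void)
{
    struct result a = run_case((const uint32_t[4]){100, 100, 100, 100}, 250);
    struct result z = run_case((const uint32_t[4]){100, 0, 0, 0}, 150);
    printf("partial: done=%d head=%d; zero-sized: done=%d head=%d\n",
           a.done, a.head, z.done, z.head);
}
```

Without the `!this_len` test, a zero-sized entry would advance the head without reducing `len`, so the loop could keep walking the ring without ever finishing.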

Affected Systems

All Linux kernel releases not yet incorporating the READ_ONCE() change for io_uring buffer lengths are affected. The CPE data lists every generic Linux kernel as well as the 6.17 release candidates (RC1, RC2, RC3). Kernel 6.17 RC1 and newer contain the fix, so older kernels up to but not including those releases remain vulnerable.

Risk and Exploitability

The CVSS score of 5.5 indicates moderate severity; the EPSS score of less than 1% suggests that exploitation is unlikely in the wild. The vulnerability is not catalogued in the CISA KEV list. Based on the description, it is inferred that the attack vector would involve a local user process that submits carefully crafted io_uring requests with manipulated buffer lengths. This inference is not directly stated in the official data.

Generated by OpenCVE AI on April 21, 2026 at 19:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that incorporates the READ_ONCE fix for io_uring buffer lengths, such as kernel 6.17 RC1 or newer, or apply a vendor backported patch if available.
  • If an immediate kernel upgrade is not possible, ensure that all user‑space applications performing io_uring operations validate buffer lengths and avoid using zero‑length or unstable buffers before submission.
  • Consider disabling the io_uring interface or restricting its use on systems where the fix cannot be applied promptly.

Advisories
Source: EUVD
ID: EUVD-2025-29598
Title: In the Linux kernel, the following vulnerability has been resolved: io_uring/kbuf: always use READ_ONCE() to read ring provided buffer lengths Since the buffers are mapped from userspace, it is prudent to use READ_ONCE() to read the value into a local variable, and use that for any other actions taken. Having a stable read of the buffer length avoids worrying about it changing after checking, or being read multiple times. Similarly, the buffer may well change in between it being picked and being committed. Ensure the looping for incremental ring buffer commit stops if it hits a zero sized buffer, as no further progress can be made at that point.

History

Sat, 11 Apr 2026 13:00:00 +0000


Wed, 14 Jan 2026 19:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 02 Dec 2025 19:15:00 +0000

Type: Weaknesses
Values Added: NVD-CWE-noinfo

Type: CPEs
Values Added:
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.17:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.17:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.17:rc3:*:*:*:*:*:*

Thu, 25 Sep 2025 10:00:00 +0000


Wed, 17 Sep 2025 11:00:00 +0000

Type: First Time appeared
Values Added: Linux; Linux linux Kernel

Type: Vendors & Products
Values Added: Linux; Linux linux Kernel

Wed, 17 Sep 2025 00:15:00 +0000

Type: References

Type: Metrics
Values Removed: threat_severity None
Values Added: cvssV3_1 {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}; threat_severity Moderate


Tue, 16 Sep 2025 13:15:00 +0000

Type: Description
Values Added: In the Linux kernel, the following vulnerability has been resolved: io_uring/kbuf: always use READ_ONCE() to read ring provided buffer lengths Since the buffers are mapped from userspace, it is prudent to use READ_ONCE() to read the value into a local variable, and use that for any other actions taken. Having a stable read of the buffer length avoids worrying about it changing after checking, or being read multiple times. Similarly, the buffer may well change in between it being picked and being committed. Ensure the looping for incremental ring buffer commit stops if it hits a zero sized buffer, as no further progress can be made at that point.

Type: Title
Values Added: io_uring/kbuf: always use READ_ONCE() to read ring provided buffer lengths

Type: References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T21:36:54.462Z

Reserved: 2025-04-16T07:20:57.138Z

Link: CVE-2025-39816

Vulnrichment

Updated: 2026-01-14T18:15:52.997Z

NVD

Status: Modified

Published: 2025-09-16T13:15:56.790

Modified: 2026-04-11T13:16:35.397

Link: CVE-2025-39816

Redhat

Severity: Moderate

Public Date: 2025-09-16T00:00:00Z

Links: CVE-2025-39816 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-21T19:15:26Z
