Description
In the Linux kernel, the following vulnerability has been resolved:

io_uring: ensure ctx->rings is stable for task work flags manipulation

If DEFER_TASKRUN | SETUP_TASKRUN is used and task work is added while
the ring is being resized, it's possible for the OR'ing of
IORING_SQ_TASKRUN to happen in the small window of swapping into the
new rings and the old rings being freed.

Prevent this by adding a 2nd ->rings pointer, ->rings_rcu, which is
protected by RCU. The task work flags manipulation is inside RCU
already, and if the resize ring freeing is done post an RCU synchronize,
then there's no need to add locking to the fast path of task work
additions.

Note: this is only done for DEFER_TASKRUN, as that's the only setup mode
that supports ring resizing. If this ever changes, then they too need to
use the io_ctx_mark_taskrun() helper.
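
The ordering the fix depends on, as an added single-threaded C model (not the kernel's code): the old rings may only be released once every task-work path that loaded the pointer has left its read-side section. The struct layouts, `MODEL_SQ_TASKRUN`, the `released` marker, the reader counter standing in for RCU, and `run_window()` are all constructed for illustration.

```c
#include <stdio.h>

#define MODEL_SQ_TASKRUN (1u << 2)  /* stand-in for IORING_SQ_TASKRUN */
struct rings { unsigned sq_flags; int released; };  /* released = "freed" marker */
struct ctx {
    struct rings *rings_rcu, *pending;  /* published rings; old rings awaiting readers */
    int readers;                        /* tasks inside a read-side section */
};

/* Task-work side, first half: enter the read section and load the pointer. */
static struct rings *mark_begin(struct ctx *c) { c->readers++; return c->rings_rcu; }

/* Second half: OR in the flag and leave. Returns 1 if the target was released. */
static int mark_end(struct ctx *c, struct rings *r) {
    int stale = r->released;
    r->sq_flags |= MODEL_SQ_TASKRUN;  /* safe here: the model never really frees */
    if (--c->readers == 0 && c->pending) {  /* last reader left: grace period over */
        c->pending->released = 1;
        c->pending = NULL;
    }
    return stale;
}

/* Resize side: publish the new rings, then release the old ones. */
static void resize(struct ctx *c, struct rings *fresh, int wait_for_readers) {
    struct rings *old = c->rings_rcu;
    c->rings_rcu = fresh;
    if (wait_for_readers && c->readers > 0)
        c->pending = old;     /* models freeing only after an RCU synchronize */
    else
        old->released = 1;    /* models freeing right after the swap */
}

/* One fixed interleaving: load pointer, resize, then OR the flag. */
int run_window(int wait_for_readers, int *old_released_at_end) {
    struct rings a = {0, 0}, b = {0, 0};
    struct ctx c = { &a, NULL, 0 };
    struct rings *seen = mark_begin(&c);
    resize(&c, &b, wait_for_readers);
    int stale = mark_end(&c, seen);
    *old_released_at_end = a.released;
    return stale;
}

int main(void) {
    int rel, before = run_window(0, &rel), after = run_window(1, &rel);
    printf("stale write: free-after-swap=%d, free-after-readers=%d\n", before, after);
    return 0;
}
```

In both runs the old rings end up released; only the run that waits for readers keeps the flag write off released memory.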
Published: 2026-03-20
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A race condition in the Linux kernel io_uring implementation can cause the IORING_SQ_TASKRUN flag to be incorrectly applied while a ring buffer is being resized. During the brief window in which the old rings are freed and the new ones swapped, kernel memory corruption or a crash can occur. Based on the description, it is inferred that the flaw does not provide a direct path for privilege escalation, but it can result in a denial of service by triggering a kernel panic.

Affected Systems

All Linux kernel configurations that include the io_uring API and support DEFER_TASKRUN mode before the patch are affected. The CPE list shows generic Linux kernel and Linux kernel releases 7.0‑rc1 through 7.0‑rc3. Any distribution using these kernels without the fix is vulnerable.

Risk and Exploitability

The CVSS score of 7.8 reflects high severity for a local denial of service. The EPSS score of less than 1% indicates low likelihood of exploitation in the wild. The vulnerability is not listed in CISA KEV. Based on the description, it is inferred that exploitation requires local privileged code to manipulate io_uring and trigger a ring resize; it does not provide remote access or privilege escalation.

Generated by OpenCVE AI on May 26, 2026 at 17:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor-recommended kernel update that includes the io_uring ring stability patch, which resolves the race condition identified by CWE-366 by adding RCU-protected ring pointers.
  • If upgrading the kernel is not immediately possible, backport the patch that introduces the second RCU-protected rings pointer (->rings_rcu) and the io_ctx_mark_taskrun() helper to your kernel build, thereby mitigating the CWE-366 race condition.
  • While awaiting a permanent fix, limit or disable DEFER_TASKRUN mode for privileged workloads or block io_uring usage in critical services to avoid the race window that can lead to a denial of service.


Advisories

No advisories yet.

History

Tue, 26 May 2026 13:45:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*

Thu, 02 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4.7, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H'}

cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Sat, 21 Mar 2026 05:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-366
References
Metrics threat_severity

None

cvssV3_1

{'score': 4.7, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Low


Fri, 20 Mar 2026 14:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362

Fri, 20 Mar 2026 10:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362

Fri, 20 Mar 2026 08:30:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: io_uring: ensure ctx->rings is stable for task work flags manipulation If DEFER_TASKRUN | SETUP_TASKRUN is used and task work is added while the ring is being resized, it's possible for the OR'ing of IORING_SQ_TASKRUN to happen in the small window of swapping into the new rings and the old rings being freed. Prevent this by adding a 2nd ->rings pointer, ->rings_rcu, which is protected by RCU. The task work flags manipulation is inside RCU already, and if the resize ring freeing is done post an RCU synchronize, then there's no need to add locking to the fast path of task work additions. Note: this is only done for DEFER_TASKRUN, as that's the only setup mode that supports ring resizing. If this ever changes, then they too need to use the io_ctx_mark_taskrun() helper.
Title io_uring: ensure ctx->rings is stable for task work flags manipulation
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:03:42.916Z

Reserved: 2026-01-13T15:37:45.991Z

Link: CVE-2026-23275

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-03-20T09:16:13.223

Modified: 2026-05-22T18:16:37.300

Link: CVE-2026-23275

Redhat

Severity : Low

Public Date: 2026-03-20T00:00:00Z

Links: CVE-2026-23275 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-26T17:30:10Z

Weaknesses