Description
In the Linux kernel, the following vulnerability has been resolved:

io_uring: ensure ctx->rings is stable for task work flags manipulation

If DEFER_TASKRUN | SETUP_TASKRUN is used and task work is added while
the ring is being resized, it's possible for the OR'ing of
IORING_SQ_TASKRUN to happen in the small window of swapping into the
new rings and the old rings being freed.

Prevent this by adding a 2nd ->rings pointer, ->rings_rcu, which is
protected by RCU. The task work flags manipulation is inside RCU
already, and if the resize ring freeing is done post an RCU synchronize,
then there's no need to add locking to the fast path of task work
additions.

Note: this is only done for DEFER_TASKRUN, as that's the only setup mode
that supports ring resizing. If this ever changes, then they too need to
use the io_ctx_mark_taskrun() helper.
Published: 2026-03-20
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch
AI Analysis

Impact

A race condition in the Linux kernel io_uring subsystem may cause the IORING_SQ_TASKRUN flag to be incorrectly applied while a ring is being resized. In the brief window between swapping in the new rings and freeing the old ones, the task work flags manipulation can corrupt memory or cause a kernel crash. The vulnerable behavior does not directly grant an attacker code execution, but a crash could allow a local privileged attacker to gain escalated privileges or disrupt system availability.

Affected Systems

Any Linux distribution is potentially affected if its kernel implements the io_uring feature set described. No specific kernel release versions are listed in the available data, so any kernel that includes io_uring support prior to the fix should be considered vulnerable.

Risk and Exploitability

The CVSS score of 7.8 indicates a high severity vulnerability, and the low EPSS (<1%) suggests exploitation is unlikely in the wild. The vulnerability is not currently listed in the CISA KEV catalog. The attack vector is local to the kernel, requiring the attacker to execute privileged code that can manipulate task work or trigger a ring resize. Because the issue is tied to kernel memory management, exploitation would be relatively complex and is not known to be actively weaponized.

Generated by OpenCVE AI on April 2, 2026 at 16:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Linux kernel update that includes the io_uring ring stability fix
  • If update is not immediately available, verify distribution security advisories for interim patches
  • Monitor kernel updates and verify the patch is in place by checking the kernel version and commit log



Advisories

No advisories yet.

History

Thu, 02 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics
Values Removed: cvssV3_1 {'score': 4.7, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H'}
Values Added: cvssV3_1 {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Sat, 21 Mar 2026 05:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-366
References
Metrics
Values Removed: threat_severity None
Values Added: cvssV3_1 {'score': 4.7, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H'}; threat_severity Low


Fri, 20 Mar 2026 14:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362

Fri, 20 Mar 2026 10:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362

Fri, 20 Mar 2026 08:30:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: io_uring: ensure ctx->rings is stable for task work flags manipulation If DEFER_TASKRUN | SETUP_TASKRUN is used and task work is added while the ring is being resized, it's possible for the OR'ing of IORING_SQ_TASKRUN to happen in the small window of swapping into the new rings and the old rings being freed. Prevent this by adding a 2nd ->rings pointer, ->rings_rcu, which is protected by RCU. The task work flags manipulation is inside RCU already, and if the resize ring freeing is done post an RCU synchronize, then there's no need to add locking to the fast path of task work additions. Note: this is only done for DEFER_TASKRUN, as that's the only setup mode that supports ring resizing. If this ever changes, then they too need to use the io_ctx_mark_taskrun() helper.
Title io_uring: ensure ctx->rings is stable for task work flags manipulation
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-02T14:44:10.861Z

Reserved: 2026-01-13T15:37:45.991Z

Link: CVE-2026-23275

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-03-20T09:16:13.223

Modified: 2026-04-02T15:16:29.997

Link: CVE-2026-23275

Redhat

Severity : Low

Public Date: 2026-03-20T00:00:00Z

Links: CVE-2026-23275 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-02T20:23:15Z

Weaknesses