Impact
A data race exists in the Linux kernel's ublk subsystem: the ublksrv_ctrl_cmd structure, which is located in a userspace-mapped io_uring submission queue entry, is accessed with normal loads. Because the kernel may read this structure while userspace concurrently writes to it, the loaded values can be torn or stale, potentially causing the kernel to interpret an incorrect command. This flaw could allow an attacker to influence device command processing and potentially trigger an unintended operation or destabilize the kernel. The underlying weakness is a race condition that violates proper atomic access to shared data.
Affected Systems
All Linux kernel implementations that expose the ublk driver and allow userspace applications to submit io_uring submission queue entries containing ublksrv_ctrl_cmd structures are affected. The bug is present in every kernel release that does not include the patch, which uses the READ_ONCE() macro to copy the structure to the stack.
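The difference between reading the shared entry in place and copying it to the stack with READ_ONCE(), as an added userspace illustration that is not the kernel's code or the actual patch. The `ctrl_cmd` struct, `MAX_LEN`, the handler names and the `concurrent_writer()` call that stands in for a racing userspace write are all assumptions made for this example, and `READ_ONCE` here is a userspace approximation of the kernel macro.

```c
#include <stdint.h>
#include <stdio.h>

/* Userspace approximation of the kernel's READ_ONCE(): one volatile load. */
#define READ_ONCE(x) (*(const volatile __typeof__(x) *)&(x))

#define MAX_LEN 64u  /* constructed limit for this example */

/* Simplified stand-in for a control command living in shared memory;
 * not the kernel's ublksrv_ctrl_cmd definition. */
struct ctrl_cmd {
    uint32_t dev_id;
    uint16_t len;
    uint64_t addr;
};

/* Models the other side rewriting the shared entry while it is handled. */
static void concurrent_writer(struct ctrl_cmd *shared) { shared->len = 4096; }

/* Before: validates and then uses the shared copy, so len is fetched twice. */
static unsigned handle_shared(struct ctrl_cmd *shared)
{
    if (shared->len > MAX_LEN)
        return 0;                 /* rejected */
    concurrent_writer(shared);    /* write lands between check and use */
    return shared->len;           /* second fetch returns an unchecked value */
}

/* After: each field is loaded once into a stack copy; only the copy is used. */
static unsigned handle_snapshot(struct ctrl_cmd *shared)
{
    struct ctrl_cmd cmd;
    cmd.dev_id = READ_ONCE(shared->dev_id);
    cmd.len    = READ_ONCE(shared->len);
    cmd.addr   = READ_ONCE(shared->addr);
    concurrent_writer(shared);    /* later writes no longer affect cmd */
    if (cmd.len > MAX_LEN)
        return 0;
    return cmd.len;               /* the value that was validated */
}

int main(void)
{
    struct ctrl_cmd a = { 1, 16, 0 }, b = { 1, 16, 0 };  /* constructed input */
    printf("shared: %u  snapshot: %u\n", handle_shared(&a), handle_snapshot(&b));
    return 0;
}
```

The in-place handler ends up acting on a length it never validated, while the snapshot handler's result is fixed at the moment of the copy.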
Risk and Exploitability
The CVSS score is not provided and the EPSS score is unavailable, suggesting no known widespread exploitation. The flaw is not listed in the CISA KEV catalog, indicating it has not yet been featured in publicly known exploits. Nonetheless, the race condition can be triggered when an attacker can write to the userspace memory mapped into the kernel, so any userspace program that interacts with ublk through io_uring may be a potential attack vector. The threat level is therefore considered moderate, but the recommended action is to patch the kernel before any attackers can take advantage.