Description
In the Linux kernel, the following vulnerability has been resolved:

io_uring/zcrx: fix user_struct uaf

io_free_rbuf_ring() usees a struct user_struct, which
io_zcrx_ifq_free() puts it down before destroying the ring.
Published: 2026-05-27
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A use‑after‑free condition exists in the io_uring/zcrx subsystem of the Linux kernel. The flaw arises when io_free_rbuf_ring releases a struct user_struct that has already been freed by io_zcrx_ifq_free, allowing an attacker to use the stale reference. Such a flaw can lead to arbitrary code execution or corruption of kernel memory, potentially giving an attacker elevated privileges on the affected system.

Affected Systems

All Linux kernel implementations that include the io_uring/zcrx feature are impacted. The vulnerability applies to any distribution that ships the vulnerable kernel; specific affected versions are not listed in the advisory, so all kernel releases prior to the patch commit should be considered at risk.

Risk and Exploitability

The CVSS score is not provided, and the EPSS score is not available, so the exact likelihood of exploitation is unclear. The vulnerability is not listed in the CISA KEV catalog. Based on the type of flaw, a malicious local attacker able to trigger the double free could potentially gain root level privileges or destabilize the system. The attack vector is likely local, requiring interaction with the io_uring subsystem or a specially crafted payload that causes the double free to occur.

Generated by OpenCVE AI on May 27, 2026 at 17:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a Linux kernel version that contains the io_uring/zcrx user_struct fix (verify that the commit referenced in the advisory is present).
  • If kernel updates are not available, disable io_uring or terminate processes that use it to eliminate the vulnerable code path.
  • Actively monitor the system for kernel panics or suspicious activity that might indicate exploitation attempts.

Generated by OpenCVE AI on May 27, 2026 at 17:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 27 May 2026 17:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Wed, 27 May 2026 14:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: io_uring/zcrx: fix user_struct uaf io_free_rbuf_ring() usees a struct user_struct, which io_zcrx_ifq_free() puts it down before destroying the ring.
Title io_uring/zcrx: fix user_struct uaf
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-27T12:55:48.587Z

Reserved: 2026-05-13T15:03:33.091Z

Link: CVE-2026-45995

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-27T14:17:17.080

Modified: 2026-05-27T14:48:03.013

Link: CVE-2026-45995

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-27T17:15:38Z

Weaknesses