Description
In the Linux kernel, the following vulnerability has been resolved:

io_uring/waitid: clear waitid info before copying it to userspace

IORING_OP_WAITID stores its result fields in struct io_waitid::info and
later copies them to userspace siginfo. The prep path initializes the
request arguments, but it does not initialize info itself.

If the wait operation completes without reporting a child event, the common
wait code can return without writing wo_info. In that case io_waitid_finish()
still copies iw->info to userspace, exposing stale bytes from the reused
io_kiocb command storage.

Clear the result storage during prep so the io_uring path matches the
regular waitid syscall, which uses a zero-initialized struct waitid_info.
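A userspace model of the flaw described above, added here as an illustration; it is not kernel code and not part of the original record. The struct layout, the `model_*` helpers, the `leaked_bytes` function and the 0xA5 fill pattern are assumptions constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Simplified stand-in for the result fields; layout is illustrative only. */
struct waitid_info { int pid; unsigned int uid; int status; int cause; };

/* Models reused io_kiocb command storage: one buffer shared by request types. */
union cmd_storage {
    unsigned char raw[64];
    struct { int which; int upid; int options; struct waitid_info info; } waitid;
};

/* Models the common wait code: info is written only when a child event exists. */
static int model_wait(struct waitid_info *info, int child_event) {
    if (!child_event)
        return 0;                       /* early return, info left untouched */
    info->pid = 1234; info->uid = 1000; info->status = 0; info->cause = 1;
    return info->pid;
}

/* Prep sets the request arguments; clear_info != 0 models the fixed prep path. */
static void model_prep(union cmd_storage *c, int clear_info) {
    c->waitid.which = 0; c->waitid.upid = 0; c->waitid.options = 4; /* sample values */
    if (clear_info)
        memset(&c->waitid.info, 0, sizeof(c->waitid.info));
}

/* Finish copies info out unconditionally, as described for io_waitid_finish(). */
static void model_finish(const union cmd_storage *c, struct waitid_info *user) {
    memcpy(user, &c->waitid.info, sizeof(*user));
}

/* Counts nonzero bytes reaching the "userspace" copy when no child event occurs. */
int leaked_bytes(int clear_info) {
    union cmd_storage slot;
    struct waitid_info user;
    size_t i;
    int n = 0;
    memset(slot.raw, 0xA5, sizeof(slot.raw));   /* constructed stale contents */
    model_prep(&slot, clear_info);
    model_wait(&slot.waitid.info, 0);           /* completes with no event */
    model_finish(&slot, &user);
    for (i = 0; i < sizeof(user); i++)
        n += ((unsigned char *)&user)[i] != 0;
    return n;
}

int main(void) {
    printf("unfixed prep: %d stale bytes copied, fixed prep: %d\n",
           leaked_bytes(0), leaked_bytes(1));
    return 0;
}
```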
Published: 2026-06-09
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The kernel’s io_uring waitid operation can return without populating a result structure when no child event occurs, yet the code copies that uninitialized structure to user space. This exposes stale kernel memory contents to the calling process, allowing an attacker to leak arbitrary data from the kernel. The flaw does not directly allow code execution but can aid in reconnaissance or privilege escalation by revealing secret information.

Affected Systems

All Linux kernel implementations that include the io_uring subsystem and have not applied the fix referenced in the commit logs are affected. The CVE description does not specify exact version ranges, so any kernel lacking the update is potentially vulnerable. Administrators should verify the kernel version and consult the vendor’s patch notes.

Risk and Exploitability

The vulnerability can be exercised by a local user that has permission to create an io_uring instance and submit a WAITID request. Because the information exposed stems from kernel memory, an attacker could gather sensitive data. The flaw has a CVSS score of 5.5, and the EPSS score is less than 1%. No public exploits are recorded. The KEV catalog does not list the vulnerability, suggesting it has not been actively exploited in the wild. However, the potential for information disclosure warrants prompt patching, especially in environments handling sensitive data.

Generated by OpenCVE AI on June 10, 2026 at 01:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest kernel patch that addresses CVE-2026-46315 to ensure the waitid result structure is properly zero‑initialized before copying to userspace.
  • If an immediate kernel upgrade is not feasible, block or restrict io_uring use of the WAITID operation via SELinux/AppArmor or seccomp filters, effectively preventing the vulnerable code path from being invoked.
  • Verify that no other processes can exploit stale data by auditing active io_uring instances and applying kernel hardening settings such as "kernel.randomize_va_space" or "kernel.core_pattern" to limit information leakage.

Generated by OpenCVE AI on June 10, 2026 at 01:45 UTC.

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-909
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate


Tue, 09 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-200
CWE-758

Tue, 09 Jun 2026 08:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: io_uring/waitid: clear waitid info before copying it to userspace IORING_OP_WAITID stores its result fields in struct io_waitid::info and later copies them to userspace siginfo. The prep path initializes the request arguments, but it does not initialize info itself. If the wait operation completes without reporting a child event, the common wait code can return without writing wo_info. In that case io_waitid_finish() still copies iw->info to userspace, exposing stale bytes from the reused io_kiocb command storage. Clear the result storage during prep so the io_uring path matches the regular waitid syscall, which uses a zero-initialized struct waitid_info.
Title io_uring/waitid: clear waitid info before copying it to userspace
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-09T07:38:13.713Z

Reserved: 2026-05-13T15:03:33.111Z

Link: CVE-2026-46315

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-09T09:16:30.330

Modified: 2026-06-09T09:16:30.330

Link: CVE-2026-46315

Redhat

Severity: Moderate

Public Date: 2026-06-09T00:00:00Z

Links: CVE-2026-46315 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-10T02:00:13Z

Weaknesses