Description
In the Linux kernel, the following vulnerability has been resolved:

io_uring/poll: fix signed comparison in io_poll_get_ownership()

io_poll_get_ownership() uses a signed comparison to check whether
poll_refs has reached the threshold for the slowpath:

if (unlikely(atomic_read(&req->poll_refs) >= IO_POLL_REF_BIAS))

atomic_read() returns int (signed). When IO_POLL_CANCEL_FLAG
(BIT(31)) is set in poll_refs, the value becomes negative in
signed arithmetic, so the >= 128 comparison always evaluates to
false and the slowpath is never taken.

Fix this by casting the atomic_read() result to unsigned int
before the comparison, so that the cancel flag is treated as a
large positive value and correctly triggers the slowpath.
Published: 2026-06-24
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel vulnerability stems from an incorrect signed comparison in io_poll_get_ownership() that checks whether poll_refs has reached a threshold for the slow path: if (unlikely(atomic_read(&req->poll_refs) >= IO_POLL_REF_BIAS)) . Because atomic_read() returns a signed int, setting the IO_POLL_CANCEL_FLAG bit (BIT(31)) causes the value to become negative in signed arithmetic, so the comparison always fails and the slow path that cancels a pending request is never entered. This oversight can allow an io_uring poll request to remain pending indefinitely, potentially exhausting kernel resources and resulting in a denial of service. The flaw is a signed comparison error – a CWE‑1024 weakness. Ongoing risk remains high for systems that have not adopted the patch that casts the atomic_read() result to unsigned before performing the comparison. The CVSS score of 7.8 indicates a high severity for the vulnerability, while the EPSS score of <1% suggests a low probability of exploitation at this time. The flaw requires local access for an attacker capable of submitting io_uring poll requests. The vulnerability is not listed in CISA’s KEV catalog, indicating no known widespread attacks. States that local attackers with sufficient privileges could cause resource exhaustion or deny service by abusing long‑running io_uring poll requests until the kernel patch is applied. The likely attack vector is local, affecting any user sharing the compromised kernel instance. The impact includes denial of service to users on the affected system.

Affected Systems

All Linux kernels that have not incorporated the patch commit 326941b22806cbf2df1fbfe902b7908b368cce42 or an equivalent change are affected. The CNA lists the product as Linux:Linux, so any distribution kernel built from the impacted source lines is impacted. The specific version range is not enumerated in the CNA data, but any build prior to the patch is vulnerable.

Risk and Exploitability

The CVSS score of 7.8 indicates high severity, while the EPSS score of <1% shows a low probability of exploitation at this time. The vulnerability is not listed in CISA KEV, suggesting no known widespread attacks have been observed. The flaw requires local access to the kernel—an attacker with sufficient privileges who can submit io_uring poll requests could cause resource exhaustion or denial of operations. The attack vector is local, affecting all users sharing the compromised kernel instance.

Generated by OpenCVE AI on June 28, 2026 at 14:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the kernel to a version that includes the commit 326941b22806cbf2df1fbfe902b7908b368cce42 or later.
  • If an immediate kernel upgrade is not possible, recompile the kernel with the io_uring poll feature disabled (CONFIG_IO_URING_POLL=n).
  • Limit the number of concurrent io_uring poll requests in applications or use system controls to monitor and cap pending poll counts until the kernel patch is in place.

Generated by OpenCVE AI on June 28, 2026 at 14:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4665-1 linux security update
Debian DLA Debian DLA DLA-4671-1 linux-6.1 security update
Ubuntu USN Ubuntu USN USN-8488-1 Linux kernel vulnerabilities
Ubuntu USN Ubuntu USN USN-8489-1 Linux kernel (OEM) vulnerabilities
Ubuntu USN Ubuntu USN USN-8488-2 Linux kernel (Raspberry Pi) vulnerabilities
Ubuntu USN Ubuntu USN USN-8507-1 Linux kernel (NVIDIA) vulnerabilities
History

Sun, 28 Jun 2026 08:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Thu, 25 Jun 2026 02:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-190
CWE-194

Thu, 25 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1024
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate


Wed, 24 Jun 2026 14:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-190
CWE-194

Wed, 24 Jun 2026 07:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: io_uring/poll: fix signed comparison in io_poll_get_ownership() io_poll_get_ownership() uses a signed comparison to check whether poll_refs has reached the threshold for the slowpath: if (unlikely(atomic_read(&req->poll_refs) >= IO_POLL_REF_BIAS)) atomic_read() returns int (signed). When IO_POLL_CANCEL_FLAG (BIT(31)) is set in poll_refs, the value becomes negative in signed arithmetic, so the >= 128 comparison always evaluates to false and the slowpath is never taken. Fix this by casting the atomic_read() result to unsigned int before the comparison, so that the cancel flag is treated as a large positive value and correctly triggers the slowpath.
Title io_uring/poll: fix signed comparison in io_poll_get_ownership()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-28T06:36:54.123Z

Reserved: 2026-06-09T07:44:35.369Z

Link: CVE-2026-52933

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-24T00:00:00Z

Links: CVE-2026-52933 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-28T14:45:17Z

Weaknesses
  • CWE-1024

    Comparison of Incompatible Types